From 80b23a43214d2fdae721ef7f396048e1e499dcbd Mon Sep 17 00:00:00 2001
From: EstelleDa
Date: Tue, 10 Sep 2024 17:10:52 +1000
Subject: [PATCH] Debug has_permission function.
---
 src/mavedb/lib/permissions.py | 26 +++++++++++++++++++-------
 1 file changed, 19 insertions(+), 7 deletions(-)
diff --git a/src/mavedb/lib/permissions.py b/src/mavedb/lib/permissions.py
index 972b91be..1b2f966c 100644
--- a/src/mavedb/lib/permissions.py
+++ b/src/mavedb/lib/permissions.py
@@ -95,8 +95,10 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif private:
 # Do not acknowledge the existence of a private entity.
 return PermissionResponse(False, 404, f"experiment set with URN '{item.urn}' not found")
+ elif user_data is None or user_data.user is None:
+ return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
 elif action == Action.UPDATE:
 if user_may_edit:
 return PermissionResponse(True)
@@ -106,8 +108,10 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif private:
 # Do not acknowledge the existence of a private entity.
 return PermissionResponse(False, 404, f"experiment set with URN '{item.urn}' not found")
+ elif user_data is None or user_data.user is None:
+ return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
 elif action == Action.DELETE:
 # Owner may only delete an experiment set if it has not already been published.
 if user_may_edit:
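Review bot: The 404, 401, 403 denial ladder is now pasted into six arms of `has_permission` (the hunks at -95, -106, -143, -154, -191 and -202), and its order is security-relevant: the 401/403 messages echo `item.urn`, which is only safe because `elif private:` has already returned 404. Keeping that order in one helper means a later edit cannot reorder a single copy and let the status code reveal that a private URN exists. The branches ahead of `elif private:` and the denial paths of the DELETE arms lie outside these hunks, so whether DELETE still falls through to a bare `PermissionResponse(False)` cannot be confirmed from here. The sketch below assumes `private` is a plain boolean and that each arm's final `elif private:` / `elif user_data ...` / `else:` tail can collapse into one `else:`.

```python
def _denied(user_data: Optional[UserData], item: Base, private: bool, label: str) -> PermissionResponse:
    # 404 must come first: a private entity has to look nonexistent to
    # anonymous and unauthorised callers alike, before any URN is echoed.
    if private:
        return PermissionResponse(False, 404, f"{label} with URN '{item.urn}' not found")
    if user_data is None or user_data.user is None:
        return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
    return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")

# … unchanged: the allow branches ahead of `elif private:` in each arm …
            else:
                return _denied(user_data, item, private, "experiment set")
```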
@@ -143,8 +147,10 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif private:
 # Do not acknowledge the existence of a private entity.
 return PermissionResponse(False, 404, f"experiment with URN '{item.urn}' not found")
+ elif user_data is None or user_data.user is None:
+ return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
 elif action == Action.UPDATE:
 if user_may_edit:
 return PermissionResponse(True)
@@ -154,8 +160,10 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif private:
 # Do not acknowledge the existence of a private entity.
 return PermissionResponse(False, 404, f"experiment with URN '{item.urn}' not found")
+ elif user_data is None or user_data.user is None:
+ return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
 elif action == Action.DELETE:
 # Owner may only delete an experiment if it has not already been published.
 if user_may_edit:
@@ -191,8 +199,10 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif private:
 # Do not acknowledge the existence of a private entity.
 return PermissionResponse(False, 404, f"score set with URN '{item.urn}' not found")
+ elif user_data is None or user_data.user is None:
+ return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
 elif action == Action.UPDATE:
 if user_may_edit:
 return PermissionResponse(True)
@@ -202,8 +212,10 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif private:
 # Do not acknowledge the existence of a private entity.
 return PermissionResponse(False, 404, f"score set with URN '{item.urn}' not found")
+ elif user_data is None or user_data.user is None:
+ return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
 elif action == Action.DELETE:
 # Owner may only delete a score set if it has not already been published.
 if user_may_edit:
@@ -247,7 +259,7 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 elif roles_permitted(active_roles, [UserRole.admin]):
 return PermissionResponse(True)
 else:
- return PermissionResponse(False)
+ return PermissionResponse(False, 403, "Insufficient permissions for user update.")
 elif action == Action.UPDATE:
 if user_is_self:
 return PermissionResponse(True)
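Review bot: The 403 message in the last hunk (-247) says "user update", but it sits in the arm immediately before `elif action == Action.UPDATE:`, so it appears to name a different action from the one it denies; that arm's own `elif action ==` line is outside the hunk. This arm also lacks the unauthenticated check the other six hunks add, so if it can be reached with no logged-in user, the caller gets 403 where the rest of the function now returns 401. Consider adding `elif user_data is None or user_data.user is None:` with a 401 `PermissionResponse` ahead of the `else:`. The 403 text should name the action actually handled and start lower-case like the other messages, so clients and log searches see one consistent form.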