Merge pull request #325 from VariantEffect/estelle/userAuthorizationC…

…heck

Add router functions to check whether users have authorization in experiment, experiment set and score set.

src/mavedb/lib/permissions.py

@@ -15,14 +15,14 @@
 
 
 class Action(Enum):
-    READ = 1
-    UPDATE = 2
-    DELETE = 3
-    ADD_EXPERIMENT = 4
-    ADD_SCORE_SET = 5
-    SET_SCORES = 6
-    ADD_ROLE = 7
-    PUBLISH = 8
+    READ = 'read'
+    UPDATE = 'update'
+    DELETE = 'delete'
+    ADD_EXPERIMENT = 'add_experiment'
+    ADD_SCORE_SET = 'add_score_set'
+    SET_SCORES = 'set_scores'
+    ADD_ROLE = 'add_role'
+    PUBLISH = 'publish'
 
 
 class PermissionResponse:

src/mavedb/routers/experiments.py

@@ -5,7 +5,6 @@
 from fastapi import APIRouter, Depends, HTTPException
 from fastapi.encoders import jsonable_encoder
 import pydantic
-from sqlalchemy import or_, and_
 from sqlalchemy.orm import Session
 
 from mavedb import deps

src/mavedb/routers/permissions.py

@@ -0,0 +1,65 @@
+import logging
+from enum import Enum
+
+from fastapi import APIRouter, Depends, HTTPException
+from sqlalchemy.orm import Session
+from typing import Union, Optional
+
+from mavedb import deps
+from mavedb.lib.authentication import get_current_user, UserData
+from mavedb.lib.permissions import has_permission, Action
+from mavedb.lib.logging import LoggedRoute
+from mavedb.lib.logging.context import logging_context, save_to_logging_context
+from mavedb.models.experiment import Experiment
+from mavedb.models.experiment_set import ExperimentSet
+from mavedb.models.score_set import ScoreSet
+
+router = APIRouter(
+    prefix="/api/v1/permissions",
+    tags=["permissions"],
+    responses={404: {"description": "Not found"}},
+    route_class=LoggedRoute,
+)
+
+logger = logging.getLogger(__name__)
+
+
+class ModelName(str, Enum):
+    experiment = "experiment"
+    experiment_set = "experiment-set"
+    score_set = "score-set"
+
+
+@router.get(
+    "/user-is-permitted/{model_name}/{urn}/{action}",
+    status_code=200,
+    response_model=bool
+)
+async def check_permission(
+    *,
+    model_name: ModelName,
+    urn: str,
+    action: Action,
+    db: Session = Depends(deps.get_db),
+    user_data: UserData = Depends(get_current_user),
+) -> bool:
+    """
+    Check whether users have authorizations in adding/editing/deleting/publishing experiment or score set.
+    """
+    save_to_logging_context({"requested_resource": urn})
+
+    item: Optional[Union[ExperimentSet, Experiment, ScoreSet]] = None
+
+    if model_name == ModelName.experiment_set:
+        item = db.query(ExperimentSet).filter(ExperimentSet.urn == urn).one_or_none()
+    elif model_name == ModelName.experiment:
+        item = db.query(Experiment).filter(Experiment.urn == urn).one_or_none()
+    elif model_name == ModelName.score_set:
+        item = db.query(ScoreSet).filter(ScoreSet.urn == urn).one_or_none()
+
+    if item:
+        permission = has_permission(user_data, item, action).permitted
+        return permission
+    else:
+        logger.debug(msg="The requested resources does not exist.", extra=logging_context())
+        raise HTTPException(status_code=404, detail=f"{model_name.value} with URN '{urn}' not found")

src/mavedb/server_main.py

@@ -36,6 +36,7 @@
     log,
     mapped_variant,
     orcid,
+    permissions,
     publication_identifiers,
     target_gene_identifiers,
     taxonomies,
@@ -82,6 +83,7 @@
 # app.include_router(log.router)
 app.include_router(mapped_variant.router)
 app.include_router(orcid.router)
+app.include_router(permissions.router)
 app.include_router(publication_identifiers.router)
 app.include_router(raw_read_identifiers.router)
 app.include_router(score_sets.router)