Yuanzhou/validate put group #656
merged 2 commits into from
Apr 8, 2024
32 changes: 32 additions & 0 deletions src/app.py
@@ -1,5 +1,6 @@
import collections
import yaml
from typing import List
from datetime import datetime
from flask import Flask, g, jsonify, abort, request, Response, redirect, make_response
from neo4j.exceptions import TransactionError
Expand Down Expand Up @@ -1225,6 +1226,9 @@ def update_entity(id):
# Otherwise query against uuid-api and neo4j to get the entity dict if the id exists
entity_dict = query_target_entity(id, user_token)

# Check that the user has the correct access to modify this entity
validate_user_update_privilege(entity_dict, user_token)

# Normalize user provided entity_type
normalized_entity_type = schema_manager.normalize_entity_type(entity_dict['entity_type'])

Expand Down Expand Up @@ -4203,6 +4207,34 @@ def user_in_hubmap_read_group(request):
return (hubmap_read_group_uuid in user_info['hmgroupids'])


"""
Check if a user has valid access to update a given entity

Parameters
----------
entity : dict
The entity that is attempting to be updated
user_token : str
The token passed in via the request header that will be used to authenticate
"""
def validate_user_update_privilege(entity, user_token):
# A user has update privileges if they are a data admin or are in the same group that registered the entity
is_admin = auth_helper_instance.has_data_admin_privs(user_token)

if isinstance(is_admin, Response):
abort(is_admin)

user_write_groups: List[dict] = auth_helper_instance.get_user_write_groups(user_token)

if isinstance(user_write_groups, Response):
abort(user_write_groups)

user_group_uuids = [d['uuid'] for d in user_write_groups]
if entity['group_uuid'] not in user_group_uuids and is_admin is False:
forbidden_error(f"User does not have write privileges for this entity. "
f"Reach out to the help desk ([email protected]) to request access to group: {entity['group_uuid']}.")


"""
Validate the provided token when Authorization header presents

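Review bot: The deny condition in validate_user_update_privilege, `if entity['group_uuid'] not in user_group_uuids and is_admin is False:`, only withholds write access when is_admin is the literal False, so any other non-Response value returned by has_data_admin_privs (None, an empty string, a non-bool) would be treated as admin and the group check skipped; that helper is not visible here, so this is fail-open only if it can return such a value, but the default-deny form costs nothing: `if not is_admin and entity['group_uuid'] not in user_group_uuids:`. On the same line, `entity['group_uuid']` raises KeyError for an entity dict without that key, which surfaces as a 500 instead of the intended 403; `entity.get('group_uuid')` keeps a missing group on the forbidden path. The leading string above the def follows the file's convention of a module-level string rather than a real docstring (the next function does the same), so that is existing style rather than a defect of this change.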
2 changes: 1 addition & 1 deletion src/schema/schema_manager.py
Expand Up @@ -1038,7 +1038,7 @@ def validate_json_data_against_schema(json_data_dict, normalized_entity_type, ex
for key in schema_keys:
# By default, the schema treats all entity properties as optional on creation.
# Use `required_on_create: true` to mark a property as required for creating a new entity
if ('required_on_create' in properties[key]) and properties[key]['required_on_create'] and ('trigger' not in properties[key]):
if ('required_on_create' in properties[key]) and properties[key]['required_on_create']:
if key not in json_data_keys:
missing_required_keys_on_create.append(key)
else:
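Review bot: The comment on the two lines above the changed condition still describes only `required_on_create: true`, while the new condition (taking the second `if` line as the new side, since this rendered view lost the +/- markers) drops the `'trigger' not in properties[key]` exclusion, so a property that both has a trigger and is marked required_on_create is now reported as missing unless the client supplies it. The comment should say so, e.g. `# Properties with a trigger are no longer exempt: required_on_create applies to them as well`. validate_json_data_against_schema starts and ends outside this hunk, so whether a trigger-populated property is meant to reach this check cannot be confirmed from here.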