1696 update rest api for access control #1704
Conversation
|
@aphelionz This PR needs some update to resolve conflicts as well failing test. |
|
@pkdash Thanks for the nudge :) All set. |
|
|
||
| class ResourceAccessUpdateDelete(generics.RetrieveUpdateDestroyAPIView): | ||
| """ | ||
| Read, update, or delete a resource |
There was a problem hiding this comment.
Probably this comment be "Read, update or delete access permission for a resource"
| :return: (on success): Success or Error JSON object | ||
|
|
||
| :type str | ||
| :param user_id: user ID to remove |
There was a problem hiding this comment.
Parameter description seems not correct.
| message = "Request must contain a 'resource' ID as well as a 'user_id' or 'group_id'" | ||
| return Response( | ||
| data={'error': message}, | ||
| status=status.HTTP_200_OK |
There was a problem hiding this comment.
Should the status code be HTTP_400_BAD_REQUEST?
| message = "Request must contain a 'resource' ID as well as a 'user_id' or 'group_id'" | ||
| return Response( | ||
| data={'error': message}, | ||
| status=status.HTTP_200_OK |
| def get_queryset(self, pk, user): | ||
| resource = hydroshare.get_resource_by_shortkey(shortkey=pk) | ||
|
|
||
| if resource.user_id == user.id: |
There was a problem hiding this comment.
Not sure how this if statement works. I don't think resource object has attribute/property user_id. user can be an anonymous user.
There was a problem hiding this comment.
This works. It allows resource owners to see all resource access but non-owners to only see their own access.
That being said i'm perfectly amenable to a different way of doing this
There was a problem hiding this comment.
There is nothing wrong about the logic. I was just wondering how you are able to access the user_id of the resource object. Does the resource object has such an attribute?
There was a problem hiding this comment.
Indeed it does! @pkdash
There was a problem hiding this comment.
@aphelionz I assume we are able to access an instance of user from an instance of resource due to the inheritance of Resource class from Ownable (mezzanine code) class.
There was a problem hiding this comment.
@aphelionz It seems the user_id is the id of the user who originally created the resource. So we can't use user_id to check if the requesting user is the owner of the resource. I think the following check should work:
if user in resource.raccess.owners:
| elif needed_permission == ACTION_TO_AUTHORIZE.VIEW_RESOURCE_ACCESS: | ||
| authorized = user.uaccess.can_view_resource(res) | ||
| elif needed_permission == ACTION_TO_AUTHORIZE.EDIT_RESOURCE_ACCESS: | ||
| authorized = user.uaccess.owns_resource(res) |
There was a problem hiding this comment.
Should this be authorized = user.uaccess.can_edit_resource(res)?
There was a problem hiding this comment.
I guess that's how the UI works, but we should definitely clarify if we want any editor to edit resource access, or only the owner.
There was a problem hiding this comment.
@alvacouch can you clarify this?
There was a problem hiding this comment.
@aphelionz @pkdash This does not conform to the engine. According to the engine, anyone can share something with someone else, but only at the privilege that person holds. So, being able to edit permissions requires VIEW access..... but that isn't enough..... what do you mean by "edit"?
user.uaccess.can_share_resource is appropriate.
|
|
||
| def tearDown(self): | ||
| super(TestSetAccessRules, self).tearDown() | ||
| self.secondUser.delete() |
There was a problem hiding this comment.
I think yes, based on the tearDown method in /hs_core/tests/api/rest/base.py. Am I wrong?
There was a problem hiding this comment.
I am not sure if the implementation of teardown() in base.py is correct. Shouldn't it be calling the super()?. I assume the APITestCase is an extension of the Django's TestCase class. When subclassing the TestCase I believe there is no need to override the teardown() for database cleanup as that's the default behavior. I may be wrong.
There was a problem hiding this comment.
I'm not sure either. Who can answer this? @alvacouch ?
There was a problem hiding this comment.
@aphelionz @pkdash I have not looked this over much.... I didn't write this suite of tests. Check hs_access_control/tests for mine.....
There was a problem hiding this comment.
@alvacouch In you tests it seems you are also explicitly deleting the database objects using the function global_reset(). Also, it seems all access control tests pass without the use of global_reset().
There was a problem hiding this comment.
In general, the tests don't reset, and using --keepdb leads to different results every time. I have made a practice of resetting and cleaning up after myself, which at least insures that --keepdb works for me. If you repeat test --keepdb several times, you will see the number of errors grow as state accumulates, and only the tests for which there is local cleanup work properly in --keepdb. The initial global_reset is redundant, I admit, but it is without cost.
There was a problem hiding this comment.
There are some methods in the super that might be useful on occasion. In this case, they don't seem to be relevant.
There was a problem hiding this comment.
I then am OK with leaving the deletes in trearDown().
| self.assertEqual( | ||
| "Request cannot contain both a 'user_id' and a 'group_id' parameter.", | ||
| put_response.data['error']) | ||
|
|
There was a problem hiding this comment.
Another error case you may consider where a user who does not have sufficient permission on the resource tries to grant/revoke permission.
There was a problem hiding this comment.
Yes, I will add negative cases.
There was a problem hiding this comment.
Negative cases added :)
| else: | ||
| querysets = ( | ||
| UserResourcePrivilege.objects.filter(resource=resource, user=user), | ||
| GroupResourcePrivilege.objects.filter(resource=resource, user=user) |
There was a problem hiding this comment.
GroupResourcePrivelege class doesn't have user field.
|
|
||
| if "user_id" in keys and "privilege" in keys: | ||
| user_to_add = utils.user_from_id(request.data['user_id']) | ||
| user_access.share_resource_with_user(resource, user_to_add, request.data['privilege']) |
There was a problem hiding this comment.
Should this also be within try ... except?
Also should we be validating the value in request.data['privilege'] before using it?
|
@aphelionz I have left few additional comments. It would be good to close this PR soon. |
| elif needed_permission == ACTION_TO_AUTHORIZE.VIEW_RESOURCE_ACCESS: | ||
| authorized = user.uaccess.can_view_resource(res) | ||
| elif needed_permission == ACTION_TO_AUTHORIZE.EDIT_RESOURCE_ACCESS: | ||
| authorized = user.uaccess.owns_resource(res) |
|
@aphelionz Looks good. +1 |
Starting the PR process for this so I can keep an eye on Jenkins while I do the next parts. - will update with docs and tests over the next day or so.
This exposes a new endpoint at /hsapi/resource/[id]/access/.
group_idoruser_idwill remove access.