SRAM: do not update role of read only members

deposit.py

@@ -69,7 +69,7 @@ def api_deposit_copy_data_package(ctx, reference):
 
     # Check if user has write access to research folder.
     # Only normal user has write access.
-    if not groups.user_role(ctx, group_name, user_full_name) in ['normal', 'manager']:
+    if not groups.user_role(ctx, user_full_name, group_name) in ['normal', 'manager']:
         return api.Error('NoWriteAccessTargetCollection', 'Not permitted to write in selected folder')
 
     # Register to delayed rule queue.

groups.py

@@ -270,30 +270,34 @@ def getSubcategories(ctx, category):
     return list(categories)
 
 
-def user_role(ctx, group_name, user):
-    """Return role of user in group.
+def user_role(ctx, username, group_name):
+    """Get role of user in group.
 
     :param ctx:        Combined type of a ctx and rei struct
+    :param username:   User to return type of
     :param group_name: Group name of user
-    :param user:       User to return type of
 
     :returns: User role ('none' | 'reader' | 'normal' | 'manager')
     """
     group = getGroupData(ctx, group_name)
-    if '#' not in user:
-        user = user + "#" + session_vars.get_map(ctx.rei)["client_user"]["irods_zone"]
+    if '#' not in username:
+        username = username + "#" + session_vars.get_map(ctx.rei)["client_user"]["irods_zone"]
 
     if group:
-        if user in group["managers"]:
+        if username in group["managers"]:
             return "manager"
-        elif user in group["members"]:
+        elif username in group["members"]:
             return "normal"
-        elif user in group["read"]:
+        elif username in group["read"]:
             return "reader"
 
     return "none"
 
 
+"""API to get role of user in group."""
+api_group_get_user_role = api.make()(user_role)
+
+
 def user_is_datamanager(ctx, category, user):
     """Return if user is datamanager of category.
 
@@ -303,7 +307,7 @@ def user_is_datamanager(ctx, category, user):
 
     :returns: Boolean indicating if user is datamanager
     """
-    return user_role(ctx, 'datamanager-{}'.format(category), user) \
+    return user_role(ctx, user, 'datamanager-{}'.format(category)) \
         in ('normal', 'manager')
 
 
@@ -603,11 +607,11 @@ def apply_data(ctx, data, allow_update, delete_users):
         # Now add the users and set their role if other than member
         allusers = managers + members + viewers
         for username in list(set(allusers)):   # duplicates removed
-            currentrole = user_role(ctx, group_name, username)
+            currentrole = user_role(ctx, username, group_name)
             if currentrole == "none":
                 response = group_user_add(ctx, username, group_name)
                 if response:
-                    currentrole = "member"
+                    currentrole = "normal"
                     log.write(ctx, "CSV import - Notice: added user {} to group {}".format(username, group_name))
                 else:
                     log.write(ctx, "CSV import - Warning: error occurred while attempting to add user {} to group {}".format(username, group_name))
@@ -637,8 +641,8 @@ def apply_data(ctx, data, allow_update, delete_users):
 
         # Always remove the rods user for new groups, unless it is in the
         # CSV file.
-        if (new_group and "rods" not in allusers and user_role(ctx, group_name, "rods") != "none"):
-            response = group_remove_user_from_group(ctx, 'rods', group_name)
+        if (new_group and "rods" not in allusers and user_role(ctx, "rods", group_name) != "none"):
+            response = group_remove_user_from_group(ctx, "rods", group_name)
             if response:
                 log.write(ctx, "CSV import - Notice: removed rods user from group " + group_name)
             else:
@@ -757,8 +761,6 @@ def _process_csv_line(ctx, line):
         elif not yoda_names.is_email_username(username):
             return None, 'Username "{}" is not a valid email address.'.format(
                 username)
-        # elif not is_valid_domain(username.split('@')[1]):
-        #    return None, 'Username "{}" failed DNS domain validation - domain does not exist or has no MX records.'.format(username)
 
         if column_name.lower().startswith('manager:'):
             managers.append(username)
@@ -1213,13 +1215,14 @@ def group_user_update_role(ctx, username, group_name, new_role):
     """
     try:
         if config.enable_sram:
-            sram_group, co_identifier = sram_enabled(ctx, group_name)
-            if sram_group:
-                uid = sram.sram_get_uid(ctx, co_identifier, username)
-                if uid == '':
-                    return api.Error('sram_error', 'Something went wrong getting the unique user id for user {} from SRAM. Please contact a system administrator.'.format(username))
-                else:
-                    if not sram.sram_update_collaboration_membership(ctx, co_identifier, uid, new_role):
+            # Only call SRAM when changing between normal and manager roles.
+            if new_role == "reader" and user_role(ctx, username, group_name) != "normal":
+                sram_group, co_identifier = sram_enabled(ctx, group_name)
+                if sram_group:
+                    uid = sram.sram_get_uid(ctx, co_identifier, username)
+                    if uid == '':
+                        return api.Error('sram_error', 'Something went wrong getting the unique user id for user {} from SRAM. Please contact a system administrator.'.format(username))
+                    elif not sram.sram_update_collaboration_membership(ctx, co_identifier, uid, new_role):
                         return api.Error('sram_error', 'Something went wrong updating role for {} user.'.format(username))
 
         response = ctx.uuGroupUserChangeRole(group_name, username, new_role, '', '')['arguments']
@@ -1237,19 +1240,6 @@ def group_user_update_role(ctx, username, group_name, new_role):
 api_group_user_update_role = api.make()(group_user_update_role)
 
 
-@api.make()
-def api_group_get_user_role(ctx, username, group_name):
-    """Get role of a user in a group.
-
-    :param ctx:        Combined type of a ctx and rei struct
-    :param username:   Name of the user
-    :param group_name: Name of the group
-
-    :returns: Role of the user
-    """
-    return user_role(ctx, group_name, username)
-
-
 def group_remove_user_from_group(ctx, username, group_name):
     """Remove a user from a group.
 

meta_form.py

@@ -136,7 +136,7 @@ def load(ctx, coll):
     category = groups.group_category(ctx, group)
 
     # - What rights does the client have?
-    is_member = groups.user_role(ctx, group, user_full_name) in ['normal', 'manager']
+    is_member = groups.user_role(ctx, user_full_name, group) in ['normal', 'manager']
 
     # - What is the active schema for this category?
     schema, uischema = schema_.get_active_schema_uischema(ctx, coll)

research.py

@@ -66,7 +66,7 @@ def api_research_folder_add(ctx, coll, new_folder_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to add new folders')
 
     # Collection exists?
@@ -127,7 +127,7 @@ def api_research_folder_copy(ctx, folder_path, new_folder_path):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to copy the selected folder')
 
     # Folder not locked?
@@ -188,7 +188,7 @@ def api_research_folder_move(ctx, folder_path, new_folder_path):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to move the selected folder')
 
     # Folder not locked?
@@ -256,7 +256,7 @@ def api_research_folder_rename(ctx, new_folder_name, coll, org_folder_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to rename the selected folder')
 
     # Collection exists?
@@ -307,7 +307,7 @@ def api_research_folder_delete(ctx, coll, folder_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to delete the selected folder')
 
     # Folder not locked?
@@ -398,7 +398,7 @@ def api_research_file_copy(ctx, filepath, new_filepath):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to copy the selected file')
 
     # Folder not locked?
@@ -462,7 +462,7 @@ def api_research_file_rename(ctx, new_file_name, coll, org_file_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to rename the selected file')
 
     # Folder not locked?
@@ -531,7 +531,7 @@ def api_research_file_move(ctx, filepath, new_filepath):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to move the selected file')
 
     # Folder not locked?
@@ -578,7 +578,7 @@ def api_research_file_delete(ctx, coll, file_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to delete the selected file')
 
     # Folder not locked?
@@ -631,7 +631,7 @@ def api_research_collection_details(ctx, path):
     basename = pathutil.chop(path)[1]
 
     # Retrieve user type.
-    member_type = groups.user_role(ctx, group, user.full_name(ctx))
+    member_type = groups.user_role(ctx, user.full_name(ctx), group)
 
     # Retrieve research folder status.
     status = folder.get_status(ctx, path)

resources.py

@@ -168,7 +168,7 @@ def api_resource_full_year_differentiated_group_storage(ctx, group_name):
     """
     # Check permissions for this function
     # Member of this group?
-    member_type = groups.user_role(ctx, group_name, user.full_name(ctx))
+    member_type = groups.user_role(ctx, user.full_name(ctx), group_name)
     if member_type not in ['reader', 'normal', 'manager']:
         category = groups.group_category(ctx, group_name)
         if not groups.user_is_datamanager(ctx, category, user.full_name(ctx)):

revisions.py

@@ -189,7 +189,7 @@ def api_revisions_restore(ctx, revision_id, overwrite, coll_target, new_filename
     user_full_name = user.full_name(ctx)
 
     # Target collection write access?
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You are not allowed to write in the selected collection')
 
     # Target_coll locked?
@@ -217,7 +217,7 @@ def api_revisions_restore(ctx, revision_id, overwrite, coll_target, new_filename
 
     origin_group_name = original_path.split('/')[3]
 
-    if groups.user_role(ctx, origin_group_name, user_full_name) in ['none']:
+    if groups.user_role(ctx, user_full_name, origin_group_name) in ['none']:
         return api.Error('not_allowed', 'You are not allowed to view the information from this group {}'.format(origin_group_name))
 
     source_path = coll_origin + "/"  + filename_origin

vault.py

@@ -203,7 +203,7 @@ def api_vault_copy_to_research(ctx, coll_origin, coll_target):
 
     # Check if user has write access to research folder.
     # Only normal user has write access.
-    if not groups.user_role(ctx, group_name, user_full_name) in ['normal', 'manager']:
+    if not groups.user_role(ctx, user_full_name, group_name) in ['normal', 'manager']:
         return api.Error('NoWriteAccessTargetCollection', 'Not permitted to write in selected folder')
 
     # Register to delayed rule queue.
@@ -748,7 +748,7 @@ def api_grant_read_access_research_group(ctx, coll):
 
     # Is datamanager?
     actor = user.full_name(ctx)
-    if groups.user_role(ctx, 'datamanager-' + category, actor) in ['normal', 'manager']:
+    if groups.user_role(ctx, actor, 'datamanager-' + category) in ['normal', 'manager']:
         # Grant research group read access to vault package.
         try:
             acl_kv = msi.kvpair(ctx, "actor", actor)
@@ -795,7 +795,7 @@ def api_revoke_read_access_research_group(ctx, coll):
 
     # Is datamanager?
     actor = user.full_name(ctx)
-    if groups.user_role(ctx, 'datamanager-' + category, actor) in ['normal', 'manager']:
+    if groups.user_role(ctx, actor, 'datamanager-' + category) in ['normal', 'manager']:
         # Grant research group read access to vault package.
         try:
             acl_kv = msi.kvpair(ctx, "actor", actor)