From 50dec23b79490fcb02631a609912572ece0a77bc Mon Sep 17 00:00:00 2001
From: Lazlo Westerhof
Date: Thu, 7 Dec 2023 11:41:02 +0100
Subject: [PATCH] SRAM: do not update role of read only members

---
 deposit.py | 2 +-
 groups.py | 60 ++++++++++++++++++++++------------------------------
 meta_form.py | 2 +-
 research.py | 20 +++++++++---------
 resources.py | 2 +-
 revisions.py | 4 ++--
 vault.py | 6 +++---
 7 files changed, 43 insertions(+), 53 deletions(-)

diff --git a/deposit.py b/deposit.py
index fdc891358..54ef12f62 100644
--- a/deposit.py
+++ b/deposit.py
@@ -69,7 +69,7 @@ def api_deposit_copy_data_package(ctx, reference):
 
     # Check if user has write access to research folder.
     # Only normal user has write access.
-    if not groups.user_role(ctx, group_name, user_full_name) in ['normal', 'manager']:
+    if not groups.user_role(ctx, user_full_name, group_name) in ['normal', 'manager']:
         return api.Error('NoWriteAccessTargetCollection', 'Not permitted to write in selected folder')
 
     # Register to delayed rule queue.
diff --git a/groups.py b/groups.py
index ed4003d39..f412f60fc 100644
--- a/groups.py
+++ b/groups.py
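Review bot: The new call swaps two positional string arguments of `groups.user_role`, so any caller the commit missed (other modules, rule files or tests outside this patch) would silently look up the group name as a user and most likely get 'none' instead of failing; here that denies access, but a stale `!= "none"` check elsewhere would silently pass. Passing the arguments by keyword, `groups.user_role(ctx, username=user_full_name, group_name=group_name)`, makes the order explicit at every call site; the same applies to the meta_form.py, research.py, resources.py, revisions.py and vault.py hunks below. While this line is being touched, `not ... in` reads better as `if groups.user_role(ctx, user_full_name, group_name) not in ['normal', 'manager']:` (the vault.py hunk at 203 has the same form). The body of api_deposit_copy_data_package continues outside the hunk.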
@@ -270,30 +270,34 @@ def getSubcategories(ctx, category):
     return list(categories)
 
 
-def user_role(ctx, group_name, user):
-    """Return role of user in group.
+def user_role(ctx, username, group_name):
+    """Get role of user in group.
 
     :param ctx: Combined type of a ctx and rei struct
+    :param username: User to return type of
     :param group_name: Group name of user
-    :param user: User to return type of
 
     :returns: User role ('none' | 'reader' | 'normal' | 'manager')
     """
     group = getGroupData(ctx, group_name)
-    if '#' not in user:
-        user = user + "#" + session_vars.get_map(ctx.rei)["client_user"]["irods_zone"]
+    if '#' not in username:
+        username = username + "#" + session_vars.get_map(ctx.rei)["client_user"]["irods_zone"]
 
     if group:
-        if user in group["managers"]:
+        if username in group["managers"]:
             return "manager"
-        elif user in group["members"]:
+        elif username in group["members"]:
             return "normal"
-        elif user in group["read"]:
+        elif username in group["read"]:
             return "reader"
 
     return "none"
 
 
+"""API to get role of user in group."""
+api_group_get_user_role = api.make()(user_role)
+
+
 def user_is_datamanager(ctx, category, user):
     """Return if user is datamanager of category.
 
@@ -303,7 +307,7 @@ def user_is_datamanager(ctx, category, user):
 
     :returns: Boolean indicating if user is datamanager
     """
-    return user_role(ctx, 'datamanager-{}'.format(category), user) \
+    return user_role(ctx, user, 'datamanager-{}'.format(category)) \
         in ('normal', 'manager')
 
 
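Review bot: The added line `"""API to get role of user in group."""` in front of `api_group_get_user_role = api.make()(user_role)` is a bare expression statement, not a docstring — it is attached to nothing and discarded at runtime, and a linter may flag it as a useless expression — so it should be a comment: `# API to get role of user in group.`. Since `user_role` is now exposed directly through `api.make()`, its docstring and its parameter names `username` and `group_name` become the API contract (which the reordering keeps compatible with the wrapper removed further down in this file); stating that in the comment would stop a later rename of these parameters from silently breaking keyword callers. getSubcategories ends inside the hunk; user_is_datamanager continues outside it.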
@@ -603,11 +607,11 @@ def apply_data(ctx, data, allow_update, delete_users):
         # Now add the users and set their role if other than member
         allusers = managers + members + viewers
         for username in list(set(allusers)):  # duplicates removed
-            currentrole = user_role(ctx, group_name, username)
+            currentrole = user_role(ctx, username, group_name)
             if currentrole == "none":
                 response = group_user_add(ctx, username, group_name)
                 if response:
-                    currentrole = "member"
+                    currentrole = "normal"
                     log.write(ctx, "CSV import - Notice: added user {} to group {}".format(username, group_name))
                 else:
                     log.write(ctx, "CSV import - Warning: error occurred while attempting to add user {} to group {}".format(username, group_name))
@@ -637,8 +641,8 @@ def apply_data(ctx, data, allow_update, delete_users):
 
         # Always remove the rods user for new groups, unless it is in the
         # CSV file.
-        if (new_group and "rods" not in allusers and user_role(ctx, group_name, "rods") != "none"):
-            response = group_remove_user_from_group(ctx, 'rods', group_name)
+        if (new_group and "rods" not in allusers and user_role(ctx, "rods", group_name) != "none"):
+            response = group_remove_user_from_group(ctx, "rods", group_name)
             if response:
                 log.write(ctx, "CSV import - Notice: removed rods user from group " + group_name)
             else:
@@ -757,8 +761,6 @@ def _process_csv_line(ctx, line):
                 elif not yoda_names.is_email_username(username):
                     return None, 'Username "{}" is not a valid email address.'.format(
                         username)
-                # elif not is_valid_domain(username.split('@')[1]):
-                #     return None, 'Username "{}" failed DNS domain validation - domain does not exist or has no MX records.'.format(username)
 
                 if column_name.lower().startswith('manager:'):
                     managers.append(username)
@@ -1213,13 +1215,14 @@ def group_user_update_role(ctx, username, group_name, new_role):
     """
     try:
         if config.enable_sram:
-            sram_group, co_identifier = sram_enabled(ctx, group_name)
-            if sram_group:
-                uid = sram.sram_get_uid(ctx, co_identifier, username)
-                if uid == '':
-                    return api.Error('sram_error', 'Something went wrong getting the unique user id for user {} from SRAM. Please contact a system administrator.'.format(username))
-                else:
-                    if not sram.sram_update_collaboration_membership(ctx, co_identifier, uid, new_role):
+            # Only call SRAM when changing between normal and manager roles.
+            if new_role == "reader" and user_role(ctx, username, group_name) != "normal":
+                sram_group, co_identifier = sram_enabled(ctx, group_name)
+                if sram_group:
+                    uid = sram.sram_get_uid(ctx, co_identifier, username)
+                    if uid == '':
+                        return api.Error('sram_error', 'Something went wrong getting the unique user id for user {} from SRAM. Please contact a system administrator.'.format(username))
+                    elif not sram.sram_update_collaboration_membership(ctx, co_identifier, uid, new_role):
                         return api.Error('sram_error', 'Something went wrong updating role for {} user.'.format(username))
 
         response = ctx.uuGroupUserChangeRole(group_name, username, new_role, '', '')['arguments']
@@ -1237,19 +1240,6 @@ def group_user_update_role(ctx, username, group_name, new_role):
 api_group_user_update_role = api.make()(group_user_update_role)
 
 
-@api.make()
-def api_group_get_user_role(ctx, username, group_name):
-    """Get role of a user in a group.
-
-    :param ctx: Combined type of a ctx and rei struct
-    :param username: Name of the user
-    :param group_name: Name of the group
-
-    :returns: Role of the user
-    """
-    return user_role(ctx, group_name, username)
-
-
 def group_remove_user_from_group(ctx, username, group_name):
     """Remove a user from a group.
 
diff --git a/meta_form.py b/meta_form.py
index 887a88ee4..55e2bcf4f 100644
--- a/meta_form.py
+++ b/meta_form.py
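Review bot: The new guard `if new_role == "reader" and user_role(ctx, username, group_name) != "normal":` contradicts the comment directly above it: as written, SRAM is contacted only when the new role is "reader" and the current role is not "normal", and never on a normal↔manager change. If the comment (and the commit title, which says readers should be skipped) states the intent, the condition should be `if new_role != "reader" and user_role(ctx, username, group_name) != "reader":`. With the current form a manager demoted to normal, or a normal member promoted to manager, is updated in iRODS by the `uuGroupUserChangeRole` call below but presumably keeps its previous SRAM collaboration role, so the two authorization sources drift apart without any error being reported; a test covering each (current role, new role) pair would pin the intended behaviour. group_user_update_role continues outside the hunk.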
@@ -136,7 +136,7 @@ def load(ctx, coll):
     category = groups.group_category(ctx, group)
 
     # - What rights does the client have?
-    is_member = groups.user_role(ctx, group, user_full_name) in ['normal', 'manager']
+    is_member = groups.user_role(ctx, user_full_name, group) in ['normal', 'manager']
 
     # - What is the active schema for this category?
     schema, uischema = schema_.get_active_schema_uischema(ctx, coll)
diff --git a/research.py b/research.py
index e6026c830..5dea60590 100644
--- a/research.py
+++ b/research.py
@@ -66,7 +66,7 @@ def api_research_folder_add(ctx, coll, new_folder_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to add new folders')
 
     # Collection exists?
@@ -127,7 +127,7 @@ def api_research_folder_copy(ctx, folder_path, new_folder_path):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to copy the selected folder')
 
     # Folder not locked?
@@ -188,7 +188,7 @@ def api_research_folder_move(ctx, folder_path, new_folder_path):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to move the selected folder')
 
     # Folder not locked?
@@ -256,7 +256,7 @@ def api_research_folder_rename(ctx, new_folder_name, coll, org_folder_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to rename the selected folder')
 
     # Collection exists?
@@ -307,7 +307,7 @@ def api_research_folder_delete(ctx, coll, folder_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to delete the selected folder')
 
     # Folder not locked?
@@ -398,7 +398,7 @@ def api_research_file_copy(ctx, filepath, new_filepath):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to copy the selected file')
 
     # Folder not locked?
@@ -462,7 +462,7 @@ def api_research_file_rename(ctx, new_file_name, coll, org_file_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to rename the selected file')
 
     # Folder not locked?
@@ -531,7 +531,7 @@ def api_research_file_move(ctx, filepath, new_filepath):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to move the selected file')
 
     # Folder not locked?
@@ -578,7 +578,7 @@ def api_research_file_delete(ctx, coll, file_name):
 
     # permissions ok for group?
     user_full_name = user.full_name(ctx)
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You do not have sufficient permissions to delete the selected file')
 
     # Folder not locked?
@@ -631,7 +631,7 @@ def api_research_collection_details(ctx, path):
     basename = pathutil.chop(path)[1]
 
     # Retrieve user type.
-    member_type = groups.user_role(ctx, group, user.full_name(ctx))
+    member_type = groups.user_role(ctx, user.full_name(ctx), group)
 
     # Retrieve research folder status.
     status = folder.get_status(ctx, path)
diff --git a/resources.py b/resources.py
index 13b3ebd9f..41fe70ad0 100644
--- a/resources.py
+++ b/resources.py
@@ -168,7 +168,7 @@ def api_resource_full_year_differentiated_group_storage(ctx, group_name):
     """
     # Check permissions for this function
     # Member of this group?
-    member_type = groups.user_role(ctx, group_name, user.full_name(ctx))
+    member_type = groups.user_role(ctx, user.full_name(ctx), group_name)
     if member_type not in ['reader', 'normal', 'manager']:
         category = groups.group_category(ctx, group_name)
         if not groups.user_is_datamanager(ctx, category, user.full_name(ctx)):
diff --git a/revisions.py b/revisions.py
index 7c52d5ee9..2f48eaee2 100644
--- a/revisions.py
+++ b/revisions.py
@@ -189,7 +189,7 @@ def api_revisions_restore(ctx, revision_id, overwrite, coll_target, new_filename
     user_full_name = user.full_name(ctx)
 
     # Target collection write access?
-    if groups.user_role(ctx, target_group_name, user_full_name) in ['none', 'reader']:
+    if groups.user_role(ctx, user_full_name, target_group_name) in ['none', 'reader']:
         return api.Error('not_allowed', 'You are not allowed to write in the selected collection')
 
     # Target_coll locked?
@@ -217,7 +217,7 @@ def api_revisions_restore(ctx, revision_id, overwrite, coll_target, new_filename
 
     origin_group_name = original_path.split('/')[3]
 
-    if groups.user_role(ctx, origin_group_name, user_full_name) in ['none']:
+    if groups.user_role(ctx, user_full_name, origin_group_name) in ['none']:
         return api.Error('not_allowed', 'You are not allowed to view the information from this group {}'.format(origin_group_name))
 
     source_path = coll_origin + "/" + filename_origin
diff --git a/vault.py b/vault.py
index c88485dc3..a2df41383 100644
--- a/vault.py
+++ b/vault.py
@@ -203,7 +203,7 @@ def api_vault_copy_to_research(ctx, coll_origin, coll_target):
 
     # Check if user has write access to research folder.
     # Only normal user has write access.
-    if not groups.user_role(ctx, group_name, user_full_name) in ['normal', 'manager']:
+    if not groups.user_role(ctx, user_full_name, group_name) in ['normal', 'manager']:
         return api.Error('NoWriteAccessTargetCollection', 'Not permitted to write in selected folder')
 
     # Register to delayed rule queue.
@@ -748,7 +748,7 @@ def api_grant_read_access_research_group(ctx, coll):
 
     # Is datamanager?
     actor = user.full_name(ctx)
-    if groups.user_role(ctx, 'datamanager-' + category, actor) in ['normal', 'manager']:
+    if groups.user_role(ctx, actor, 'datamanager-' + category) in ['normal', 'manager']:
         # Grant research group read access to vault package.
         try:
             acl_kv = msi.kvpair(ctx, "actor", actor)
@@ -795,7 +795,7 @@ def api_revoke_read_access_research_group(ctx, coll):
 
     # Is datamanager?
     actor = user.full_name(ctx)
-    if groups.user_role(ctx, 'datamanager-' + category, actor) in ['normal', 'manager']:
+    if groups.user_role(ctx, actor, 'datamanager-' + category) in ['normal', 'manager']:
         # Grant research group read access to vault package.
         try:
             acl_kv = msi.kvpair(ctx, "actor", actor)
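Review bot: The comment `# Grant research group read access to vault package.` inside api_revoke_read_access_research_group describes the opposite of what this function does; it appears to have been copied from api_grant_read_access_research_group (the hunk at 748 above) and should read `# Revoke research group read access to vault package.`. It is a context line, but the commit rewrites the line directly above it, so correcting it here costs nothing and avoids misleading anyone auditing the datamanager permission paths. The function continues outside the hunk.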