Finish implementation of stubbed roles APIs

Author: cyrossignol

api/core/exceptions.py

@@ -15,6 +15,13 @@ def __init__(self, detail: str = "Resource already exists"):
         super().__init__(status_code=status.HTTP_409_CONFLICT, detail=detail)
 
 
+class ConflictException(HTTPException):
+    """Base exception for conflict errors."""
+
+    def __init__(self, detail: str = "Conflict"):
+        super().__init__(status_code=status.HTTP_409_CONFLICT, detail=detail)
+
+
 class UnauthorizedException(HTTPException):
     """Base exception for unauthorized access errors."""
 

api/core/security.py

@@ -12,7 +12,7 @@
 from api.core.database import get_osm_session, get_task_session
 from api.core.jwt import validate_and_decode_token
 from api.core.logging import get_logger
-from api.src.workspaces.schemas import WorkspaceUserRoleType
+from api.src.users.schemas import WorkspaceUserRoleType
 
 # Set up logger for this module
 logger = get_logger(__name__)
@@ -125,6 +125,13 @@ def isWorkspaceContributor(self, workspaceId: int) -> bool:
                 return True
         return False
 
+    def effective_role(self, workspaceId: int) -> WorkspaceUserRoleType:
+        if self.isWorkspaceLead(workspaceId):
+            return WorkspaceUserRoleType.LEAD
+        if self.isWorkspaceValidator(workspaceId):
+            return WorkspaceUserRoleType.VALIDATOR
+        return WorkspaceUserRoleType.CONTRIBUTOR
+
 
 # can't use the ORM here since the ORM uses us! (circular dependency)
 def get_osm_db_session(

api/main.py

@@ -22,6 +22,7 @@
     validate_token,
 )
 from api.src.teams.routes import router as teams_router
+from api.src.users.routes import router as users_router
 from api.src.workspaces.repository import WorkspaceRepository
 from api.src.workspaces.routes import router as workspaces_router
 from api.utils.migrations import run_migrations
@@ -85,6 +86,7 @@ async def lifespan(_app: FastAPI):
 
 # Include routers
 app.include_router(teams_router, prefix="/api/v1")
+app.include_router(users_router, prefix="/api/v1")
 app.include_router(workspaces_router, prefix="/api/v1")
 
 

api/src/teams/repository.py

@@ -9,7 +9,7 @@
     WorkspaceTeamItem,
     WorkspaceTeamUpdate,
 )
-from api.src.workspaces.schemas import User
+from api.src.users.schemas import User
 
 
 class WorkspaceTeamRepository:

api/src/teams/routes.py

@@ -1,4 +1,4 @@
-from fastapi import APIRouter, Depends, status
+from fastapi import APIRouter, Depends, HTTPException, status
 from sqlmodel.ext.asyncio.session import AsyncSession
 
 from api.core.database import get_osm_session, get_task_session
@@ -9,8 +9,9 @@
     WorkspaceTeamItem,
     WorkspaceTeamUpdate,
 )
-from api.src.workspaces.repository import OSMRepository, WorkspaceRepository
-from api.src.workspaces.schemas import User
+from api.src.users.repository import UserRepository
+from api.src.users.schemas import User
+from api.src.workspaces.repository import WorkspaceRepository
 
 router = APIRouter(prefix="/workspaces/{workspace_id}/teams", tags=["teams"])
 
@@ -22,10 +23,10 @@ def get_workspace_repo(
     return repo
 
 
-def get_osm_repo(
+def get_user_repo(
     session: AsyncSession = Depends(get_osm_session),
-) -> OSMRepository:
-    repository = OSMRepository(session)
+) -> UserRepository:
+    repository = UserRepository(session)
     return repository
 
 
@@ -56,6 +57,12 @@ async def create_team_for_workspace(
     team_repo=Depends(get_team_repo),
     current_user: UserInfo = Depends(validate_token),
 ) -> int:
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only workspace leads can create teams",
+        )
+
     # Repo guards if workspace doesn't exist or user cannot access:
     await workspace_repo.getById(current_user, workspace_id)
     return await team_repo.create(workspace_id, team)
@@ -84,6 +91,12 @@ async def update_team_for_workspace(
     team_repo=Depends(get_team_repo),
     current_user: UserInfo = Depends(validate_token),
 ):
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only workspace leads can update teams",
+        )
+
     # Repo guards if workspace doesn't exist or user cannot access:
     await workspace_repo.getById(current_user, workspace_id)
     await team_repo.assert_team_in_workspace(team_id, workspace_id)
@@ -98,6 +111,12 @@ async def delete_team_from_workspace(
     team_repo=Depends(get_team_repo),
     current_user: UserInfo = Depends(validate_token),
 ):
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only workspace leads can delete teams",
+        )
+
     # Repo guards if workspace doesn't exist or user cannot access:
     await workspace_repo.getById(current_user, workspace_id)
     await team_repo.assert_team_in_workspace(team_id, workspace_id)
@@ -123,14 +142,14 @@ async def join_workspace_team(
     workspace_id: int,
     team_id: int,
     workspace_repo=Depends(get_workspace_repo),
-    osm_repo=Depends(get_osm_repo),
+    user_repo=Depends(get_user_repo),
     team_repo=Depends(get_team_repo),
     current_user: UserInfo = Depends(validate_token),
 ) -> User:
     # Repo guards if workspace doesn't exist or user cannot access:
     await workspace_repo.getById(current_user, workspace_id)
     await team_repo.assert_team_in_workspace(team_id, workspace_id)
-    user = await osm_repo.get_current_user(current_user)
+    user = await user_repo.get_current_user(current_user)
     await team_repo.add_member(team_id, user.id)
     return user
 
@@ -144,6 +163,12 @@ async def add_member_to_workspace_team(
     team_repo=Depends(get_team_repo),
     current_user: UserInfo = Depends(validate_token),
 ):
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only workspace leads can add team members",
+        )
+
     # Repo guards if workspace doesn't exist or user cannot access:
     await workspace_repo.getById(current_user, workspace_id)
     await team_repo.assert_team_in_workspace(team_id, workspace_id)
@@ -159,6 +184,12 @@ async def delete_member_from_workspace_team(
     team_repo=Depends(get_team_repo),
     current_user: UserInfo = Depends(validate_token),
 ):
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Only workspace leads can remove team members",
+        )
+
     # Repo guards if workspace doesn't exist or user cannot access:
     await workspace_repo.getById(current_user, workspace_id)
     await team_repo.assert_team_in_workspace(team_id, workspace_id)

api/src/users/repository.py

@@ -0,0 +1,109 @@
+from uuid import UUID
+
+from sqlalchemy import delete, select
+from sqlalchemy.dialects.postgresql import insert as pg_insert
+from sqlmodel.ext.asyncio.session import AsyncSession
+
+from api.core.exceptions import NotFoundException
+from api.core.security import UserInfo
+from api.src.users.schemas import (
+    User,
+    WorkspaceUserRole,
+    WorkspaceUserRoleItem,
+    WorkspaceUserRoleType,
+)
+
+
+class UserRepository:
+
+    def __init__(self, session: AsyncSession):
+        self.session = session
+
+    async def get_privileged_workspace_members(
+        self,
+        workspace_id: int,
+    ) -> list[WorkspaceUserRoleItem]:
+        # The table only stores "lead" and "validator" role assignments. Project
+        # group members implicitly have the base "contributor" role.
+        #
+        query = (
+            select(User, WorkspaceUserRole.role)
+            .join(WorkspaceUserRole, User.auth_uid == WorkspaceUserRole.user_auth_uid)
+            .where(WorkspaceUserRole.workspace_id == workspace_id)
+        )
+        result = await self.session.execute(query)
+
+        return [
+            WorkspaceUserRoleItem(
+                id=user.id,
+                auth_uid=user.auth_uid,
+                email=user.email,
+                display_name=user.display_name,
+                role=role,
+            )
+            for user, role in result.all()
+        ]
+
+    async def get_current_user(self, current_user: UserInfo) -> User:
+        result = await self.session.exec(
+            select(User).where(User.auth_uid == str(current_user.user_uuid))
+        )
+
+        # Current user should exist--throw if it doesn't:
+        return result.scalar_one()
+
+    async def assign_member_role(
+        self,
+        workspace_id: int,
+        user_id: UUID,
+        role: WorkspaceUserRoleType,
+    ) -> None:
+        # Ensure the user has a local user record (signed in at least once):
+        user_exists = await self.session.scalar(
+            select(User.id).where(User.auth_uid == str(user_id))
+        )
+        if not user_exists:
+            raise NotFoundException(
+                f"User {user_id} has not signed in to Workspaces yet"
+            )
+
+        await self.session.execute(
+            pg_insert(WorkspaceUserRole)
+            .values(
+                user_auth_uid=str(user_id),
+                workspace_id=workspace_id,
+                role=role,
+            )
+            .on_conflict_do_update(
+                index_elements=["user_auth_uid", "workspace_id"],
+                set_={"role": role},
+            )
+        )
+        await self.session.commit()
+
+    async def remove_member_role(
+        self,
+        workspace_id: int,
+        user_id: UUID,
+    ) -> None:
+        query = delete(WorkspaceUserRole).where(
+            (WorkspaceUserRole.workspace_id == workspace_id)
+            & (WorkspaceUserRole.user_auth_uid == str(user_id))
+        )
+
+        result = await self.session.execute(query)
+
+        if result.rowcount != 1:
+            raise NotFoundException(
+                f"No role assigned for workspace {workspace_id}, user {user_id}"
+            )
+
+        await self.session.commit()
+
+    async def remove_all_member_roles(self, workspace_id: int) -> None:
+        await self.session.execute(
+            delete(WorkspaceUserRole).where(
+                WorkspaceUserRole.workspace_id == workspace_id
+            )
+        )
+        await self.session.commit()

api/src/users/routes.py

@@ -0,0 +1,87 @@
+from uuid import UUID
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from sqlmodel.ext.asyncio.session import AsyncSession
+
+from api.core.database import get_osm_session, get_task_session
+from api.core.security import UserInfo, validate_token
+from api.src.users.repository import UserRepository
+from api.src.users.schemas import SetRoleRequest, WorkspaceUserRoleItem
+from api.src.workspaces.repository import WorkspaceRepository
+
+router = APIRouter(prefix="/workspaces/{workspace_id}/users", tags=["users"])
+
+
+def get_user_repo(
+    session: AsyncSession = Depends(get_osm_session),
+) -> UserRepository:
+    repository = UserRepository(session)
+    return repository
+
+
+def get_workspace_repo(
+    session: AsyncSession = Depends(get_task_session),
+) -> WorkspaceRepository:
+    return WorkspaceRepository(session)
+
+
+@router.get("", response_model=list[WorkspaceUserRoleItem])
+async def get_privileged_workspace_members(
+    workspace_id: int,
+    current_user: UserInfo = Depends(validate_token),
+    user_repo: UserRepository = Depends(get_user_repo),
+):
+    if not current_user.isWorkspaceContributor(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Project group membership required to view members",
+        )
+
+    return await user_repo.get_privileged_workspace_members(workspace_id)
+
+
+@router.put("/{user_id}/role", status_code=status.HTTP_204_NO_CONTENT)
+async def assign_member_role(
+    workspace_id: int,
+    user_id: UUID,
+    body: SetRoleRequest,
+    current_user: UserInfo = Depends(validate_token),
+    user_repo: UserRepository = Depends(get_user_repo),
+    workspace_repo: WorkspaceRepository = Depends(get_workspace_repo),
+):
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Must be a workspace owner to assign roles",
+        )
+
+    # Ensure that the workspace exists in the tasks DB before we write to the
+    # OSM DB. TODO: remove the check when we merge the DBs with the proper FK
+    # constraints that enforce referential integrity internally.
+    #
+    await workspace_repo.getById(current_user, workspace_id)
+
+    await user_repo.assign_member_role(workspace_id, user_id, body.role)
+
+
+@router.delete("/{user_id}", status_code=status.HTTP_204_NO_CONTENT)
+async def remove_member_role(
+    workspace_id: int,
+    user_id: UUID,
+    current_user: UserInfo = Depends(validate_token),
+    user_repo: UserRepository = Depends(get_user_repo),
+    workspace_repo: WorkspaceRepository = Depends(get_workspace_repo),
+):
+    if not current_user.isWorkspaceLead(workspace_id):
+        raise HTTPException(
+            status_code=status.HTTP_403_FORBIDDEN,
+            detail="Must be a workspace owner to remove roles",
+        )
+
+    # Ensure that the workspace exists in the tasks DB before we write to the
+    # OSM DB. TODO: remove the check when we merge the DBs with the proper FK
+    # constraints that enforce referential integrity internally.
+    #
+    await workspace_repo.getById(current_user, workspace_id)
+
+    await user_repo.remove_member_role(workspace_id, user_id)