Skip to content

Commit d416cdf

Browse files
committed
Moved functions out of iris_engine.access_control.utils into the business layer
1 parent a3e5979 commit d416cdf

5 files changed

Lines changed: 98 additions & 92 deletions

File tree

source/app/blueprints/access_controls.py

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -48,7 +48,7 @@
4848
from app.datamgmt.manage.manage_access_control_db import user_has_client_access
4949
from app.datamgmt.manage.manage_users_db import get_user
5050
from app.iris_engine.access_control.iris_user import iris_current_user
51-
from app.iris_engine.access_control.utils import ac_fast_check_user_has_case_access
51+
from app.business.access_controls import ac_fast_check_user_has_case_access
5252
from app.iris_engine.access_control.utils import ac_get_effective_permissions_of_user
5353
from app.iris_engine.utils.tracker import track_activity
5454
from app.models.authorization import Permissions

source/app/blueprints/rest/case/case_routes.py

Lines changed: 1 addition & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -38,9 +38,8 @@
3838
from app.datamgmt.manage.manage_groups_db import get_group_with_members
3939
from app.datamgmt.manage.manage_users_db import get_user
4040
from app.datamgmt.manage.manage_users_db import get_users_list_restricted_from_case
41-
from app.datamgmt.manage.manage_users_db import set_user_case_access
41+
from app.business.access_controls import set_user_case_access, ac_fast_check_user_has_case_access
4242
from app.business.cases import cases_export_to_json
43-
from app.iris_engine.access_control.utils import ac_fast_check_user_has_case_access
4443
from app.iris_engine.access_control.utils import ac_set_case_access_for_users
4544
from app.iris_engine.utils.tracker import track_activity
4645
from app.models.models import CaseStatus

source/app/business/access_controls.py

Lines changed: 93 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -15,9 +15,101 @@
1515
# You should have received a copy of the GNU Lesser General Public License
1616
# along with this program; if not, write to the Free Software Foundation,
1717
# Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
18+
from sqlalchemy import and_
19+
20+
from app import db
21+
from app.datamgmt.manage.manage_access_control_db import get_case_effective_access
22+
from app.datamgmt.manage.manage_access_control_db import check_ua_case_client
1823
from app.iris_engine.access_control.iris_user import iris_current_user
19-
from app.iris_engine.access_control.utils import ac_fast_check_user_has_case_access
24+
from app.logger import logger
25+
from app.models.authorization import UserCaseAccess
26+
from app.models.authorization import UserCaseEffectiveAccess
27+
from app.models.authorization import CaseAccessLevel
28+
from app.models.authorization import ac_flag_match_mask
2029

2130

2231
def ac_fast_check_current_user_has_case_access(cid, access_level):
2332
return ac_fast_check_user_has_case_access(iris_current_user.id, cid, access_level)
33+
34+
35+
def set_user_case_access(user_id, case_id, access_level):
36+
37+
uca = UserCaseAccess.query.filter(
38+
UserCaseAccess.user_id == user_id,
39+
UserCaseAccess.case_id == case_id
40+
).all()
41+
42+
if len(uca) > 1:
43+
for u in uca:
44+
db.session.delete(u)
45+
db.session.commit()
46+
uca = None
47+
48+
if not uca:
49+
uca = UserCaseAccess()
50+
uca.user_id = user_id
51+
uca.case_id = case_id
52+
uca.access_level = access_level
53+
db.session.add(uca)
54+
else:
55+
uca[0].access_level = access_level
56+
57+
db.session.commit()
58+
59+
set_case_effective_access_for_user(user_id, case_id, access_level)
60+
61+
62+
def set_case_effective_access_for_user(user_id, case_id, access_level: int):
63+
"""
64+
Set a case access from a user
65+
"""
66+
67+
uac = UserCaseEffectiveAccess.query.where(and_(
68+
UserCaseEffectiveAccess.user_id == user_id,
69+
UserCaseEffectiveAccess.case_id == case_id
70+
)).all()
71+
72+
if len(uac) > 1:
73+
logger.error(f'Multiple access found for user {user_id} and case {case_id}')
74+
for u in uac:
75+
db.session.delete(u)
76+
db.session.commit()
77+
78+
uac = UserCaseEffectiveAccess()
79+
uac.user_id = user_id
80+
uac.case_id = case_id
81+
uac.access_level = access_level
82+
db.session.add(uac)
83+
84+
elif len(uac) == 1:
85+
uac = uac[0]
86+
uac.access_level = access_level
87+
88+
db.session.commit()
89+
90+
91+
def ac_fast_check_user_has_case_access(user_id, cid, expected_access_levels: list[CaseAccessLevel]):
92+
"""
93+
Checks the user has access to the case with at least one of the access_level
94+
if the user has access, returns the access level of the user to the case
95+
Returns None otherwise
96+
"""
97+
access_level = get_case_effective_access(user_id, cid)
98+
99+
if not access_level:
100+
# The user has no direct access, check if he is part of the client
101+
access_level = check_ua_case_client(user_id, cid)
102+
if not access_level:
103+
return None
104+
set_case_effective_access_for_user(user_id, cid, access_level)
105+
106+
return access_level
107+
108+
if ac_flag_match_mask(access_level, CaseAccessLevel.deny_all.value):
109+
return None
110+
111+
for acl in expected_access_levels:
112+
if ac_flag_match_mask(access_level, acl.value):
113+
return access_level
114+
115+
return None

source/app/datamgmt/manage/manage_users_db.py

Lines changed: 0 additions & 28 deletions
Original file line numberDiff line numberDiff line change
@@ -34,7 +34,6 @@
3434
from app.iris_engine.access_control.utils import ac_auto_update_user_effective_access
3535
from app.iris_engine.access_control.utils import ac_get_detailed_effective_permissions_from_groups
3636
from app.iris_engine.access_control.utils import ac_remove_case_access_from_user
37-
from app.iris_engine.access_control.utils import ac_set_case_access_for_user
3837
from app.models.cases import Cases
3938
from app.models.models import Client
4039
from app.models.models import UserActivity
@@ -445,33 +444,6 @@ def remove_case_access_from_user(user_id, case_id):
445444
return True, 'Case access removed'
446445

447446

448-
def set_user_case_access(user_id, case_id, access_level):
449-
450-
uca = UserCaseAccess.query.filter(
451-
UserCaseAccess.user_id == user_id,
452-
UserCaseAccess.case_id == case_id
453-
).all()
454-
455-
if len(uca) > 1:
456-
for u in uca:
457-
db.session.delete(u)
458-
db.session.commit()
459-
uca = None
460-
461-
if not uca:
462-
uca = UserCaseAccess()
463-
uca.user_id = user_id
464-
uca.case_id = case_id
465-
uca.access_level = access_level
466-
db.session.add(uca)
467-
else:
468-
uca[0].access_level = access_level
469-
470-
db.session.commit()
471-
472-
ac_set_case_access_for_user(user_id, case_id, access_level)
473-
474-
475447
def get_user_details(user_id, include_api_key=False):
476448

477449
user = User.query.filter(User.id == user_id).first()

source/app/iris_engine/access_control/utils.py

Lines changed: 3 additions & 60 deletions
Original file line numberDiff line numberDiff line change
@@ -2,10 +2,9 @@
22
from sqlalchemy import and_
33

44
from app import db
5+
from app.business.access_controls import set_case_effective_access_for_user
56
from app.logger import logger
67
from app.iris_engine.access_control.iris_user import iris_current_user
7-
from app.datamgmt.manage.manage_access_control_db import check_ua_case_client
8-
from app.datamgmt.manage.manage_access_control_db import get_case_effective_access
98
from app.models.cases import Cases
109
from app.models.models import Client
1110
from app.models.authorization import CaseAccessLevel
@@ -285,33 +284,6 @@ def ac_trace_effective_user_permissions(user_id):
285284
return perms
286285

287286

288-
def ac_fast_check_user_has_case_access(user_id, cid, expected_access_levels: list[CaseAccessLevel]):
289-
"""
290-
Checks the user has access to the case with at least one of the access_level
291-
if the user has access, returns the access level of the user to the case
292-
Returns None otherwise
293-
"""
294-
access_level = get_case_effective_access(user_id, cid)
295-
296-
if not access_level:
297-
# The user has no direct access, check if he is part of the client
298-
access_level = check_ua_case_client(user_id, cid)
299-
if not access_level:
300-
return None
301-
ac_set_case_access_for_user(user_id, cid, access_level)
302-
303-
return access_level
304-
305-
if ac_flag_match_mask(access_level, CaseAccessLevel.deny_all.value):
306-
return None
307-
308-
for acl in expected_access_levels:
309-
if ac_flag_match_mask(access_level, acl.value):
310-
return access_level
311-
312-
return None
313-
314-
315287
def ac_recompute_effective_ac_from_users_list(users_list):
316288
"""
317289
Recompute all users effective access of users
@@ -558,44 +530,15 @@ def ac_set_case_access_for_users(users, case_id, access_level):
558530
user_id = user.get('id')
559531
if user_id == iris_current_user.id:
560532
logs = "It's done, but I excluded you from the list of users to update, Dave"
561-
ac_set_case_access_for_user(user.get('id'), case_id, CaseAccessLevel.full_access.value)
533+
set_case_effective_access_for_user(user.get('id'), case_id, CaseAccessLevel.full_access.value)
562534
continue
563535

564-
ac_set_case_access_for_user(user.get('id'), case_id, access_level)
536+
set_case_effective_access_for_user(user.get('id'), case_id, access_level)
565537

566538
db.session.commit()
567539
return True, logs
568540

569541

570-
def ac_set_case_access_for_user(user_id, case_id, access_level: int):
571-
"""
572-
Set a case access from a user
573-
"""
574-
575-
uac = UserCaseEffectiveAccess.query.where(and_(
576-
UserCaseEffectiveAccess.user_id == user_id,
577-
UserCaseEffectiveAccess.case_id == case_id
578-
)).all()
579-
580-
if len(uac) > 1:
581-
logger.error(f'Multiple access found for user {user_id} and case {case_id}')
582-
for u in uac:
583-
db.session.delete(u)
584-
db.session.commit()
585-
586-
uac = UserCaseEffectiveAccess()
587-
uac.user_id = user_id
588-
uac.case_id = case_id
589-
uac.access_level = access_level
590-
db.session.add(uac)
591-
592-
elif len(uac) == 1:
593-
uac = uac[0]
594-
uac.access_level = access_level
595-
596-
db.session.commit()
597-
598-
599542
def ac_get_fast_user_cases_access(user_id):
600543
ucea = UserCaseEffectiveAccess.query.with_entities(
601544
UserCaseEffectiveAccess.case_id

0 commit comments

Comments
 (0)