diff --git a/contrib/gn_module_validation/backend/gn_module_validation/blueprint.py b/contrib/gn_module_validation/backend/gn_module_validation/blueprint.py index 9b4b9786b5..0bbde8d737 100644 --- a/contrib/gn_module_validation/backend/gn_module_validation/blueprint.py +++ b/contrib/gn_module_validation/backend/gn_module_validation/blueprint.py @@ -4,6 +4,7 @@ from flask import Blueprint, request, jsonify, current_app, g from flask.json import jsonify +from werkzeug.exceptions import Forbidden import sqlalchemy as sa from sqlalchemy.orm import aliased, contains_eager, selectinload from marshmallow import ValidationError @@ -28,7 +29,7 @@ @blueprint.route("", methods=["GET", "POST"]) -@permissions.check_cruved_scope("R", get_scope=True, module_code="VALIDATION") +@permissions.check_cruved_scope("C", get_scope=True, module_code="VALIDATION") def get_synthese_data(scope): """ Return synthese and t_validations data filtered by form params @@ -193,7 +194,7 @@ def get_synthese_data(scope): @blueprint.route("/statusNames", methods=["GET"]) -@permissions.check_cruved_scope("R", module_code="VALIDATION") +@permissions.check_cruved_scope("C", module_code="VALIDATION") def get_statusNames(): nomenclatures = ( TNomenclatures.query.join(BibNomenclaturesTypes) @@ -212,8 +213,8 @@ def get_statusNames(): @blueprint.route("/", methods=["POST"]) -@permissions.check_cruved_scope("C", module_code="VALIDATION") -def post_status(id_synthese): +@permissions.check_cruved_scope("C", get_scope=True, module_code="VALIDATION") +def post_status(scope, id_synthese): data = dict(request.get_json()) try: id_validation_status = data["statut"] @@ -232,6 +233,10 @@ def post_status(id_synthese): # t_validations.uuid_attached_row: synthese = Synthese.query.get_or_404(int(id)) + + if not synthese.has_instance_permission(scope): + raise Forbidden + uuid = synthese.unique_id_sinp # t_validations.id_validator: 
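Review bot: The decorator on `get_synthese_data` now requires action "C" for a route that only reads and filters data, and nothing at the call site says why; the same applies to `get_statusNames` in the next hunk. The migration added in this commit declares `('VALIDATION', 'ALL', 'C', True, 'Valider les observations')` as the only available permission for the module, so "C" here appears to mean "may validate" rather than "create". I would add above each decorator `# "C" is the only action declared for VALIDATION ("Valider les observations"); it also gates read access to this route.` so a later reader does not take it for a typo and switch it back to "R". The body of `get_synthese_data` continues outside the hunk.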
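Review bot: The `raise Forbidden` added after `Synthese.query.get_or_404(int(id))` in `post_status` may leave a request half-applied. The lookup uses `id`, not the route parameter `id_synthese`, so it presumably sits in a loop over several ids that starts outside the hunk. If each iteration writes and commits its validation row, the ids handled before the rejected one keep their new status even though the caller receives a 403. Running `has_instance_permission(scope)` for all requested observations before writing any, or rolling the session back before raising, would make the request all-or-nothing. The function starts and ends outside this hunk, so this needs checking against the full body.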
@@ -269,12 +274,15 @@ def post_status(id_synthese): @blueprint.route("/date/", methods=["GET"]) -def get_validation_date(uuid): +@permissions.check_cruved_scope("C", get_scope=True, module_code="VALIDATION") +def get_validation_date(scope, uuid): """ Retourne la date de validation pour l'observation uuid """ s = Synthese.query.filter_by(unique_id_sinp=uuid).lateraljoin_last_validation().first_or_404() + if not s.has_instance_permission(scope): + raise Forbidden if s.last_validation: return jsonify(str(s.last_validation.validation_date)) else: diff --git a/contrib/gn_module_validation/backend/gn_module_validation/migrations/__init__.py b/contrib/gn_module_validation/backend/gn_module_validation/migrations/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/contrib/gn_module_validation/backend/gn_module_validation/migrations/df93a68242ee_declare_permissions.py b/contrib/gn_module_validation/backend/gn_module_validation/migrations/df93a68242ee_declare_permissions.py new file mode 100644 index 0000000000..49f837c7b0 --- /dev/null +++ b/contrib/gn_module_validation/backend/gn_module_validation/migrations/df93a68242ee_declare_permissions.py 
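Review bot: In `get_validation_date` the lookup runs `first_or_404()` before the scope test, so an unknown UUID answers 404 and a known one outside the caller's scope answers 403; the status code alone confirms that the observation exists. `post_status` has the same order, with `get_or_404` followed by `raise Forbidden`. If existence outside the caller's scope should not be disclosed, both cases could answer the same way, for example `raise NotFound` in place of `raise Forbidden`, with `NotFound` imported from `werkzeug.exceptions`. The `else:` branch of the function continues past the end of the hunk.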
@@ -0,0 +1,92 @@
+"""declare permissions
+
+Revision ID: df93a68242ee
+Revises: 85efc9bb5a47
+Create Date: 2023-05-17 15:15:38.833529
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = "df93a68242ee"
+down_revision = None
+branch_labels = ("validation",)
+depends_on = ("f051b88a57fd",)
+
+
+def upgrade():
+ op.execute(
+ """
+ INSERT INTO
+ gn_permissions.t_permissions_available (
+ id_module,
+ id_object,
+ id_action,
+ label,
+ scope_filter
+ )
+ SELECT
+ m.id_module,
+ o.id_object,
+ a.id_action,
+ v.label,
+ v.scope_filter
+ FROM
+ (
+ VALUES
+ ('VALIDATION', 'ALL', 'C', True, 'Valider les observations')
+ ) AS v (module_code, object_code, action_code, scope_filter, label)
+ JOIN
+ gn_commons.t_modules m ON m.module_code = v.module_code
+ JOIN
+ gn_permissions.t_objects o ON o.code_object = v.object_code
+ JOIN
+ gn_permissions.bib_actions a ON a.code_action = v.action_code
+ """
+ )
+ op.execute(
+ """
+ WITH bad_permissions AS (
+ SELECT
+ p.id_permission
+ FROM
+ gn_permissions.t_permissions p
+ JOIN gn_commons.t_modules m
+ USING (id_module)
+ WHERE
+ m.module_code = 'VALIDATION'
+ EXCEPT
+ SELECT
+ p.id_permission
+ FROM
+ gn_permissions.t_permissions p
+ JOIN gn_permissions.t_permissions_available pa ON
+ (p.id_module = pa.id_module
+ AND p.id_object = pa.id_object
+ AND p.id_action = pa.id_action)
+ )
+ DELETE
+ FROM
+ gn_permissions.t_permissions p
+ USING bad_permissions bp
+ WHERE
+ bp.id_permission = p.id_permission;
+ """
+ )
+
+
+def downgrade():
+ op.execute(
+ """
+ DELETE FROM
+ gn_permissions.t_permissions_available pa
+ USING
+ gn_commons.t_modules m
+ WHERE
+ pa.id_module = m.id_module
+ AND
+ module_code = 'VALIDATION'
+ """
+ )
diff --git a/contrib/gn_module_validation/setup.py b/contrib/gn_module_validation/setup.py
index f3a9214e4e..893582f2f8 100644
--- a/contrib/gn_module_validation/setup.py
+++ b/contrib/gn_module_validation/setup.py
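Review bot: The second `op.execute` in `upgrade()` deletes every `gn_permissions.t_permissions` row of the VALIDATION module that has no match in `t_permissions_available`, and `downgrade()` only removes the available-permission rows, so those grants cannot be recovered by rolling back. Since only action 'C' is declared, accounts that held other actions on VALIDATION presumably lose access to the module after the upgrade; that fails closed, but it should be stated where the deletion happens. I would add above the statement `# Irreversible: removes all VALIDATION grants not declared in t_permissions_available; downgrade() does not restore them.` The docstring header also reads `Revises: 85efc9bb5a47` while the code sets `down_revision = None`, and one of the two should be corrected.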
@@ -29,6 +29,7 @@
 "picto = gn_module_validation:MODULE_PICTO",
 "blueprint = gn_module_validation.blueprint:blueprint",
 "config_schema = gn_module_validation.conf_schema_toml:GnModuleSchemaConf",
+ "migrations = gn_module_validation:migrations",
 ],
 },
 classifiers=[