PnX-SI · bouttier · May 17, 2023 · May 17, 2023 · May 17, 2023
diff --git a/backend/geonature/core/gn_commons/validation/routes.py b/backend/geonature/core/gn_commons/validation/routes.py
@@ -18,7 +18,7 @@
 
 
 @routes.route("/history/<uuid_attached_row>", methods=["GET"])
-@permissions.check_cruved_scope("R")
+@permissions.check_cruved_scope("R", module_code="SYNTHESE")
 @json_resp
 def get_hist(uuid_attached_row):
     # Test if uuid_attached_row is uuid

diff --git a/backend/geonature/core/users/routes.py b/backend/geonature/core/users/routes.py
@@ -317,7 +317,7 @@ def after_confirmation():
 
 
 @routes.route("/role", methods=["PUT"])
-@permissions.check_cruved_scope("R")
+@permissions.login_required
 @json_resp
 def update_role():
     """
@@ -362,19 +362,17 @@ def update_role():
 
 
 @routes.route("/password/change", methods=["PUT"])
-@check_auth(1, True)
+@permissions.login_required
 @json_resp
-def change_password(id_role):
+def change_password():
     """
     Modifie le mot de passe de l'utilisateur connecté et de son ancien mdp
     Fait appel à l'API UsersHub
     """
     if not current_app.config["ACCOUNT_MANAGEMENT"].get("ENABLE_USER_MANAGEMENT", False):
         return {"message": "Page introuvable"}, 404
 
-    user = DB.session.query(User).get(id_role)
-    if not user:
-        return {"msg": "Droit insuffisant"}, 403
+    user = g.current_user
     data = request.get_json()
 
     init_password = data.get("init_password", None)

diff --git a/contrib/gn_module_occhab/backend/gn_module_occhab/blueprint.py b/contrib/gn_module_occhab/backend/gn_module_occhab/blueprint.py
@@ -260,6 +260,7 @@ def export_all_habitats(
 
 
 @blueprint.route("/defaultNomenclatures", methods=["GET"])
+@login_required
 def get_default_nomenclatures():
     """Get default nomenclatures define in occhab module
 

diff --git a/contrib/gn_module_validation/backend/gn_module_validation/blueprint.py b/contrib/gn_module_validation/backend/gn_module_validation/blueprint.py
@@ -4,6 +4,7 @@
 
 from flask import Blueprint, request, jsonify, current_app, g
 from flask.json import jsonify
+from werkzeug.exceptions import Forbidden
 import sqlalchemy as sa
 from sqlalchemy.orm import aliased, contains_eager, selectinload
 from marshmallow import ValidationError
@@ -28,7 +29,7 @@
 
 
 @blueprint.route("", methods=["GET", "POST"])
-@permissions.check_cruved_scope("R", get_scope=True, module_code="VALIDATION")
+@permissions.check_cruved_scope("C", get_scope=True, module_code="VALIDATION")
 def get_synthese_data(scope):
     """
     Return synthese and t_validations data filtered by form params
@@ -193,7 +194,7 @@ def get_synthese_data(scope):
 
 
 @blueprint.route("/statusNames", methods=["GET"])
-@permissions.check_cruved_scope("R", module_code="VALIDATION")
+@permissions.check_cruved_scope("C", module_code="VALIDATION")
 def get_statusNames():
     nomenclatures = (
         TNomenclatures.query.join(BibNomenclaturesTypes)
@@ -212,8 +213,8 @@ def get_statusNames():
 
 
 @blueprint.route("/<id_synthese>", methods=["POST"])
-@permissions.check_cruved_scope("C", module_code="VALIDATION")
-def post_status(id_synthese):
+@permissions.check_cruved_scope("C", get_scope=True, module_code="VALIDATION")
+def post_status(scope, id_synthese):
     data = dict(request.get_json())
     try:
         id_validation_status = data["statut"]
@@ -232,6 +233,10 @@ def post_status(id_synthese):
 
         # t_validations.uuid_attached_row:
         synthese = Synthese.query.get_or_404(int(id))
+
+        if not synthese.has_instance_permission(scope):
+            raise Forbidden
+
         uuid = synthese.unique_id_sinp
 
         # t_validations.id_validator:
@@ -269,12 +274,15 @@ def post_status(id_synthese):
 
 
 @blueprint.route("/date/<uuid:uuid>", methods=["GET"])
-def get_validation_date(uuid):
+@permissions.check_cruved_scope("C", get_scope=True, module_code="VALIDATION")
+def get_validation_date(scope, uuid):
     """
     Retourne la date de validation
     pour l'observation uuid
     """
     s = Synthese.query.filter_by(unique_id_sinp=uuid).lateraljoin_last_validation().first_or_404()
+    if not s.has_instance_permission(scope):
+        raise Forbidden
     if s.last_validation:
         return jsonify(str(s.last_validation.validation_date))
     else:

diff --git a/contrib/gn_module_validation/backend/gn_module_validation/migrations/__init__.py b/contrib/gn_module_validation/backend/gn_module_validation/migrations/__init__.py
diff --git a/...le_validation/backend/gn_module_validation/migrations/df93a68242ee_declare_permissions.py b/...le_validation/backend/gn_module_validation/migrations/df93a68242ee_declare_permissions.py
@@ -0,0 +1,92 @@
+"""declare permissions
+
+Revision ID: df93a68242ee
+Revises: 85efc9bb5a47
+Create Date: 2023-05-17 15:15:38.833529
+
+"""
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = "df93a68242ee"
+down_revision = None
+branch_labels = ("validation",)
+depends_on = ("f051b88a57fd",)
+
+
+def upgrade():
+    op.execute(
+        """
+        INSERT INTO
+            gn_permissions.t_permissions_available (
+                id_module,
+                id_object,
+                id_action,
+                label,
+                scope_filter
+            )
+        SELECT
+            m.id_module,
+            o.id_object,
+            a.id_action,
+            v.label,
+            v.scope_filter
+        FROM
+            (
+                VALUES
+                     ('VALIDATION', 'ALL', 'C', True, 'Valider les observations')
+            ) AS v (module_code, object_code, action_code, scope_filter, label)
+        JOIN
+            gn_commons.t_modules m ON m.module_code = v.module_code
+        JOIN
+            gn_permissions.t_objects o ON o.code_object = v.object_code
+        JOIN
+            gn_permissions.bib_actions a ON a.code_action = v.action_code
+        """
+    )
+    op.execute(
+        """
+        WITH bad_permissions AS (
+            SELECT
+                p.id_permission
+            FROM
+                gn_permissions.t_permissions p
+            JOIN gn_commons.t_modules m
+                    USING (id_module)
+            WHERE
+                m.module_code = 'VALIDATION'
+            EXCEPT
+            SELECT
+                p.id_permission
+            FROM
+                gn_permissions.t_permissions p
+            JOIN gn_permissions.t_permissions_available pa ON
+                (p.id_module = pa.id_module
+                    AND p.id_object = pa.id_object
+                    AND p.id_action = pa.id_action)
+        )
+        DELETE
+        FROM
+            gn_permissions.t_permissions p
+                USING bad_permissions bp
+        WHERE
+            bp.id_permission = p.id_permission;
+        """
+    )
+
+
+def downgrade():
+    op.execute(
+        """
+        DELETE FROM
+            gn_permissions.t_permissions_available pa
+        USING
+            gn_commons.t_modules m
+        WHERE
+            pa.id_module = m.id_module
+            AND
+            module_code = 'VALIDATION'
+        """
+    )
diff --git a/contrib/gn_module_validation/setup.py b/contrib/gn_module_validation/setup.py
@@ -29,6 +29,7 @@
             "picto = gn_module_validation:MODULE_PICTO",
             "blueprint = gn_module_validation.blueprint:blueprint",
             "config_schema = gn_module_validation.conf_schema_toml:GnModuleSchemaConf",
+            "migrations = gn_module_validation:migrations",
         ],
     },
     classifiers=[