

Fixes #1060
The organisation manager was not granted "full" support to view the CO,
but being an Org manager was granted "lite" support to view the
collaboration details. The fix is to re-use the check of whether the Org
manager has access based on the units of their membership.
oharsta authored and baszoetekouw committed Nov 15, 2023
1 parent 9010fa1 commit 2cde516
Showing 1 changed file with 19 additions and 14 deletions.
33 changes: 19 additions & 14 deletions server/auth/security.py
Expand Up @@ -41,6 +41,23 @@ def _get_impersonated_session():
return session


def _has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=True):
organisation_id = collaboration.organisation_id
if is_organisation_admin(organisation_id):
return True
if not org_manager_allowed:
return False
is_organisation_member = is_organisation_admin_or_manager(organisation_id)
if not is_organisation_member:
return False
unit_allowed = True
membership = list(
filter(lambda m: m.user_id == user_id, collaboration.organisation.organisation_memberships))[0]
if membership.units:
unit_allowed = collaboration.is_allowed_unit_organisation_membership(membership)
return unit_allowed


def is_application_admin():
impersonated_session = _get_impersonated_session()
return impersonated_session["user"].get("admin", False)
Expand Down Expand Up @@ -180,19 +197,7 @@ def override_func():
collaboration = db.session.get(Collaboration, collaboration_id)
if not collaboration:
return False
org_id = collaboration.organisation_id
if is_organisation_admin(org_id):
return True
if org_manager_allowed:
is_organisation_member = is_organisation_admin_or_manager(org_id)
if not is_organisation_member:
return False
unit_allowed = True
membership = list(
filter(lambda m: m.user_id == user_id, collaboration.organisation.organisation_memberships))[0]
if membership.units:
unit_allowed = collaboration.is_allowed_unit_organisation_membership(membership)
return unit_allowed
return _has_org_manager_unit_access(user_id, collaboration, org_manager_allowed=org_manager_allowed)
return True

if read_only:
Expand All @@ -214,7 +219,7 @@ def override_func():
collaboration = db.session.get(Collaboration, collaboration_id)
if not collaboration:
return False
return is_organisation_admin_or_manager(collaboration.organisation_id)
return _has_org_manager_unit_access(user_id, collaboration)

confirm_write_access(override_func=override_func)


0 comments on commit 2cde516
