From 3eabbd50b31c241ef81380d6673b9f38cc7428f9 Mon Sep 17 00:00:00 2001
From: c8y3 <25362953+c8y3@users.noreply.github.com>
Date: Wed, 20 Mar 2024 09:46:26 +0100
Subject: [PATCH] [IMP] Introduced permission check in the business layer
---
 source/app/business/cases.py | 3 +++
 source/app/business/permissions.py | 16 ++++++++++++++++
 2 files changed, 19 insertions(+)
diff --git a/source/app/business/cases.py b/source/app/business/cases.py
index cb9dfdd79..9e5f0a230 100644
--- a/source/app/business/cases.py
+++ b/source/app/business/cases.py
@@ -18,14 +18,17 @@ from app import app
 from app.models.authorization import CaseAccessLevel
+from app.models.authorization import Permissions
 from app.iris_engine.module_handler.module_handler import call_modules_hook
 from app.iris_engine.utils.tracker import track_activity
 from app.datamgmt.manage.manage_cases_db import delete_case
 from app.business.errors import BusinessProcessingError
 from app.business.permissions import check_current_user_has_some_case_access
+from app.business.permissions import check_current_user_has_some_permission
 def delete(case_identifier, context_case_identifier):
+ check_current_user_has_some_permission([Permissions.standard_user])
 check_current_user_has_some_case_access(case_identifier, [CaseAccessLevel.full_access])
 if case_identifier == 1:
diff --git a/source/app/business/permissions.py b/source/app/business/permissions.py
index 29efad29b..4ac199329 100644
--- a/source/app/business/permissions.py
+++ b/source/app/business/permissions.py
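Review bot: `delete` now raises `PermissionDeniedError` from two checks placed before the primary-case guard, but it carries no docstring, so a caller cannot tell which permission is required without reading the body. I would add `"""Delete a case. Raises PermissionDeniedError unless the current user holds standard_user and full access on the case."""` directly below the signature. Because the `standard_user` requirement now applies to every caller of this business function, it is worth confirming that no API or UI path is expected to delete cases with a different permission set. The body of `delete` continues outside the hunk.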
@@ -16,6 +16,11 @@
 # along with this program; if not, write to the Free Software Foundation,
 # Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+from flask import session
+from flask_login import current_user
+
+from app.models.authorization import Permissions
+from app.iris_engine.access_control.utils import ac_get_effective_permissions_of_user
 from app.iris_engine.access_control.utils import ac_fast_check_current_user_has_case_access
 from app.business.errors import PermissionDeniedError
@@ -23,3 +28,14 @@
 def check_current_user_has_some_case_access(case_identifier, access_levels):
 if not ac_fast_check_current_user_has_case_access(case_identifier, access_levels):
 raise PermissionDeniedError()
+
+
+def check_current_user_has_some_permission(permissions):
+ if 'permissions' not in session:
+ session['permissions'] = ac_get_effective_permissions_of_user(current_user)
+
+ for permission in permissions:
+ if session['permissions'] & permission.value:
+ return
+
+ raise PermissionDeniedError()
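Review bot: `check_current_user_has_some_permission` computes the effective permission mask once, stores it in `session['permissions']`, and never refreshes it, so a user whose permissions are revoked or whose group membership changes keeps the old mask for the lifetime of the session; with Flask's default signed-cookie session that is until the cookie expires or is cleared, and if logout does not clear the session a later login in the same browser could presumably inherit the stale mask. Unless the cache is invalidated on every permission change and on logout, the safer form is to resolve per check, `effective = ac_get_effective_permissions_of_user(current_user)` followed by `if effective & permission.value:`, or at least to key the cached value by the current user's id and verify that key on read. The function also deserves a docstring stating that it passes when any one of `permissions` is held and raises `PermissionDeniedError` otherwise, which means an empty list always denies; `check_current_user_has_some_case_access` just above has none either.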