Drop: share_queried_objects capability (#1004)
* Drop: share_queried_objects capability

* Fix capabilities list

* Remove test for share_queried_objects
psrok1 committed Dec 16, 2024
1 parent 04e28c1 commit 0342526
Showing 7 changed files with 0 additions and 49 deletions.
5 changes: 0 additions & 5 deletions docs/user-guide/9-Sharing-objects.rst
@@ -148,11 +148,6 @@ Each capability has its own name and scope:

Allows to access all users and groups in MWDB. Rules described in *Who is who?* don't apply to users with that permission. Enables user to create new user accounts, new groups and change their capabilities and membership. Allows to manage attribute keys, define new ones, delete and set the group permissions for them.

*
**share_queried_objects - Query for all objects in system**

That one is a bit tricky and will be possibly deprecated. MWDB will automatically share object and all descendants with group if member directly accessed it via identifier (knows the hash e.g. have direct link to the object). It can be used for bot accounts, so they have access only to these objects that are intended to be processed by them. Internally, we abandoned that idea, so that capability may not be stable.

*
**access_all_objects - Has access to all uploaded objects into system**

2 changes: 0 additions & 2 deletions mwdb/core/capabilities.py
@@ -1,8 +1,6 @@
class Capabilities(object):
# Can create/update users and groups
manage_users = "manage_users"
# Queried objects by members are automatically shared with this group
share_queried_objects = "share_queried_objects"
# All new uploaded objects are automatically shared with this group
access_all_objects = "access_all_objects"
# Can share objects with all groups, have access to complete list of groups
4 changes: 0 additions & 4 deletions mwdb/core/deprecated.py
@@ -19,10 +19,6 @@ class DeprecatedFeature(Enum):
# API keys non-complaint with RFC7519
# Deprecated in v2.7.0
legacy_api_key_v2 = "legacy_api_key_v2"
# Legacy /request/sample/<token>
# Use /file/<id>/download instead
# Deprecated in v2.2.0
legacy_file_download = "legacy_file_download"
# Legacy Metakey API
# Use Attribute API instead
# Deprecated in v2.6.0
19 changes: 0 additions & 19 deletions mwdb/model/object.py
@@ -475,8 +475,6 @@ def access(cls, identifier, requestor=None):
(default: currently authenticated user)
:return: Object instance or None
"""
from .group import Group

if requestor is None:
requestor = g.auth_user

@@ -489,23 +487,6 @@ def access(cls, identifier, requestor=None):
if obj.has_explicit_access(requestor):
return obj

# If not, but has "share_queried_objects" rights: give_access
if requestor.has_rights(Capabilities.share_queried_objects):
share_queried_groups = (
db.session.query(Group)
.filter(
and_(
Group.capabilities.contains(
[Capabilities.share_queried_objects]
),
requestor.is_member(Group.id),
)
)
.all()
)
for group in share_queried_groups:
obj.give_access(group.id, AccessType.QUERIED, obj, requestor)
return obj
# Well.. I've tried
return None

1 change: 0 additions & 1 deletion mwdb/web/src/commons/auth/capabilities.tsx
@@ -4,7 +4,6 @@ import { Capability } from "@mwdb-web/types/types";
export let capabilitiesList: Record<Capability, string> = {
[Capability.manageUsers]:
"Managing users and groups (system administration)",
[Capability.shareQueriedObjects]: "Query for all objects in system",
[Capability.accessAllObjects]:
"Has access to all new uploaded objects into system",
[Capability.sharingWithAll]: "Can share objects with all groups in system",
1 change: 0 additions & 1 deletion mwdb/web/src/types/types.ts
@@ -2,7 +2,6 @@ import { AxiosError } from "axios";

export enum Capability {
manageUsers = "manage_users",
shareQueriedObjects = "share_queried_objects",
accessAllObjects = "access_all_objects",
sharingWithAll = "sharing_with_all",
accessUploaderInfo = "access_uploader_info",
17 changes: 0 additions & 17 deletions tests/backend/test_permissions.py
@@ -30,23 +30,6 @@ def request(*args, **kwargs):
request("PUT", "/group/{}".format(group_name), json={"capabilities": []})


def test_share_queried_objects(admin_session):
testCase = RelationTestCase(admin_session)

Alice = testCase.new_user("Alice")
Bob = testCase.new_user("Bob", capabilities=["share_queried_objects"])

Sample = testCase.new_sample("Sample")

with ShouldRaise(status_code=404):
Alice.session.get_sample(Sample.dhash)

Bob.session.get_sample(Sample.dhash)

Sample.should_not_access(Alice)
Sample.should_access(Bob)


def test_access_all_objects(admin_session):
testCase = RelationTestCase(admin_session)
