From ebb5f2131406ef369904641c553e1d2a72e317ae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Pawe=C5=82=20Srokosz?=
Date: Thu, 12 Dec 2024 15:19:42 +0100
Subject: [PATCH] Drop: share_queried_objects capability (#1004)

* Drop: share_queried_objects capability

* Fix capabilities list

* Remove test for share_queried_objects
---
 docs/user-guide/9-Sharing-objects.rst | 5 -----
 mwdb/core/capabilities.py | 2 --
 mwdb/core/deprecated.py | 4 ----
 mwdb/model/object.py | 19 -------------------
 mwdb/web/src/commons/auth/capabilities.tsx | 1 -
 mwdb/web/src/types/types.ts | 1 -
 tests/backend/test_permissions.py | 17 -----------------
 7 files changed, 49 deletions(-)

diff --git a/docs/user-guide/9-Sharing-objects.rst b/docs/user-guide/9-Sharing-objects.rst
index 97860b3a2..c6bf0404e 100644
--- a/docs/user-guide/9-Sharing-objects.rst
+++ b/docs/user-guide/9-Sharing-objects.rst
@@ -148,11 +148,6 @@ Each capability has its own name and scope:
 Allows to access all users and groups in MWDB. Rules described in *Who is who?* don't apply to users with that permission. Enables user to create new user accounts, new groups and change their capabilities and membership. Allows to manage attribute keys, define new ones, delete and set the group permissions for them.
-*
- **share_queried_objects - Query for all objects in system**
-
- That one is a bit tricky and will be possibly deprecated. MWDB will automatically share object and all descendants with group if member directly accessed it via identifier (knows the hash e.g. have direct link to the object). It can be used for bot accounts, so they have access only to these objects that are intended to be processed by them. Internally, we abandoned that idea, so that capability may not be stable.
-
 *
 **access_all_objects - Has access to all uploaded objects into system**
diff --git a/mwdb/core/capabilities.py b/mwdb/core/capabilities.py
index e656aaf44..40debc92c 100644
--- a/mwdb/core/capabilities.py
+++ b/mwdb/core/capabilities.py
@@ -1,8 +1,6 @@
 class Capabilities(object):
 # Can create/update users and groups
 manage_users = "manage_users"
- # Queried objects by members are automatically shared with this group
- share_queried_objects = "share_queried_objects"
 # All new uploaded objects are automatically shared with this group
 access_all_objects = "access_all_objects"
 # Can share objects with all groups, have access to complete list of groups
diff --git a/mwdb/core/deprecated.py b/mwdb/core/deprecated.py
index ba09c05eb..5d3a756a8 100644
--- a/mwdb/core/deprecated.py
+++ b/mwdb/core/deprecated.py
@@ -17,10 +17,6 @@ class DeprecatedFeature(Enum):
 # API keys non-complaint with RFC7519
 # Deprecated in v2.7.0
 legacy_api_key_v2 = "legacy_api_key_v2"
- # Legacy /request/sample/
- # Use /file//download instead
- # Deprecated in v2.2.0
- legacy_file_download = "legacy_file_download"
 # Legacy Metakey API
 # Use Attribute API instead
 # Deprecated in v2.6.0
diff --git a/mwdb/model/object.py b/mwdb/model/object.py
index c5b4e4c37..8c428cc55 100644
--- a/mwdb/model/object.py
+++ b/mwdb/model/object.py
@@ -475,8 +475,6 @@ def access(cls, identifier, requestor=None):
 (default: currently authenticated user)
 :return: Object instance or None
 """
- from .group import Group
-
 if requestor is None:
 requestor = g.auth_user
@@ -489,23 +487,6 @@ def access(cls, identifier, requestor=None):
 if obj.has_explicit_access(requestor):
 return obj
- # If not, but has "share_queried_objects" rights: give_access
- if requestor.has_rights(Capabilities.share_queried_objects):
- share_queried_groups = (
- db.session.query(Group)
- .filter(
- and_(
- Group.capabilities.contains(
- [Capabilities.share_queried_objects]
- ),
- requestor.is_member(Group.id),
- )
- )
- .all()
- )
- for group in share_queried_groups:
- obj.give_access(group.id, AccessType.QUERIED, obj, requestor)
- return obj
 # Well.. I've tried
 return None
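Review bot: Group rows that already carry the `share_queried_objects` string are not cleaned up by this patch; the query removed from object.py filtered on `Group.capabilities.contains([...])`, so the value lives in a stored array column and survives the removal of the class attribute. Those groups will keep reporting a capability the code no longer knows, and if the API validates incoming capability lists against the attributes of this class, re-saving such a group will presumably be rejected until someone edits the list by hand. A data migration that strips the value from existing rows, plus a changelog entry stating that the capability is gone, would close that gap. The Capabilities class body continues outside the hunk.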
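Review bot: The `legacy_file_download` member removed from DeprecatedFeature is unrelated to the share_queried_objects drop and is not mentioned in the commit message or the PR bullets. If any code still references `DeprecatedFeature.legacy_file_download` (for instance whatever emits the deprecation notice for the legacy `/request/sample/` route named in the removed comment), it will fail with AttributeError at the point that reference is evaluated, which the test suite may not exercise. Either confirm no references remain and mention the removal in the commit message, or move it to its own commit. The DeprecatedFeature enum body continues outside the hunk.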
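Review bot: Access grants created earlier by the removed `obj.give_access(group.id, AccessType.QUERIED, obj, requestor)` call are not revoked by this patch; they presumably still satisfy `has_explicit_access` on the context line above, so hash-based sharing stops for new lookups while everything already shared that way (including descendants, per the removed docs paragraph) stays reachable. If keeping those grants is intended, the changelog should say so; if not, a migration deleting permission rows whose reason type is QUERIED is needed, and the AccessType enum member itself can only go once such rows are gone. Separately, this hunk and the one above remove the only visible uses of `and_`, `AccessType` and `Capabilities` in `access`; if they are not used elsewhere in object.py the module-level imports are now unused, which a lint run would confirm. The `access` classmethod begins and ends outside the hunk.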
diff --git a/mwdb/web/src/commons/auth/capabilities.tsx b/mwdb/web/src/commons/auth/capabilities.tsx
index 95d2c555a..f8d2335eb 100644
--- a/mwdb/web/src/commons/auth/capabilities.tsx
+++ b/mwdb/web/src/commons/auth/capabilities.tsx
@@ -4,7 +4,6 @@ import { Capability } from "@mwdb-web/types/types";
 export let capabilitiesList: Record = {
 [Capability.manageUsers]: "Managing users and groups (system administration)",
- [Capability.shareQueriedObjects]: "Query for all objects in system",
 [Capability.accessAllObjects]: "Has access to all new uploaded objects into system",
 [Capability.sharingWithAll]: "Can share objects with all groups in system",
diff --git a/mwdb/web/src/types/types.ts b/mwdb/web/src/types/types.ts
index 9df98c1d2..fd5ac6890 100644
--- a/mwdb/web/src/types/types.ts
+++ b/mwdb/web/src/types/types.ts
@@ -2,7 +2,6 @@ import { AxiosError } from "axios";
 export enum Capability {
 manageUsers = "manage_users",
- shareQueriedObjects = "share_queried_objects",
 accessAllObjects = "access_all_objects",
 sharingWithAll = "sharing_with_all",
 accessUploaderInfo = "access_uploader_info",
diff --git a/tests/backend/test_permissions.py b/tests/backend/test_permissions.py
index 5ddfbc4ae..adc94425a 100644
--- a/tests/backend/test_permissions.py
+++ b/tests/backend/test_permissions.py
@@ -30,23 +30,6 @@ def request(*args, **kwargs):
 request("PUT", "/group/{}".format(group_name), json={"capabilities": []})
-def test_share_queried_objects(admin_session):
- testCase = RelationTestCase(admin_session)
-
- Alice = testCase.new_user("Alice")
- Bob = testCase.new_user("Bob", capabilities=["share_queried_objects"])
-
- Sample = testCase.new_sample("Sample")
-
- with ShouldRaise(status_code=404):
- Alice.session.get_sample(Sample.dhash)
-
- Bob.session.get_sample(Sample.dhash)
-
- Sample.should_not_access(Alice)
- Sample.should_access(Bob)
-
-
 def test_access_all_objects(admin_session):
 testCase = RelationTestCase(admin_session)
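Review bot: Once `shareQueriedObjects` is gone from `capabilitiesList`, a group that the backend still returns with `"share_queried_objects"` in its capabilities (stored rows are not migrated by this patch) has no label in this map, so whichever component indexes into it would render `undefined` for that entry. A fallback at the consumer such as `capabilitiesList[cap] ?? cap` keeps the raw capability name visible until the stale value is cleaned up server-side. The `capabilitiesList` literal continues outside the hunk.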