Merge pull request #456 from ghga-de/develop

Prepare Release 1.0.4

Author: lkuchenb

datameta/api/download.py

@@ -54,7 +54,8 @@ def get_file_url(request: Request) -> HTTPTemporaryRedirect:
     response = {
             'fileId' : get_identifier(db_file),
             'fileUrl' : f"{request.host_url}{url}",
-            'expires' : expires_at.isoformat() + "+00:00"
+            'expires' : expires_at.isoformat() + "+00:00",
+            'checksum' : db_file.checksum
             }
 
     if redirect:

datameta/api/groups.py

@@ -25,7 +25,14 @@
 from sqlalchemy.orm import joinedload
 from sqlalchemy.exc import IntegrityError
 
-from pyramid.httpexceptions import HTTPNoContent, HTTPForbidden
+from pyramid.httpexceptions import HTTPNoContent, HTTPForbidden, HTTPNotFound
+
+
+@dataclass
+class GroupResponseElement(DataHolderBase):
+    """Class for Group Information Request communication to OpenApi"""
+    id: dict
+    name: str
 
 
 class GroupSubmissions:
@@ -110,6 +117,35 @@ class ChangeGroupName(DataHolderBase):
     new_group_name: str
 
 
+@view_config(
+    route_name="groups_id",
+    renderer="json",
+    request_method="GET",
+    openapi=True
+)
+def get(request: Request):
+
+    # Authenticate the user
+    auth_user = security.revalidate_user(request)
+
+    group_id = request.matchdict["id"]
+    db = request.dbsession
+
+    # Get the targeted user
+    target_group = resource_by_id(db, Group, group_id)
+
+    if target_group is None:
+        raise HTTPNotFound()
+
+    if not authz.view_group(auth_user, target_group):
+        raise HTTPForbidden()
+
+    return GroupResponseElement(
+        id              =   get_identifier(target_group),
+        name            =   target_group.name,
+    )
+
+
 @view_config(
     route_name="groups_id",
     renderer='json',

datameta/api/openapi.yaml

@@ -15,7 +15,7 @@
 openapi: 3.0.0
 info:
   description: DataMeta
-  version: 1.0.1
+  version: 1.3.0
   title: DataMeta
 
 servers:
@@ -111,7 +111,7 @@ paths:
           content:
             application/json:
               schema:
-                $ref: "#/components/schemas/UserResponse"
+                $ref: "#/components/schemas/WhoamiResponse"
         '401':
           description: Unauthorized
         '400':
@@ -341,6 +341,41 @@ paths:
           description: Internal Server Error
 
   /users/{id}:
+    get:
+      summary: Get user information
+      description: >-
+        Get information about a user.
+      tags:
+        - Authentication and Users
+      operationId: UserInformationRequest
+      parameters:
+        - name: id
+          in: path
+          description: ID of the user
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/UserResponse'
+        '400':
+          description: Validation Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorModel"
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '404':
+          description: Not found
+        '500':
+          description: Internal Server Error
     put:
       summary: Update a user's credentials and status
       description: Update a user's name, group, admin status and enabled status.
@@ -957,6 +992,41 @@ paths:
           description: Internal Server Error
 
   /groups/{id}:
+    get:
+      summary: Get group information
+      description: >-
+        Get information about a group.
+      tags:
+        - Groups
+      operationId: GroupInformationRequest
+      parameters:
+        - name: id
+          in: path
+          description: ID of the group
+          required: true
+          schema:
+            type: string
+      responses:
+        '200':
+          description: OK
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/GroupResponse'
+        '400':
+          description: Validation Error
+          content:
+            application/json:
+              schema:
+                $ref: "#/components/schemas/ErrorModel"
+        '401':
+          description: Unauthorized
+        '403':
+          description: Forbidden
+        '404':
+          description: Not found
+        '500':
+          description: Internal Server Error
     put:
       summary: Change the name of a group.
       description: >-
@@ -1282,10 +1352,13 @@ components:
         expires:
           type: string
           format: date-time
+        checksum:
+          type: string
       required:
         - fileId
         - fileUrl
         - expires
+        - checksum
       additionalProperties: false
 
     ApiKeyList:
@@ -1634,8 +1707,20 @@ components:
       required:
         - name
       additionalProperties: false
-
-    UserResponse:
+    
+    GroupResponse:
+      type: object
+      properties:
+        id:
+          $ref: "#/components/schemas/Identifier"
+        name:
+          type: string
+      required:
+        - id
+        - name
+      additionalProperties: false
+        
+    WhoamiResponse:
       type: object
       properties:
         id:
@@ -1667,6 +1752,38 @@ components:
         - group
       additionalProperties: false
 
+    UserResponse:
+      type: object
+      properties:
+        id:
+          $ref: "#/components/schemas/Identifier"
+        name:
+          type: string
+        groupAdmin:
+          type: boolean
+          nullable: true
+        siteAdmin:
+          type: boolean
+          nullable: true
+        siteRead:
+          type: boolean
+          nullable: true
+        email:
+          type: string
+          nullable: true
+        group:
+          type: object
+          properties:
+            id:
+              $ref: "#/components/schemas/Identifier"
+            name:
+              type: string
+      required:
+        - id
+        - name
+        - group
+      additionalProperties: false
+
     UserUpdateRequest:
       type: object
       properties:

datameta/api/ui/admin.py

@@ -64,7 +64,8 @@ def v_admin_put_request(request):
 
     # Check if the requesting user is authorized. Both the request group as well as the
     # administratively selected group have to be the requesting user's group
-    if not req_user.site_admin and (reg_req.group_id != req_user.group_id.uuid or newuser_group_id != req_user.group_id.uuid):
+
+    if not req_user.site_admin and (reg_req.group_id != req_user.group_id or newuser_group_id != str(req_user.group.uuid)):
         return HTTPUnauthorized()
 
     # Check if the specified group id is valid

datameta/api/users.py

@@ -12,6 +12,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
+
+from typing import Optional
+
 from pyramid.view import view_config
 from pyramid.request import Request
 from pyramid.httpexceptions import HTTPNoContent, HTTPForbidden, HTTPNotFound
@@ -37,6 +40,32 @@ class UserUpdateRequest(DataHolderBase):
 
 @dataclass
 class UserResponseElement(DataHolderBase):
+    """Class for User Update Request communication to OpenApi"""
+    id: dict
+    name: str  # why is this name when it is called fullname in the db?
+    group: dict
+    group_admin: Optional[bool] = None
+    site_admin: Optional[bool] = None
+    site_read: Optional[bool] = None
+    email: Optional[str] = None
+
+    @classmethod
+    def from_user(cls, target_user, requesting_user):
+        restricted_fields = dict()
+
+        if authz.view_restricted_user_info(requesting_user, target_user):
+            restricted_fields.update({
+                "group_admin": target_user.group_admin,
+                "site_admin": target_user.site_admin,
+                "site_read": target_user.site_read,
+                "email": target_user.email
+            })
+
+        return cls(id=get_identifier(target_user), name=target_user.fullname, group=get_identifier(target_user.group), **restricted_fields)
+
+
+@dataclass
+class WhoamiResponseElement(DataHolderBase):
     """Class for User Update Request communication to OpenApi"""
     id: dict
     name: str  # why is this name when it is called fullname in the db?
@@ -53,11 +82,11 @@ class UserResponseElement(DataHolderBase):
     request_method="GET",
     openapi=True
 )
-def get_whoami(request: Request) -> UserResponseElement:
+def get_whoami(request: Request) -> WhoamiResponseElement:
 
     auth_user = security.revalidate_user(request)
 
-    return UserResponseElement(
+    return WhoamiResponseElement(
         id              =   get_identifier(auth_user),
         name            =   auth_user.fullname,
         group_admin     =   auth_user.group_admin,
@@ -68,6 +97,31 @@ def get_whoami(request: Request) -> UserResponseElement:
     )
 
 
+@view_config(
+    route_name="user_id",
+    renderer="json",
+    request_method="GET",
+    openapi=True
+)
+def get(request: Request):
+
+    # Authenticate the user
+    auth_user = security.revalidate_user(request)
+
+    user_id = request.matchdict["id"]
+    db = request.dbsession
+
+    # Get the targeted user
+    target_user = resource_by_id(db, User, user_id)
+    if target_user is None:
+        raise HTTPNotFound()
+
+    if not authz.view_user(auth_user, target_user):
+        raise HTTPForbidden()
+
+    return UserResponseElement.from_user(target_user, auth_user)
+
+
 @view_config(
     route_name="user_id",
     renderer='json',

datameta/security/authz.py

@@ -16,18 +16,44 @@
 from ..models import MetaDatum, User
 
 
+def is_own_group(user, group):
+    return user.group.id == group.id
+
+
 def user_is_target(user, target_user):
     return user.id == target_user.id
 
 
 def has_group_rights(user, group):
-    return user.site_admin or (user.group_admin and user.group.id == group.id)
+    return user.site_admin or (user.group_admin and is_own_group(user, group))
 
 
 def is_power_grab(user, target_user):
     return not user.site_admin and target_user.site_admin
 
 
+def can_site_read(user):
+    return user.site_admin or user.site_read
+
+
+def view_user(user, target_user):
+    # Regular users shall only be able to request their own user and otherwise receive a 404.
+    # group_admin users shall be able to request information about all users in their group.
+    # site_read (!) and site_admin users shall be able to retrieve information about all users.
+    return any((
+        user_is_target(user, target_user),
+        has_group_rights(user, target_user.group),
+        can_site_read(user)
+    ))
+
+
+def view_group(user, group):
+    return any((
+        is_own_group(user, group),  # i assume, a 'normal' user can query their group's details regardless of group_admin status?
+        can_site_read(user)
+    ))
+
+
 def has_data_access(user, data_user_id, data_group_id=None, was_submitted=False):
     # if dataset was already submitted, the group must match, or the user must have site_read priviledges
     # if dataset was not yet submitted, the user must match
@@ -150,6 +176,10 @@ def update_user_name(user, target_user):
     ))
 
 
+def view_restricted_user_info(user, target_user):
+    return has_group_rights(user, target_user.group)
+
+
 def create_service(user):
     return user.site_admin