drafted groups

Author: pcrespov

packages/models-library/src/models_library/api_schemas_webserver/groups.py

@@ -274,7 +274,14 @@ class GroupUserGet(OutputSchemaWithoutCamelCase):
     ] = None
 
     # Access Rights
-    access_rights: GroupAccessRights = Field(..., alias="accessRights")
+    access_rights: Annotated[
+        GroupAccessRights | None,
+        Field(
+            alias="accessRights",
+            description="If group is standard, these are these are the access rights of the user to it."
+            "None if primary group.",
+        ),
+    ] = None
 
     model_config = ConfigDict(
         populate_by_name=True,
@@ -292,7 +299,23 @@ class GroupUserGet(OutputSchemaWithoutCamelCase):
                     "write": False,
                     "delete": False,
                 },
-            }
+            },
+            "examples": [
+                # unique member on a primary group with two different primacy settings
+                {
+                    "id": "16",
+                    "userName": "mrprivate",
+                    "gid": "55",
+                },
+                {
+                    "id": "56",
+                    "userName": "mrpublic",
+                    "login": "[email protected]",
+                    "first_name": "Mr",
+                    "last_name": "Public",
+                    "gid": "42",
+                },
+            ],
         },
     )
 

packages/models-library/src/models_library/groups.py

@@ -108,7 +108,7 @@ class GroupMember(BaseModel):
     last_name: str | None
 
     # group access
-    access_rights: AccessRightsDict
+    access_rights: AccessRightsDict | None = None
 
     model_config = ConfigDict(from_attributes=True)
 

services/web/server/src/simcore_service_webserver/groups/_groups_repository.py

@@ -1,5 +1,6 @@
 import re
 from copy import deepcopy
+from typing import Literal
 
 import sqlalchemy as sa
 from aiohttp import web
@@ -89,11 +90,14 @@ def _to_group_info_tuple(group: Row) -> GroupInfoTuple:
 
 
 def _check_group_permissions(
-    group: Row, user_id: int, gid: int, permission: str
+    group: Row,
+    caller_id: UserID,
+    group_id: GroupID,
+    permission: Literal["read", "write", "delete"],
 ) -> None:
     if not group.access_rights[permission]:
         raise UserInsufficientRightsError(
-            user_id=user_id, gid=gid, permission=permission
+            user_id=caller_id, gid=group_id, permission=permission
         )
 
 
@@ -487,18 +491,37 @@ async def list_users_in_group(
 ) -> list[GroupMember]:
     async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
         # first check if the group exists
-        group = await _get_group_and_access_rights_or_raise(
-            conn, user_id=user_id, group_id=group_id
+        result = await conn.execute(
+            sa.select(
+                *_GROUP_COLUMNS,
+                user_to_groups.c.access_rights,
+            )
+            .select_from(
+                groups.join(
+                    user_to_groups, user_to_groups.c.gid == groups.c.gid, isouter=True
+                )
+            )
+            .where(
+                ((user_to_groups.c.uid == user_id) & (user_to_groups.c.gid == group_id))
+                | (groups.c.type == GroupType.PRIMARY)
+            )
         )
-        _check_group_permissions(group, user_id, group_id, "read")
+        group_row = result.first()
+        if not group_row:
+            raise GroupNotFoundError(gid=group_id)
+
+        if group_row.type != GroupType.PRIMARY:
+            _check_group_permissions(
+                group_row, caller_id=user_id, group_id=group_id, permission="read"
+            )
 
         # now get the list
         query = (
             sa.select(
                 *_group_user_cols(user_id),
                 user_to_groups.c.access_rights,
             )
-            .select_from(users.join(user_to_groups))
+            .select_from(users.join(user_to_groups, isouter=True))
             .where(user_to_groups.c.gid == group_id)
         )
 

services/web/server/src/simcore_service_webserver/groups/_groups_rest.py

@@ -164,7 +164,7 @@ async def delete_group(request: web.Request):
 @permission_required("groups.*")
 @handle_plugin_requests_exceptions
 async def get_all_group_users(request: web.Request):
-    """Gets users in organization groups"""
+    """Gets users in organization or primary groups"""
     req_ctx = GroupsRequestContext.model_validate(request)
     path_params = parse_request_path_parameters_as(GroupsPathParams, request)
 

services/web/server/tests/unit/with_dbs/03/test_users.py

@@ -20,6 +20,7 @@
 from common_library.users_enums import UserRole, UserStatus
 from faker import Faker
 from models_library.api_schemas_webserver.auth import AccountRequestInfo
+from models_library.api_schemas_webserver.groups import GroupUserGet
 from models_library.api_schemas_webserver.users import (
     MyProfileGet,
     UserForAdminGet,
@@ -156,6 +157,25 @@ async def test_get_and_search_public_users(
         resp = await client.get(f"{url}")
         await assert_status(resp, status.HTTP_403_FORBIDDEN)
 
+        # GET user by primary GID
+        url = client.app.router["get_all_group_users"].url_for(
+            gid=f"{public_user['id']}"
+        )
+        resp = await client.get(f"{url}")
+        data, _ = await assert_status(resp, status.HTTP_200_OK)
+
+        user = GroupUserGet.model_validate(data)
+        assert user.id == public_user["id"]
+
+        url = client.app.router["get_all_group_users"].url_for(
+            gid=f"{private_user['id']}"
+        )
+        resp = await client.get(f"{url}")
+        data, _ = await assert_status(resp, status.HTTP_200_OK)
+
+        user = GroupUserGet.model_validate(data)
+        assert user.id == private_user["id"]
+
 
 @pytest.mark.parametrize(
     "user_role,expected",