Drafts group_or_role_permission_required

Author: pcrespov

services/web/server/src/simcore_service_webserver/products/_controller/rest.py

@@ -10,7 +10,10 @@
 
 from ..._meta import API_VTAG as VTAG
 from ...login.decorators import login_required
-from ...security.decorators import permission_required
+from ...security.decorators import (
+    group_or_role_permission_required,
+    permission_required,
+)
 from ...utils_aiohttp import envelope_json_response
 from .. import _service, products_web
 from .._repository import ProductRepository
@@ -46,7 +49,7 @@ async def _get_current_product_price(request: web.Request):
 
 @routes.get(f"/{VTAG}/products/{{product_name}}", name="get_product")
 @login_required
-@permission_required("product.details.*")
+@group_or_role_permission_required("product.details.*")
 @handle_rest_requests_exceptions
 async def _get_product(request: web.Request):
     req_ctx = ProductsRequestContext.model_validate(request)

services/web/server/src/simcore_service_webserver/security/_authz_access_roles.py

@@ -133,3 +133,14 @@ class PermissionDict(TypedDict, total=False):
 assert set(ROLES_PERMISSIONS) == set(  # nosec
     UserRole
 ), "All user roles must be part define permissions"  # nosec
+
+
+# Group-based permissions for support groups
+# Maps group type to list of permissions that group members can perform
+GROUP_PERMISSIONS: dict[str, list[str]] = {
+    "support_group": [
+        "product.details.*",
+        "admin.users.read",
+    ],
+    # NOTE: Future group types can be added here
+}

services/web/server/src/simcore_service_webserver/security/decorators.py

@@ -1,8 +1,14 @@
+from contextlib import suppress
 from functools import wraps
 
+import aiohttp_security.api  # type: ignore[import-untyped]
 from aiohttp import web
 from servicelib.aiohttp.typing_extension import Handler
 
+from ..products.products_web import get_current_product
+from ._authz_access_model import AuthContextDict
+from ._authz_access_roles import GROUP_PERMISSIONS
+from ._authz_web import check_user_authorized
 from .security_web import check_user_permission
 
 
@@ -26,3 +32,53 @@ async def _wrapped(request: web.Request):
         return _wrapped
 
     return _decorator
+
+
+def group_or_role_permission_required(permission: str):
+    """Decorator that checks user permissions via both roles AND groups (OR logic).
+
+    User gets access if they have permission via role OR group membership.
+
+    If user is not authorized - raises HTTPUnauthorized,
+    if user is authorized but lacks both role and group permissions - raises HTTPForbidden.
+    """
+
+    def _decorator(handler: Handler):
+        @wraps(handler)
+        async def _wrapped(request: web.Request):
+            context = AuthContextDict()
+            context["authorized_uid"] = await check_user_authorized(request)
+
+            # Check role-based permissions first
+            role_allowed = await aiohttp_security.api.permits(
+                request, permission, context
+            )
+            if role_allowed:
+                return await handler(request)
+
+            # Check group-based permissions
+            with suppress(
+                Exception
+                # If product or group check fails, continue to deny access
+                # NOTE: Logging omitted to avoid exposing internal errors
+            ):
+
+                product = get_current_product(request)
+
+                if product.support_standard_group_id is not None:
+                    # FIXME: Group membership API will be implemented later
+                    # For now, always returns False
+                    is_member = False  # Placeholder
+
+                    if is_member:
+                        group_permissions = GROUP_PERMISSIONS.get("support_group", [])
+                        if permission in group_permissions:
+                            return await handler(request)
+
+            # Neither role nor group permissions granted
+            msg = f"You do not have sufficient access rights for {permission}"
+            raise web.HTTPForbidden(text=msg)
+
+        return _wrapped
+
+    return _decorator

services/web/server/src/simcore_service_webserver/users/_controller/rest/accounts_rest.py

@@ -26,7 +26,10 @@
 from ...._meta import API_VTAG
 from ....invitations import api as invitations_service
 from ....login.decorators import login_required
-from ....security.decorators import permission_required
+from ....security.decorators import (
+    group_or_role_permission_required,
+    permission_required,
+)
 from ....utils_aiohttp import create_json_response_from_page, envelope_json_response
 from ... import _accounts_service
 from ._rest_exceptions import handle_rest_requests_exceptions
@@ -43,7 +46,7 @@
 
 @routes.get(f"/{API_VTAG}/admin/user-accounts", name="list_users_accounts")
 @login_required
-@permission_required("admin.users.read")
+@group_or_role_permission_required("admin.users.read")
 @handle_rest_requests_exceptions
 async def list_users_accounts(request: web.Request) -> web.Response:
     req_ctx = UsersRequestContext.model_validate(request)