fix: access right permissions when getting

Author: giancarloromeo

packages/models-library/src/models_library/api_schemas_webserver/functions.py

@@ -5,7 +5,6 @@
 
 from ..functions import (
     Function,
-    FunctionAccessRights,
     FunctionBase,
     FunctionClass,
     FunctionClassSpecificData,
@@ -49,6 +48,7 @@
     UnsupportedFunctionClassError,
     UnsupportedFunctionFunctionJobClassCombinationError,
 )
+from ..groups import GroupID
 from ..projects import ProjectID
 from ._base import InputSchema, OutputSchema
 
@@ -114,11 +114,23 @@
 ]
 
 
+class FunctionGroupAccessRightsGet(OutputSchema):
+    read: bool
+    write: bool
+    execute: bool
+
+
+class FunctionGroupAccessRightsUpdate(InputSchema):
+    read: bool
+    write: bool
+    execute: bool
+
+
 class RegisteredSolverFunctionGet(RegisteredSolverFunction, OutputSchema):
     uid: Annotated[FunctionID, Field(alias="uuid")]
     created_at: Annotated[datetime.datetime, Field(alias="creationDate")]
     modified_at: Annotated[datetime.datetime, Field(alias="lastChangeDate")]
-    access_rights: FunctionAccessRights | None = None
+    access_rights: dict[GroupID, FunctionGroupAccessRightsGet] | None = None
     thumbnail: HttpUrl | None = None
 
 
@@ -127,7 +139,7 @@ class RegisteredProjectFunctionGet(RegisteredProjectFunction, OutputSchema):
     project_id: Annotated[ProjectID, Field(alias="templateId")]
     created_at: Annotated[datetime.datetime, Field(alias="creationDate")]
     modified_at: Annotated[datetime.datetime, Field(alias="lastChangeDate")]
-    access_rights: FunctionAccessRights | None = None
+    access_rights: dict[GroupID, FunctionGroupAccessRightsGet] | None = None
     thumbnail: HttpUrl | None = None
 
 
@@ -149,15 +161,3 @@ class ProjectFunctionToRegister(ProjectFunction, InputSchema): ...
 
 
 class RegisteredFunctionUpdate(FunctionUpdate, InputSchema): ...
-
-
-class FunctionGroupAccessRightsGet(OutputSchema):
-    read: bool
-    write: bool
-    execute: bool
-
-
-class FunctionGroupAccessRightsUpdate(InputSchema):
-    read: bool
-    write: bool
-    execute: bool

services/web/server/src/simcore_service_webserver/api/v0/openapi.yaml

@@ -3505,14 +3505,14 @@ paths:
         content:
           application/json:
             schema:
-              $ref: '#/components/schemas/FunctionGroupUpdate'
+              $ref: '#/components/schemas/FunctionGroupAccessRightsUpdate'
       responses:
         '200':
           description: Successful Response
           content:
             application/json:
               schema:
-                $ref: '#/components/schemas/Envelope_FunctionGroupGet_'
+                $ref: '#/components/schemas/Envelope_FunctionGroupAccessRightsGet_'
     delete:
       tags:
       - functions
@@ -10553,19 +10553,19 @@ components:
           title: Error
       type: object
       title: Envelope[FolderGet]
-    Envelope_FunctionGroupGet_:
+    Envelope_FunctionGroupAccessRightsGet_:
       properties:
         data:
           anyOf:
-          - $ref: '#/components/schemas/FunctionGroupGet'
+          - $ref: '#/components/schemas/FunctionGroupAccessRightsGet'
           - type: 'null'
         error:
           anyOf:
           - {}
           - type: 'null'
           title: Error
       type: object
-      title: Envelope[FunctionGroupGet]
+      title: Envelope[FunctionGroupAccessRightsGet]
     Envelope_GetProjectInactivityResponse_:
       properties:
         data:
@@ -12396,24 +12396,7 @@ components:
       required:
       - name
       title: FolderReplaceBodyParams
-    FunctionAccessRights:
-      properties:
-        read:
-          type: boolean
-          title: Read
-          default: false
-        write:
-          type: boolean
-          title: Write
-          default: false
-        execute:
-          type: boolean
-          title: Execute
-          default: false
-      additionalProperties: false
-      type: object
-      title: FunctionAccessRights
-    FunctionGroupGet:
+    FunctionGroupAccessRightsGet:
       properties:
         read:
           type: boolean
@@ -12429,8 +12412,8 @@ components:
       - read
       - write
       - execute
-      title: FunctionGroupGet
-    FunctionGroupUpdate:
+      title: FunctionGroupAccessRightsGet
+    FunctionGroupAccessRightsUpdate:
       properties:
         read:
           type: boolean
@@ -12446,7 +12429,7 @@ components:
       - read
       - write
       - execute
-      title: FunctionGroupUpdate
+      title: FunctionGroupAccessRightsUpdate
     GetProjectInactivityResponse:
       properties:
         is_inactive:
@@ -16184,8 +16167,11 @@ components:
           title: Templateid
         accessRights:
           anyOf:
-          - $ref: '#/components/schemas/FunctionAccessRights'
+          - additionalProperties:
+              $ref: '#/components/schemas/FunctionGroupAccessRightsGet'
+            type: object
           - type: 'null'
+          title: Accessrights
         thumbnail:
           anyOf:
           - type: string
@@ -16263,8 +16249,11 @@ components:
           title: Solverversion
         accessRights:
           anyOf:
-          - $ref: '#/components/schemas/FunctionAccessRights'
+          - additionalProperties:
+              $ref: '#/components/schemas/FunctionGroupAccessRightsGet'
+            type: object
           - type: 'null'
+          title: Accessrights
         thumbnail:
           anyOf:
           - type: string

services/web/server/src/simcore_service_webserver/functions/_controller/_functions_rest.py

@@ -12,13 +12,13 @@
 )
 from models_library.api_schemas_webserver.users import MyFunctionPermissionsGet
 from models_library.functions import (
-    FunctionAccessRights,
     FunctionClass,
     FunctionGroupAccessRights,
     FunctionID,
     RegisteredProjectFunction,
     RegisteredSolverFunction,
 )
+from models_library.groups import GroupID
 from models_library.products import ProductName
 from models_library.rest_pagination import Page
 from models_library.rest_pagination_utils import paginate_data
@@ -52,24 +52,27 @@
 routes = web.RouteTableDef()
 
 
-async def _build_function_access_rights(
+async def _build_function_group_access_rights(
     app: web.Application,
     user_id: UserID,
     product_name: ProductName,
     function_id: FunctionID,
-) -> FunctionAccessRights:
-    access_rights = await _functions_service.get_function_user_permissions(
+) -> dict[GroupID, FunctionGroupAccessRightsGet]:
+    access_rights_list = await _functions_service.get_function_group_permissions(
         app=app,
         user_id=user_id,
         product_name=product_name,
         function_id=function_id,
     )
 
-    return FunctionAccessRights(
-        read=access_rights.read,
-        write=access_rights.write,
-        execute=access_rights.execute,
-    )
+    return {
+        access_rights.group_id: FunctionGroupAccessRightsGet(
+            read=access_rights.read,
+            write=access_rights.write,
+            execute=access_rights.execute,
+        )
+        for access_rights in access_rights_list
+    }
 
 
 def _build_project_function_extras_dict(
@@ -221,7 +224,7 @@ async def list_functions(request: web.Request) -> web.Response:
                     )
 
     for function in functions:
-        access_rights = await _build_function_access_rights(
+        access_rights = await _build_function_group_access_rights(
             request.app,
             user_id=req_ctx.user_id,
             product_name=req_ctx.product_name,
@@ -271,7 +274,7 @@ async def get_function(request: web.Request) -> web.Response:
         product_name=req_ctx.product_name,
     )
 
-    access_rights = await _build_function_access_rights(
+    access_rights = await _build_function_group_access_rights(
         request.app,
         user_id=req_ctx.user_id,
         product_name=req_ctx.product_name,
@@ -319,7 +322,7 @@ async def update_function(request: web.Request) -> web.Response:
         function=function_update,
     )
 
-    access_rights = await _build_function_access_rights(
+    access_rights = await _build_function_group_access_rights(
         request.app,
         user_id=req_ctx.user_id,
         product_name=req_ctx.product_name,

services/web/server/src/simcore_service_webserver/functions/_functions_exceptions.py

@@ -2,4 +2,4 @@
 
 
 class FunctionGroupAccessRightsNotFoundError(OsparcErrorMixin, Exception):
-    msg_template = "Group '{group_id}' does not have access rights to {object_type} '{object_id}' in product '{product_name}'"
+    msg_template = "Group access rights not found for {object_type} '{object_id}' in product '{product_name}'"

services/web/server/src/simcore_service_webserver/functions/_functions_repository.py

@@ -1064,6 +1064,36 @@ async def delete_function_job_collection(
         )
 
 
+async def get_group_permissions(
+    app: web.Application,
+    connection: AsyncConnection | None = None,
+    *,
+    user_id: UserID,
+    product_name: ProductName,
+    object_type: Literal["function", "function_job", "function_job_collection"],
+    object_ids: list[UUID],
+) -> list[tuple[UUID, list[FunctionGroupAccessRights]]]:
+    async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
+        for object_id in object_ids:
+            await check_user_permissions(
+                app,
+                connection=conn,
+                user_id=user_id,
+                product_name=product_name,
+                object_id=object_id,
+                object_type=object_type,
+                permissions=["read"],
+            )
+
+        return await _internal_get_group_permissions(
+            app,
+            connection=connection,
+            product_name=product_name,
+            object_type=object_type,
+            object_ids=object_ids,
+        )
+
+
 async def set_group_permissions(
     app: web.Application,
     connection: AsyncConnection | None = None,
@@ -1170,6 +1200,55 @@ async def _internal_remove_group_permissions(
             )
 
 
+async def _internal_get_group_permissions(
+    app: web.Application,
+    connection: AsyncConnection | None = None,
+    *,
+    product_name: ProductName,
+    object_type: Literal["function", "function_job", "function_job_collection"],
+    object_ids: list[UUID],
+) -> list[tuple[UUID, list[FunctionGroupAccessRights]]]:
+    access_rights_table = None
+    field_name = None
+    if object_type == "function":
+        access_rights_table = functions_access_rights_table
+        field_name = "function_uuid"
+    elif object_type == "function_job":
+        access_rights_table = function_jobs_access_rights_table
+        field_name = "function_job_uuid"
+    elif object_type == "function_job_collection":
+        access_rights_table = function_job_collections_access_rights_table
+        field_name = "function_job_collection_uuid"
+
+    assert access_rights_table is not None  # nosec
+    assert field_name is not None  # nosec
+
+    access_rights_list: list[tuple[UUID, list[FunctionGroupAccessRights]]] = []
+    async with pass_or_acquire_connection(get_asyncpg_engine(app), connection) as conn:
+        for object_id in object_ids:
+            rows = [
+                row
+                async for row in await conn.stream(
+                    access_rights_table.select().where(
+                        getattr(access_rights_table.c, field_name) == object_id,
+                        access_rights_table.c.product_name == product_name,
+                    )
+                )
+            ]
+            group_permissions = [
+                FunctionGroupAccessRights(
+                    group_id=row.group_id,
+                    read=row.read,
+                    write=row.write,
+                    execute=row.execute,
+                )
+                for row in rows
+            ]
+            access_rights_list.append((object_id, group_permissions))
+
+        return access_rights_list
+
+
 async def _internal_set_group_permissions(
     app: web.Application,
     connection: AsyncConnection | None = None,
@@ -1238,7 +1317,7 @@ async def _internal_set_group_permissions(
                     "execute": execute if execute is not None else row["execute"],
                 }
 
-                await transaction.execute(
+                update_result = await transaction.execute(
                     access_rights_table.update()
                     .where(
                         getattr(access_rights_table.c, field_name) == object_id,
@@ -1252,8 +1331,10 @@ async def _internal_set_group_permissions(
                         access_rights_table.c.execute,
                     )
                 )
-                row = result.one()
-                access_rights_list.append((object_id, FunctionGroupAccessRights(**row)))
+                updated_row = update_result.one()
+                access_rights_list.append(
+                    (object_id, FunctionGroupAccessRights(**updated_row))
+                )
 
         return access_rights_list