drafted sharing

pcrespov · pcrespov · commit 1ef4437a3445 · 2025-01-06T14:21:28.000+01:00
diff --git a/packages/postgres-database/src/simcore_postgres_database/utils_tags.py b/packages/postgres-database/src/simcore_postgres_database/utils_tags.py
@@ -10,10 +10,13 @@
 from .utils_tags_sql import (
     count_groups_with_given_access_rights_stmt,
     create_tag_stmt,
+    delete_tag_sharing_stmt,
     delete_tag_stmt,
     get_tag_stmt,
+    has_access_rights_stmt,
+    list_tag_group_access_stmt,
     list_tags_stmt,
-    set_tag_access_rights_stmt,
+    share_tag_stmt,
     update_tag_stmt,
 )
 
@@ -109,7 +112,7 @@ async def create(
             assert tag  # nosec
 
             # take tag ownership
-            access_stmt = set_tag_access_rights_stmt(
+            access_stmt = share_tag_stmt(
                 tag_id=tag.id,
                 user_id=user_id,
                 read=read,
@@ -231,37 +234,100 @@ async def delete(
     # ACCESS RIGHTS
     #
 
-    async def create_access_rights(
+    async def _has_access_rights(
+        self,
+        connection: AsyncConnection,
+        *,
+        caller_id: int,
+        tag_id: int,
+        read: bool = False,
+        write: bool = False,
+        delete: bool = False,
+    ) -> bool:
+        result = await connection.execute(
+            has_access_rights_stmt(
+                tag_id=tag_id,
+                caller_user_id=caller_id,
+                read=read,
+                write=write,
+                delete=delete,
+            )
+        )
+        return result.fetchone() is not None
+
+    async def list_tag_group_access(
         self,
         connection: AsyncConnection | None = None,
         *,
+        # caller
         user_id: int,
+        # target
         tag_id: int,
-        group_id: int,
-        read: bool,
-        write: bool,
-        delete: bool,
     ):
-        raise NotImplementedError
+        async with pass_or_acquire_connection(self.engine, connection) as conn:
+            if not await self._has_access_rights(
+                conn, caller_id=user_id, tag_id=tag_id, read=True
+            ):
+                # TODO: empyt list or error?
+                raise TagOperationNotAllowedError(
+                    operation="share.list", user_id=user_id, tag_id=tag_id
+                )
 
-    async def update_access_rights(
+            result = await conn.execute(list_tag_group_access_stmt(tag_id=tag_id))
+            return [dict(row) for row in result.fetchall()]
+
+    async def create_or_update_access_rights(
         self,
         connection: AsyncConnection | None = None,
         *,
+        # caller
         user_id: int,
+        # target
         tag_id: int,
         group_id: int,
+        # access-rights
         read: bool,
         write: bool,
         delete: bool,
     ):
-        raise NotImplementedError
+        async with transaction_context(self.engine, connection) as conn:
+            if not await self._has_access_rights(
+                conn, caller_id=user_id, tag_id=tag_id, write=True
+            ):
+                raise TagOperationNotAllowedError(
+                    operation="share.write", user_id=user_id, tag_id=tag_id
+                )
+
+            result = await conn.execute(
+                share_tag_stmt(
+                    tag_id=tag_id,
+                    group_id=group_id,
+                    read=read,
+                    write=write,
+                    delete=delete,
+                )
+            )
+            row = result.first()
+            return dict(row)
 
     async def delete_access_rights(
         self,
         connection: AsyncConnection | None = None,
         *,
         user_id: int,
+        # target
         tag_id: int,
-    ):
-        raise NotImplementedError
+        group_id: int,
+    ) -> bool:
+        async with transaction_context(self.engine, connection) as conn:
+            if not await self._has_access_rights(
+                conn, caller_id=user_id, tag_id=tag_id, write=True
+            ):
+                raise TagOperationNotAllowedError(
+                    operation="share.delete", user_id=user_id, tag_id=tag_id
+                )
+
+            deleted: bool = await conn.scalar(
+                delete_tag_sharing_stmt(tag_id=tag_id, group_id=group_id)
+            )
+            return deleted
diff --git a/packages/postgres-database/src/simcore_postgres_database/utils_tags_sql.py b/packages/postgres-database/src/simcore_postgres_database/utils_tags_sql.py
@@ -130,25 +130,6 @@ def count_groups_with_given_access_rights_stmt(
     return sa.select(sa.func.count(user_to_groups.c.uid)).select_from(j)
 
 
-def set_tag_access_rights_stmt(
-    *, tag_id: int, user_id: int, read: bool, write: bool, delete: bool
-):
-    scalar_subq = (
-        sa.select(users.c.primary_gid).where(users.c.id == user_id).scalar_subquery()
-    )
-    return (
-        tags_access_rights.insert()
-        .values(
-            tag_id=tag_id,
-            group_id=scalar_subq,
-            read=read,
-            write=write,
-            delete=delete,
-        )
-        .returning(*_ACCESS_RIGHTS_COLUMNS)
-    )
-
-
 def update_tag_stmt(*, user_id: int, tag_id: int, **updates):
     return (
         tags.update()
@@ -182,6 +163,108 @@ def delete_tag_stmt(*, user_id: int, tag_id: int):
     )
 
 
+#
+# ACCESS RIGHTS AND SHARING: GROUP<--> TAGS
+#
+
+
+def list_tag_group_access_stmt(*, tag_id: int):
+    return sa.select(tags_access_rights.c.group_id, *_ACCESS_RIGHTS_COLUMNS).where(
+        tags_access_rights.c.tag_id == tag_id
+    )
+
+
+def share_tag_stmt(
+    *,
+    tag_id: int,
+    group_id: int | None = None,
+    user_id: int | None = None,
+    read: bool,
+    write: bool,
+    delete: bool,
+):
+    assert (user_id and group_id) or (not user_id and not group_id)  # nosec
+
+    if user_id:
+        assert not group_id  # nosec
+        target_group_id = (
+            sa.select(users.c.primary_gid)
+            .where(users.c.id == user_id)
+            .scalar_subquery()
+        )
+    else:
+        assert group_id  # nosec
+        target_group_id = group_id
+
+    return (
+        pg_insert(tags_access_rights)
+        .values(
+            tag_id=tag_id,
+            group_id=target_group_id,
+            read=read,
+            write=write,
+            delete=delete,
+        )
+        .on_conflict_do_update(
+            index_elements=["tag_id", "group_id"],
+            set_={"read": read, "write": write, "delete": delete},
+        )
+        .returning(tags_access_rights.c.group_id, *_ACCESS_RIGHTS_COLUMNS)
+    )
+
+
+def delete_tag_sharing_stmt(*, tag_id: int, group_id: int):
+    return (
+        sa.delete(tags_access_rights)
+        .where(
+            (tags_access_rights.c.tag_id == tag_id)
+            & (tags_access_rights.c.group_id == group_id)
+        )
+        .returning(tags_access_rights.c.tag_id.is_not(None))
+    )
+
+
+def has_access_rights_stmt(
+    *,
+    tag_id: int,
+    caller_user_id: int | None = None,
+    caller_group_id: int | None = None,
+    read: bool = False,
+    write: bool = False,
+    delete: bool = False,
+):
+    conditions = []
+
+    # caller
+    if caller_user_id is not None:
+        group_condition = (
+            tags_access_rights.c.group_id
+            == sa.select(users.c.primary_gid)
+            .where(users.c.id == caller_user_id)
+            .scalar_subquery()
+        )
+    elif caller_group_id is not None:
+        group_condition = tags_access_rights.c.group_id == caller_group_id
+    else:
+        msg = "Either caller_user_id or caller_group_id must be provided."
+        raise ValueError(msg)
+
+    conditions.append(group_condition)
+    if read:
+        conditions.append(tags_access_rights.c.read.is_(True))
+    if write:
+        conditions.append(tags_access_rights.c.write.is_(True))
+    if delete:
+        conditions.append(tags_access_rights.c.delete.is_(True))
+
+    return sa.select(tags_access_rights).where(
+        sa.and_(
+            tags_access_rights.c.tag_id == tag_id,
+            *conditions,
+        )
+    )
+
+
 #
 # PROJECT TAGS
 #
diff --git a/packages/postgres-database/tests/test_utils_tags.py b/packages/postgres-database/tests/test_utils_tags.py
@@ -28,7 +28,7 @@
     get_tags_for_project_stmt,
     get_tags_for_services_stmt,
     list_tags_stmt,
-    set_tag_access_rights_stmt,
+    share_tag_stmt,
     update_tag_stmt,
 )
 from sqlalchemy.ext.asyncio import AsyncEngine
@@ -690,7 +690,7 @@ def _check(func_smt, **kwargs):
     )
 
     _check(
-        set_tag_access_rights_stmt,
+        share_tag_stmt,
         tag_id=tag_id,
         user_id=user_id,
         read=True,
