splits decorator from actual function

pcrespov · pcrespov · commit 24f7dbcda5e1 · 2025-09-08T15:25:01.000+02:00
diff --git a/services/web/server/src/simcore_service_webserver/security/_authz_web.py b/services/web/server/src/simcore_service_webserver/security/_authz_web.py
@@ -54,3 +54,29 @@ async def check_user_permission(
         else:
             msg += f" {permission}"
         raise web.HTTPForbidden(text=msg)
+
+
+async def check_user_permission_with_groups(
+    request: web.Request, permission: str
+) -> None:
+    """Checker that passes to authorized users with given permission via roles OR groups.
+
+    Raises:
+        web.HTTPUnauthorized: If user is not authorized
+        web.HTTPForbidden: If user is authorized but lacks both role and group permissions
+    """
+    from ..products import products_web
+
+    context = {
+        "authorized_uid": await check_user_authorized(request),
+        "enable_group_permissions": True,
+        "request": request,
+        "product_support_group_id": products_web.get_current_product(
+            request
+        ).support_standard_group_id,
+    }
+
+    allowed = await aiohttp_security.api.permits(request, permission, context)
+    if not allowed:
+        msg = f"You do not have sufficient access rights for {permission}"
+        raise web.HTTPForbidden(text=msg)
diff --git a/services/web/server/src/simcore_service_webserver/security/decorators.py b/services/web/server/src/simcore_service_webserver/security/decorators.py
@@ -1,11 +1,9 @@
 from functools import wraps
 
-import aiohttp_security.api  # type: ignore[import-untyped]
 from aiohttp import web
 from servicelib.aiohttp.typing_extension import Handler
-from simcore_service_webserver.products import products_web
 
-from ._authz_web import check_user_authorized
+from ._authz_web import check_user_permission_with_groups
 from .security_web import check_user_permission
 
 
@@ -43,20 +41,9 @@ def group_or_role_permission_required(permission: str):
     def _decorator(handler: Handler):
         @wraps(handler)
         async def _wrapped(request: web.Request):
-            context = {
-                "authorized_uid": await check_user_authorized(request),
-                "product_support_group_id": products_web.get_current_product(
-                    request
-                ).support_standard_group_id,
-            }
-
-            # Check both role-based and group-based permissions
-            if await aiohttp_security.api.permits(request, permission, context):
-                return await handler(request)
-
-            # Neither role nor group permissions granted
-            msg = f"You do not have sufficient access rights for {permission}"
-            raise web.HTTPForbidden(text=msg)
+            await check_user_permission_with_groups(request, permission)
+
+            return await handler(request)
 
         return _wrapped
 
