cleanup permission key

Author: pcrespov

services/web/server/src/simcore_service_webserver/login/decorators.py

@@ -6,7 +6,12 @@
 from servicelib.request_keys import RQT_USERID_KEY
 
 from ..products.api import get_product_name
-from ..security.api import AuthContextDict, check_user_authorized, check_user_permission
+from ..security.api import (
+    PERMISSION_PRODUCT_LOGIN,
+    AuthContextDict,
+    check_user_authorized,
+    check_user_permission,
+)
 
 
 def login_required(handler: HandlerAnyReturn) -> HandlerAnyReturn:
@@ -53,7 +58,7 @@ async def _wrapper(request: web.Request):
 
         await check_user_permission(
             request,
-            "product",
+            PERMISSION_PRODUCT_LOGIN,
             context=AuthContextDict(
                 product_name=get_product_name(request),
                 authorized_uid=user_id,

services/web/server/src/simcore_service_webserver/security/_authz_policy.py

@@ -1,4 +1,5 @@
-""" AUTHoriZation (auth) policy:
+""" AUTHoriZation (auth) policy
+
 """
 
 import contextlib
@@ -23,7 +24,7 @@
     has_access_by_role,
 )
 from ._authz_db import AuthInfoDict, get_active_user_or_none, is_user_in_product_name
-from ._constants import MSG_AUTH_NOT_AVAILABLE
+from ._constants import MSG_AUTH_NOT_AVAILABLE, PERMISSION_PRODUCT_LOGIN_KEY
 from ._identity_api import IdentityStr
 
 _logger = logging.getLogger(__name__)
@@ -132,7 +133,7 @@ async def permits(
         context = context or AuthContextDict()
 
         # product access
-        if permission == "product":
+        if permission == PERMISSION_PRODUCT_LOGIN_KEY:
             product_name = context.get("product_name")
             ok: bool = product_name is not None and await self._has_access_to_product(
                 user_id=auth_info["id"], product_name=product_name

services/web/server/src/simcore_service_webserver/security/_constants.py

@@ -1,3 +1,5 @@
 from typing import Final
 
 MSG_AUTH_NOT_AVAILABLE: Final[str] = "Authentication service is temporary unavailable"
+
+PERMISSION_PRODUCT_LOGIN_KEY: Final[str] = "product.login"

services/web/server/src/simcore_service_webserver/security/api.py

@@ -6,7 +6,6 @@
 NOTE: DO NOT USE aiohttp_security.api directly but use this interface instead
 """
 
-
 import aiohttp_security.api  # type: ignore[import-untyped]
 import passlib.hash
 from aiohttp import web
@@ -64,7 +63,9 @@ async def check_user_permission(
 
     allowed = await aiohttp_security.api.permits(request, permission, context)
     if not allowed:
-        raise web.HTTPForbidden(reason=f"Not sufficient access rights for {permission}")
+        raise web.HTTPForbidden(
+            reason=f"You do not have sufficient access rights for {permission}"
+        )
 
 
 #
@@ -93,5 +94,6 @@ def check_password(password: str, password_hash: str) -> bool:
     "forget_identity",
     "get_access_model",
     "is_anonymous",
+    "PERMISSION_PRODUCT_LOGIN",
     "remember_identity",
 )