✨ users: Implement user account approval functionality with appropriate status code and service logic

Author: pcrespov

api/specs/web-server/_users.py

@@ -160,7 +160,7 @@ async def list_users_for_admin(
 
 @router.post(
     "/admin/users:approve",
-    response_model=Envelope[Page[UserForAdminGet]],
+    status_code=status.HTTP_204_NO_CONTENT,
     tags=_extra_tags,
 )
 async def approve_user_account(_body: UserApprove): ...

services/web/server/src/simcore_service_webserver/security/_authz_access_roles.py

@@ -1,10 +1,9 @@
-""" Defines different user roles and its associated permission
+"""Defines different user roles and its associated permission
 
-    This definition is consumed by the security._access_model to build an access model for the framework
-    The access model is created upon setting up of the security subsystem
+This definition is consumed by the security._access_model to build an access model for the framework
+The access model is created upon setting up of the security subsystem
 """
 
-
 from simcore_postgres_database.models.users import UserRole
 from typing_extensions import (  # https://docs.pydantic.dev/latest/api/standard_library_types/#typeddict
     TypedDict,
@@ -106,6 +105,7 @@ class PermissionDict(TypedDict, total=False):
             "product.details.*",
             "product.invitations.create",
             "admin.users.read",
+            "admin.users.write",
         ],
         inherits=[UserRole.TESTER],
     ),

services/web/server/src/simcore_service_webserver/users/_users_rest.py

@@ -7,6 +7,7 @@
 from models_library.api_schemas_webserver.users import (
     MyProfileGet,
     MyProfilePatch,
+    UserApprove,
     UserForAdminGet,
     UserGet,
     UsersForAdminListQueryParams,
@@ -248,3 +249,25 @@ async def pre_register_user_for_admin(request: web.Request) -> web.Response:
     return envelope_json_response(
         user_profile.model_dump(**_RESPONSE_MODEL_MINIMAL_POLICY)
     )
+
+
+@routes.post(f"/{API_VTAG}/admin/users:approve", name="approve_user_account")
+@login_required
+@permission_required("admin.users.write")
+@_handle_users_exceptions
+async def approve_user_account(request: web.Request) -> web.Response:
+    req_ctx = UsersRequestContext.model_validate(request)
+    assert req_ctx.product_name  # nosec
+
+    approval_data = await parse_request_body_as(UserApprove, request)
+
+    # Approve the user account, passing the current user's ID as the reviewer
+    pre_registration_id = await _users_service.approve_user_account(
+        request.app,
+        pre_registration_email=approval_data.email,
+        product_name=req_ctx.product_name,
+        reviewer_id=req_ctx.user_id,
+    )
+    assert pre_registration_id  # nosec
+
+    return web.json_response(status=status.HTTP_204_NO_CONTENT)

services/web/server/src/simcore_service_webserver/users/_users_service.py

@@ -449,3 +449,53 @@ async def update_my_profile(
         user_id=user_id,
         update=ToUserUpdateDB.from_api(update),
     )
+
+
+async def approve_user_account(
+    app: web.Application,
+    *,
+    pre_registration_email: LowerCaseEmailStr,
+    product_name: ProductName,
+    reviewer_id: UserID,
+) -> int:
+    """Approve a user account based on their pre-registration email.
+
+    Args:
+        app: The web application instance
+        pre_registration_email: Email of the pre-registered user to approve
+        product_name: Product name for which the user is being approved
+        reviewer_id: ID of the user approving the account
+
+    Returns:
+        int: The ID of the approved pre-registration record
+
+    Raises:
+        ValueError: If no pre-registration is found for the email/product
+    """
+    engine = get_asyncpg_engine(app)
+
+    # First, find the pre-registration entry matching the email and product
+    pre_registrations, _ = await _users_repository.list_user_pre_registrations(
+        engine,
+        filter_by_pre_email=pre_registration_email,
+        filter_by_product_name=product_name,
+        filter_by_account_request_status=AccountRequestStatus.PENDING,
+    )
+
+    if not pre_registrations:
+        msg = f"No pending pre-registration found for email {pre_registration_email} in product {product_name}"
+        raise ValueError(msg)
+
+    # There should be only one registration matching these criteria
+    pre_registration = pre_registrations[0]
+    pre_registration_id = pre_registration["id"]
+
+    # Update the pre-registration status to APPROVED using the reviewer's ID
+    await _users_repository.review_user_pre_registration(
+        engine,
+        pre_registration_id=pre_registration_id,
+        reviewed_by=reviewer_id,
+        new_status=AccountRequestStatus.APPROVED,
+    )
+
+    return pre_registration_id

services/web/server/tests/unit/with_dbs/03/test_users_rest_registration.py

@@ -230,12 +230,22 @@ async def test_list_users_for_admin(
     )
     data, _ = await assert_status(resp, status.HTTP_200_OK)
 
-    pending_emails = [user["email"] for user in data if user["status"] == "PENDING"]
+    pending_emails = [user["email"] for user in data if user["status"] is None]
     for pre_user in pre_registered_users:
         assert pre_user["email"] in pending_emails
 
-    # 2. Register one of the pre-registered users
+    # 2. Register one of the pre-registered users: approve + create account
     registered_email = pre_registered_users[0]["email"]
+
+    url = client.app.router["approve_user_account"].url_for()
+    resp = await client.post(
+        f"{url}",
+        headers={X_PRODUCT_NAME_HEADER: product_name},
+        json={"email": registered_email},
+    )
+    await assert_status(resp, status.HTTP_204_NO_CONTENT)
+
+    # Emulates user accepting invitation link
     new_user = await simcore_service_webserver.login._auth_service.create_user(
         client.app,
         email=registered_email,
@@ -246,6 +256,7 @@ async def test_list_users_for_admin(
 
     # 3. Test filtering by status
     # a. Check PENDING filter (should exclude the registered user)
+    url = client.app.router["list_users_for_admin"].url_for()
     resp = await client.get(
         f"{url}?status=PENDING", headers={X_PRODUCT_NAME_HEADER: product_name}
     )