🎨 sharee permission improvement (#5557)

Co-authored-by: Odei Maiz <[email protected]>

Author: matusdrobuliak66

services/static-webserver/client/source/class/osparc/share/CollaboratorsStudy.js

@@ -202,7 +202,7 @@ qx.Class.define("osparc.share.CollaboratorsStudy", {
       Promise.all(promises)
         .then(values => {
           const noAccessible = values.filter(value => value["accessible"] === false);
-          if (noAccessible.length && !osparc.product.Utils.isS4LProduct()) {
+          if (noAccessible.length) {
             const shareePermissions = new osparc.share.ShareePermissions(noAccessible);
             const win = osparc.ui.window.Window.popUpInWindow(shareePermissions, this.tr("Sharee permissions"), 500, 500, "@FontAwesome5Solid/exclamation-triangle/14").set({
               clickAwayClose: false,

services/web/server/src/simcore_service_webserver/garbage_collector/_core_utils.py

@@ -2,10 +2,9 @@
 
 import asyncpg.exceptions
 from aiohttp import web
-from aiopg.sa.result import RowProxy
+from models_library.groups import Group, GroupTypeInModel
 from models_library.users import GroupID, UserID
 from simcore_postgres_database.errors import DatabaseError
-from simcore_postgres_database.models.groups import GroupType
 
 from ..groups.api import get_group_from_gid
 from ..projects.db import APP_PROJECT_DBAPI, ProjectAccessRights
@@ -74,17 +73,17 @@ async def get_new_project_owner_gid(
     standard_groups = {}  # groups of users, multiple users can be part of this
     primary_groups = {}  # each individual user has a unique primary group
     for other_gid in other_users_access_rights:
-        group: RowProxy | None = await get_group_from_gid(app=app, gid=int(other_gid))
+        group: Group | None = await get_group_from_gid(app=app, gid=int(other_gid))
 
         # only process for users and groups with write access right
         if group is None:
             continue
         if access_rights[other_gid]["write"] is not True:
             continue
 
-        if group.type == GroupType.STANDARD:
+        if group.group_type == GroupTypeInModel.STANDARD:
             standard_groups[other_gid] = access_rights[other_gid]
-        elif group.type == GroupType.PRIMARY:
+        elif group.group_type == GroupTypeInModel.PRIMARY:
             primary_groups[other_gid] = access_rights[other_gid]
 
     _logger.debug(

services/web/server/src/simcore_service_webserver/groups/_db.py

@@ -4,6 +4,7 @@
 import sqlalchemy as sa
 from aiopg.sa import SAConnection
 from aiopg.sa.result import ResultProxy, RowProxy
+from models_library.groups import GroupAtDB
 from models_library.users import GroupID, UserID
 from simcore_postgres_database.utils_products import get_or_create_product_group
 from sqlalchemy import and_, literal_column
@@ -386,6 +387,9 @@ async def delete_user_in_group(
     )
 
 
-async def get_group_from_gid(conn: SAConnection, gid: GroupID) -> RowProxy | None:
-    res: ResultProxy = await conn.execute(groups.select().where(groups.c.gid == gid))
-    return await res.first()
+async def get_group_from_gid(conn: SAConnection, gid: GroupID) -> GroupAtDB | None:
+    row: ResultProxy = await conn.execute(groups.select().where(groups.c.gid == gid))
+    result = await row.first()
+    if result:
+        return GroupAtDB.from_orm(result)
+    return None

services/web/server/src/simcore_service_webserver/groups/api.py

@@ -3,6 +3,7 @@
 from aiohttp import web
 from aiopg.sa.result import RowProxy
 from models_library.emails import LowerCaseEmailStr
+from models_library.groups import Group
 from models_library.users import GroupID, UserID
 
 from ..db.plugin import get_database_engine
@@ -181,6 +182,10 @@ async def delete_user_in_group(
         )
 
 
-async def get_group_from_gid(app: web.Application, gid: GroupID) -> RowProxy | None:
+async def get_group_from_gid(app: web.Application, gid: GroupID) -> Group | None:
     async with get_database_engine(app).acquire() as conn:
-        return await _db.get_group_from_gid(conn, gid=gid)
+        group_db = await _db.get_group_from_gid(conn, gid=gid)
+
+    if group_db:
+        return Group.construct(**group_db.dict())
+    return None

services/web/server/src/simcore_service_webserver/projects/_nodes_handlers.py

@@ -19,7 +19,7 @@
     NodeGetUnknown,
     NodeRetrieve,
 )
-from models_library.groups import EVERYONE_GROUP_ID
+from models_library.groups import EVERYONE_GROUP_ID, Group, GroupTypeInModel
 from models_library.projects import Project, ProjectID
 from models_library.projects_nodes import NodeID
 from models_library.projects_nodes_io import NodeIDStr
@@ -50,14 +50,16 @@
     ServiceWasNotFoundError,
 )
 from simcore_postgres_database.models.users import UserRole
+from simcore_service_webserver.groups.exceptions import GroupNotFoundError
 
 from .._meta import API_VTAG as VTAG
 from ..catalog import client as catalog_client
 from ..director_v2 import api as director_v2_api
 from ..dynamic_scheduler import api as dynamic_scheduler_api
+from ..groups.api import get_group_from_gid, list_user_groups
 from ..login.decorators import login_required
 from ..security.decorators import permission_required
-from ..users.api import get_user_role
+from ..users.api import get_user_id_from_gid, get_user_role
 from ..users.exceptions import UserDefaultWalletNotFoundError
 from ..utils_aiohttp import envelope_json_response
 from ..wallets.errors import WalletNotEnoughCreditsError
@@ -88,6 +90,7 @@ async def wrapper(request: web.Request) -> web.StreamResponse:
             NodeNotFoundError,
             UserDefaultWalletNotFoundError,
             DefaultPricingUnitNotFoundError,
+            GroupNotFoundError,
         ) as exc:
             raise web.HTTPNotFound(reason=f"{exc}") from exc
         except WalletNotEnoughCreditsError as exc:
@@ -469,23 +472,54 @@ async def get_project_services_access_for_gid(request: web.Request) -> web.Respo
         ]
     )
 
+    # Initialize groups to compare with everyone group ID
+    groups_to_compare = {EVERYONE_GROUP_ID}
+
+    # Get the group from the provided group ID
+    _sharing_with_group: Group | None = await get_group_from_gid(
+        app=request.app, gid=query_params.for_gid
+    )
+
+    # Check if the group exists
+    if _sharing_with_group is None:
+        raise GroupNotFoundError(gid=query_params.for_gid)
+
+    # Update groups to compare based on the type of sharing group
+    if _sharing_with_group.group_type == GroupTypeInModel.PRIMARY:
+        _user_id = await get_user_id_from_gid(
+            app=request.app, primary_gid=query_params.for_gid
+        )
+        _, _user_groups, _ = await list_user_groups(app=request.app, user_id=_user_id)
+        groups_to_compare.update({int(item.get("gid")) for item in _user_groups})
+        groups_to_compare.add(query_params.for_gid)
+    elif _sharing_with_group.group_type == GroupTypeInModel.STANDARD:
+        groups_to_compare = {query_params.for_gid}
+
+    # Initialize a list for inaccessible services
     inaccessible_services = []
+
+    # Check accessibility of each service
     for service in project_services_access_rights:
         service_access_rights = service.gids_with_access_rights
 
-        # Ignore services shared with everyone
-        if service_access_rights.get(EVERYONE_GROUP_ID):
-            continue
-
-        # Check if service is accessible to the provided group
-        service_access_rights_for_gid = service_access_rights.get(
-            query_params.for_gid, {}
+        # Find common groups between service access rights and groups to compare
+        _groups_intersection = set(service_access_rights.keys()).intersection(
+            groups_to_compare
         )
 
-        if (
-            not service_access_rights_for_gid
-            or service_access_rights_for_gid.get("execute_access", False) is False
-        ):
+        _is_service_accessible = False
+
+        # Iterate through common groups
+        for group in _groups_intersection:
+            service_access_rights_for_gid = service_access_rights.get(group)
+            assert service_access_rights_for_gid is not None  # nosec
+            # Check if execute access is granted for the group
+            if service_access_rights_for_gid.get("execute_access", False):
+                _is_service_accessible = True
+                break
+
+        # If service is not accessible, add it to the list of inaccessible services
+        if not _is_service_accessible:
             inaccessible_services.append(service)
 
     project_accessible = not inaccessible_services

services/web/server/tests/unit/with_dbs/02/test_projects_nodes_handlers__services_access.py

@@ -95,13 +95,14 @@ def mock_catalog_api_get_service_access_rights_response(mocker: MockerFixture):
 async def test_user_role_access(
     client: TestClient,
     user_project: ProjectDict,
+    logged_user: dict,
     expected: HTTPStatus,
     mock_catalog_api_get_service_access_rights_response,
 ):
     assert client.app
 
     project_id = user_project["uuid"]
-    for_gid = 3
+    for_gid = logged_user["primary_gid"]
 
     expected_url = client.app.router["get_project_services_access_for_gid"].url_for(
         project_id=project_id
@@ -119,7 +120,10 @@ async def test_user_role_access(
 
 @pytest.mark.parametrize("user_role", [UserRole.USER])
 async def test_accessible_thanks_to_everyone_group_id(
-    client: TestClient, user_project: ProjectDict, mocker: MockerFixture
+    client: TestClient,
+    user_project: ProjectDict,
+    mocker: MockerFixture,
+    logged_user: dict,
 ):
     mocker.patch(
         "simcore_service_webserver.projects._nodes_handlers.catalog_client.get_service_access_rights",
@@ -152,7 +156,7 @@ async def test_accessible_thanks_to_everyone_group_id(
     assert client.app
 
     project_id = user_project["uuid"]
-    for_gid = 3
+    for_gid = logged_user["primary_gid"]
 
     expected_url = client.app.router["get_project_services_access_for_gid"].url_for(
         project_id=project_id
@@ -169,8 +173,13 @@ async def test_accessible_thanks_to_everyone_group_id(
 
 @pytest.mark.parametrize("user_role", [UserRole.USER])
 async def test_accessible_thanks_to_concrete_group_id(
-    client: TestClient, user_project: ProjectDict, mocker: MockerFixture
+    client: TestClient,
+    user_project: ProjectDict,
+    mocker: MockerFixture,
+    logged_user: dict,
 ):
+    for_gid = logged_user["primary_gid"]
+
     mocker.patch(
         "simcore_service_webserver.projects._nodes_handlers.catalog_client.get_service_access_rights",
         spec=True,
@@ -179,7 +188,7 @@ async def test_accessible_thanks_to_concrete_group_id(
                 service_key="simcore/services/comp/itis/sleeper",
                 service_version="2.1.4",
                 gids_with_access_rights={
-                    3: {"execute_access": True},
+                    for_gid: {"execute_access": True},
                     5: {"execute_access": True},
                 },
             ),
@@ -193,15 +202,14 @@ async def test_accessible_thanks_to_concrete_group_id(
             ServiceAccessRightsGet(
                 service_key="simcore/services/comp/itis/sleeper",
                 service_version="2.1.5",
-                gids_with_access_rights={3: {"execute_access": True}},
+                gids_with_access_rights={for_gid: {"execute_access": True}},
             ),
         ],
     )
 
     assert client.app
 
     project_id = user_project["uuid"]
-    for_gid = 3
 
     expected_url = client.app.router["get_project_services_access_for_gid"].url_for(
         project_id=project_id
@@ -218,8 +226,13 @@ async def test_accessible_thanks_to_concrete_group_id(
 
 @pytest.mark.parametrize("user_role", [UserRole.USER])
 async def test_not_accessible_for_one_service(
-    client: TestClient, user_project: ProjectDict, mocker: MockerFixture
+    client: TestClient,
+    user_project: ProjectDict,
+    mocker: MockerFixture,
+    logged_user: dict,
 ):
+    for_gid = logged_user["primary_gid"]
+
     mocker.patch(
         "simcore_service_webserver.projects._nodes_handlers.catalog_client.get_service_access_rights",
         spec=True,
@@ -236,22 +249,21 @@ async def test_not_accessible_for_one_service(
                 service_key="simcore/services/frontend/parameter/integer",
                 service_version="1.0.0",
                 gids_with_access_rights={
-                    3: {"execute_access": True},
+                    for_gid: {"execute_access": True},
                     2: {"execute_access": True},
                 },
             ),
             ServiceAccessRightsGet(
                 service_key="simcore/services/comp/itis/sleeper",
                 service_version="2.1.5",
-                gids_with_access_rights={3: {"execute_access": True}},
+                gids_with_access_rights={for_gid: {"execute_access": True}},
             ),
         ],
     )
 
     assert client.app
 
     project_id = user_project["uuid"]
-    for_gid = 3
 
     expected_url = client.app.router["get_project_services_access_for_gid"].url_for(
         project_id=project_id
@@ -274,7 +286,10 @@ async def test_not_accessible_for_one_service(
 
 @pytest.mark.parametrize("user_role", [UserRole.USER])
 async def test_not_accessible_for_more_services(
-    client: TestClient, user_project: ProjectDict, mocker: MockerFixture
+    client: TestClient,
+    user_project: ProjectDict,
+    mocker: MockerFixture,
+    logged_user: dict,
 ):
     mocker.patch(
         "simcore_service_webserver.projects._nodes_handlers.catalog_client.get_service_access_rights",
@@ -310,7 +325,7 @@ async def test_not_accessible_for_more_services(
     assert client.app
 
     project_id = user_project["uuid"]
-    for_gid = 3
+    for_gid = logged_user["primary_gid"]
 
     expected_url = client.app.router["get_project_services_access_for_gid"].url_for(
         project_id=project_id
@@ -335,34 +350,40 @@ async def test_not_accessible_for_more_services(
 
 @pytest.mark.parametrize("user_role", [UserRole.USER])
 async def test_not_accessible_for_service_because_of_execute_access_false(
-    client: TestClient, user_project: ProjectDict, mocker: MockerFixture
+    client: TestClient,
+    user_project: ProjectDict,
+    mocker: MockerFixture,
+    logged_user: dict,
 ):
+    for_gid = logged_user["primary_gid"]
+
     mocker.patch(
         "simcore_service_webserver.projects._nodes_handlers.catalog_client.get_service_access_rights",
         spec=True,
         side_effect=[
             ServiceAccessRightsGet(
                 service_key="simcore/services/comp/itis/sleeper",
                 service_version="2.1.4",
-                gids_with_access_rights={3: {"execute_access": False}},  # <-- FALSE
+                gids_with_access_rights={
+                    for_gid: {"execute_access": False}
+                },  # <-- FALSE
             ),
             ServiceAccessRightsGet(
                 service_key="simcore/services/frontend/parameter/integer",
                 service_version="1.0.0",
-                gids_with_access_rights={3: {"execute_access": True}},
+                gids_with_access_rights={for_gid: {"execute_access": True}},
             ),
             ServiceAccessRightsGet(
                 service_key="simcore/services/comp/itis/sleeper",
                 service_version="2.1.5",
-                gids_with_access_rights={3: {"execute_access": True}},
+                gids_with_access_rights={for_gid: {"execute_access": True}},
             ),
         ],
     )
 
     assert client.app
 
     project_id = user_project["uuid"]
-    for_gid = 3
 
     expected_url = client.app.router["get_project_services_access_for_gid"].url_for(
         project_id=project_id