fixes get tag

pcrespov · pcrespov · commit bf8f92226ad3 · 2024-10-02T17:39:46.000+02:00
diff --git a/packages/postgres-database/src/simcore_postgres_database/utils_tags.py b/packages/postgres-database/src/simcore_postgres_database/utils_tags.py
@@ -7,7 +7,7 @@
 
 from .utils_repos import pass_or_acquire_connection, transaction_context
 from .utils_tags_sql import (
-    count_users_with_given_access_rights_stmt,
+    count_groups_with_given_access_rights_stmt,
     create_tag_stmt,
     delete_tag_stmt,
     get_tag_stmt,
@@ -67,7 +67,7 @@ async def access_count(
         Returns >0 if it does and represents the number of groups granting this access to the user
         """
         async with pass_or_acquire_connection(self.engine, connection) as conn:
-            count_stmt = count_users_with_given_access_rights_stmt(
+            count_stmt = count_groups_with_given_access_rights_stmt(
                 user_id=user_id, tag_id=tag_id, read=read, write=write, delete=delete
             )
             permissions_count: int | None = await conn.scalar(count_stmt)
@@ -237,7 +237,7 @@ async def create_access_rights(
         write: bool,
         delete: bool,
     ):
-        ...
+        raise NotImplementedError
 
     async def update_access_rights(
         self,
@@ -250,9 +250,13 @@ async def update_access_rights(
         write: bool,
         delete: bool,
     ):
-        ...
+        raise NotImplementedError
 
     async def delete_access_rights(
-        self, connection: AsyncConnection | None = None, *, user_id: int, tag_id: int
+        self,
+        connection: AsyncConnection | None = None,
+        *,
+        user_id: int,
+        tag_id: int,
     ):
-        ...
+        raise NotImplementedError
diff --git a/packages/postgres-database/src/simcore_postgres_database/utils_tags_sql.py b/packages/postgres-database/src/simcore_postgres_database/utils_tags_sql.py
@@ -54,20 +54,30 @@ def get_tag_stmt(
     user_id: int,
     tag_id: int,
 ):
-    return sa.select(*_TAG_COLUMNS, *_ACCESS_RIGHTS_COLUMNS).select_from(
-        _join_user_to_given_tag(
-            access_condition=tags_access_rights.c.read.is_(True),
-            tag_id=tag_id,  # makes it unique result or None
-            user_id=user_id,
+    return (
+        sa.select(
+            *_TAG_COLUMNS,
+            # aggregation ensures MOST PERMISSIVE policy of access-rights
+            sa.func.bool_or(tags_access_rights.c.read).label("read"),
+            sa.func.bool_or(tags_access_rights.c.write).label("write"),
+            sa.func.bool_or(tags_access_rights.c.delete).label("delete")
+        )
+        .select_from(
+            _join_user_to_given_tag(
+                access_condition=tags_access_rights.c.read.is_(True),
+                tag_id=tag_id,
+                user_id=user_id,
+            )
         )
+        .group_by(tags.c.id)
     )
 
 
 def list_tags_stmt(*, user_id: int):
     return (
         sa.select(
             *_TAG_COLUMNS,
-            # MOST permisive aggregation of access-rights
+            # aggregation ensures MOST PERMISSIVE policy of access-rights
             sa.func.bool_or(tags_access_rights.c.read).label("read"),
             sa.func.bool_or(tags_access_rights.c.write).label("write"),
             sa.func.bool_or(tags_access_rights.c.delete).label("delete")
@@ -87,7 +97,7 @@ def create_tag_stmt(**values):
     return tags.insert().values(**values).returning(*_TAG_COLUMNS)
 
 
-def count_users_with_given_access_rights_stmt(
+def count_groups_with_given_access_rights_stmt(
     *,
     user_id: int,
     tag_id: int,
@@ -96,7 +106,7 @@ def count_users_with_given_access_rights_stmt(
     delete: bool | None
 ):
     """
-    How many users are given EXACTLY these access permissions
+    How many groups (from this user_id) are given EXACTLY these access permissions
     """
     access = []
     if read is not None:
diff --git a/packages/postgres-database/tests/test_utils_tags.py b/packages/postgres-database/tests/test_utils_tags.py
@@ -437,7 +437,7 @@ async def test_tags_repo_list_and_get(
     )
 
 
-async def test_tags_repo_uniquely_list_shared_tags(
+async def test_tags_repo_uniquely_list_or_get_shared_tags(
     asyncpg_engine: AsyncEngine,
     connection: SAConnection,
     user: RowProxy,
@@ -446,7 +446,7 @@ async def test_tags_repo_uniquely_list_shared_tags(
     conn = connection
     tags_repo = TagsRepo(asyncpg_engine)
 
-    # (setup): create a tag and share with group
+    # (1) create a tag which cannot be written
     expected_tag_id = await create_tag(
         conn,
         name="T1",
@@ -457,6 +457,15 @@ async def test_tags_repo_uniquely_list_shared_tags(
         write=False,  # <-- cannot write
         delete=True,
     )
+
+    got = await tags_repo.get(user_id=user.id, tag_id=expected_tag_id)
+    assert got
+    assert got["id"] == expected_tag_id
+    assert got["read"] is True
+    assert got["write"] is False  # <--
+    assert got["delete"] is True
+
+    # (2) share with standard group
     await create_tag_access(
         conn,
         tag_id=expected_tag_id,
@@ -466,18 +475,17 @@ async def test_tags_repo_uniquely_list_shared_tags(
         delete=False,
     )
 
-    # (check) can read
+    # checks that the agregattion is the MOST permisive
+    # checks that user_id has now full access via its primary and its stadard group
     got = await tags_repo.get(user_id=user.id, tag_id=expected_tag_id)
     assert got
-    assert got["write"] is False
+    assert got["id"] == expected_tag_id
+    assert got["read"] is True
+    assert got["write"] is True  # <--
+    assert got["delete"] is True
 
     user_tags = await tags_repo.list_all(user_id=user.id)
-    assert len(user_tags) == 1
-    # checks that the agregattion is the MOST permisive
-    assert user_tags[0]["id"] == expected_tag_id
-    assert user_tags[0]["read"] is True
-    assert user_tags[0]["write"] is True
-    assert user_tags[0]["delete"] is True
+    assert user_tags == [got]
 
 
 async def test_tags_repo_update(
diff --git a/services/web/server/src/simcore_service_webserver/tags/_handlers.py b/services/web/server/src/simcore_service_webserver/tags/_handlers.py
@@ -39,7 +39,7 @@ async def wrapper(request: web.Request) -> web.StreamResponse:
             raise web.HTTPNotFound(reason=f"{exc}") from exc
 
         except TagOperationNotAllowedError as exc:
-            raise web.HTTPUnauthorized(reason=f"{exc}") from exc
+            raise web.HTTPForbidden(reason=f"{exc}") from exc
 
     return wrapper
 
@@ -110,6 +110,11 @@ async def delete_tag(request: web.Request):
     raise web.HTTPNoContent(content_type=MIMETYPE_APPLICATION_JSON)
 
 
+#
+# tags ACCESS RIGHTS is exposed as a sub-resource groups
+#
+
+
 @routes.get(f"/{VTAG}/tags/{{tag_id}}/groups", name="list_tag_groups")
 @login_required
 @permission_required("tag.crud.*")
@@ -123,11 +128,6 @@ async def list_tag_groups(request: web.Request):
     raise NotImplementedError
 
 
-#
-# tags ACCESS RIGHTS is exposed as a sub-resource groups
-#
-
-
 @routes.post(f"/{VTAG}/tags/{{tag_id}}/groups/{{group_id}}", name="create_tag_group")
 @login_required
 @permission_required("tag.crud.*")
