Add users to Collection view model

sallybg · sallybg · commit 24476d5ca661 · 2024-12-06T12:41:54.000-08:00
Only collection admins can see all collection contributors.
Collection viewers and editors can only see a list of collection admins.
The rationale is that collection viewers and editors may want to
contact a collection admin, but do not need to know who other editors
or viewers of the collection are.
diff --git a/src/mavedb/routers/collections.py b/src/mavedb/routers/collections.py
@@ -60,14 +60,27 @@ def list_my_collections(
             .scalars()
             .all()
         )
-        # filter score sets and experiments based on user permissions
+
         for item in collection_bundle[role.value]:
+            # filter score sets and experiments based on user permissions
             item.score_sets = [
                 score_set for score_set in item.score_sets if has_permission(user_data, score_set, Action.READ)
             ]
             item.experiments = [
                 experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
             ]
+            # unless user is admin of this collection, filter users to only admins
+            # the rationale is that all collection contributors should be able to see admins
+            # to know who to contact, but only collection admins should be able to see viewers and editors
+            if role in (ContributionRole.viewer, ContributionRole.editor):
+                admins = []
+                for user_assoc in item.user_associations:
+                    if user_assoc.contribution_role == ContributionRole.admin:
+                        admin = user_assoc.user
+                        # role must be set in order to assign users to collection
+                        setattr(admin, "role", ContributionRole.admin)
+                        admins.append(admin)
+                item.users = admins
 
     return collection_bundle
 
@@ -101,6 +114,20 @@ def fetch_collection(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # unless user is admin of this collection, filter users to only admins
+    # the rationale is that all collection contributors should be able to see admins
+    # to know who to contact, but only collection admins should be able to see viewers and editors
+    # TODO either create permissions action for this or look up user's role outside of the permissions module
+    # for now, just assume that if user has permission to add role, they are a collection admin
+    if not has_permission(user_data, item, Action.ADD_ROLE):
+        admins = []
+        for user_assoc in item.user_associations:
+            if user_assoc.contribution_role == ContributionRole.admin:
+                admin = user_assoc.user
+                # role must be set in order to assign users to collection
+                setattr(admin, "role", ContributionRole.admin)
+                admins.append(admin)
+        item.users = admins
 
     return item
 
@@ -270,6 +297,20 @@ async def update_collection(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # unless user is admin of this collection, filter users to only admins
+    # the rationale is that all collection contributors should be able to see admins
+    # to know who to contact, but only collection admins should be able to see viewers and editors
+    # TODO either create permissions action for this or look up user's role outside of the permissions module
+    # for now, just assume that if user has permission to add role, they are a collection admin
+    if not has_permission(user_data, item, Action.ADD_ROLE):
+        admins = []
+        for user_assoc in item.user_associations:
+            if user_assoc.contribution_role == ContributionRole.admin:
+                admin = user_assoc.user
+                # role must be set in order to assign users to collection
+                setattr(admin, "role", ContributionRole.admin)
+                admins.append(admin)
+        item.users = admins
 
     return item
 
@@ -325,6 +366,20 @@ async def add_score_set_to_collection(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # unless user is admin of this collection, filter users to only admins
+    # the rationale is that all collection contributors should be able to see admins
+    # to know who to contact, but only collection admins should be able to see viewers and editors
+    # TODO either create permissions action for this or look up user's role outside of the permissions module
+    # for now, just assume that if user has permission to add role, they are a collection admin
+    if not has_permission(user_data, item, Action.ADD_ROLE):
+        admins = []
+        for user_assoc in item.user_associations:
+            if user_assoc.contribution_role == ContributionRole.admin:
+                admin = user_assoc.user
+                # role must be set in order to assign users to collection
+                setattr(admin, "role", ContributionRole.admin)
+                admins.append(admin)
+        item.users = admins
 
     return item
 
@@ -390,6 +445,20 @@ async def delete_score_set_from_collection(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # unless user is admin of this collection, filter users to only admins
+    # the rationale is that all collection contributors should be able to see admins
+    # to know who to contact, but only collection admins should be able to see viewers and editors
+    # TODO either create permissions action for this or look up user's role outside of the permissions module
+    # for now, just assume that if user has permission to add role, they are a collection admin
+    if not has_permission(user_data, item, Action.ADD_ROLE):
+        admins = []
+        for user_assoc in item.user_associations:
+            if user_assoc.contribution_role == ContributionRole.admin:
+                admin = user_assoc.user
+                # role must be set in order to assign users to collection
+                setattr(admin, "role", ContributionRole.admin)
+                admins.append(admin)
+        item.users = admins
 
     return item
 
@@ -445,6 +514,20 @@ async def add_experiment_to_collection(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # unless user is admin of this collection, filter users to only admins
+    # the rationale is that all collection contributors should be able to see admins
+    # to know who to contact, but only collection admins should be able to see viewers and editors
+    # TODO either create permissions action for this or look up user's role outside of the permissions module
+    # for now, just assume that if user has permission to add role, they are a collection admin
+    if not has_permission(user_data, item, Action.ADD_ROLE):
+        admins = []
+        for user_assoc in item.user_associations:
+            if user_assoc.contribution_role == ContributionRole.admin:
+                admin = user_assoc.user
+                # role must be set in order to assign users to collection
+                setattr(admin, "role", ContributionRole.admin)
+                admins.append(admin)
+        item.users = admins
 
     return item
 
@@ -508,6 +591,20 @@ async def delete_experiment_from_collection(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # unless user is admin of this collection, filter users to only admins
+    # the rationale is that all collection contributors should be able to see admins
+    # to know who to contact, but only collection admins should be able to see viewers and editors
+    # TODO either create permissions action for this or look up user's role outside of the permissions module
+    # for now, just assume that if user has permission to add role, they are a collection admin
+    if not has_permission(user_data, item, Action.ADD_ROLE):
+        admins = []
+        for user_assoc in item.user_associations:
+            if user_assoc.contribution_role == ContributionRole.admin:
+                admin = user_assoc.user
+                # role must be set in order to assign users to collection
+                setattr(admin, "role", ContributionRole.admin)
+                admins.append(admin)
+        item.users = admins
 
     return item
 
@@ -594,6 +691,8 @@ async def add_user_to_collection_role(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # TODO only collection admins can get to this point in the function, so shouldn't need to filter out
+    # viewers and editors before returning item, but should check with others
 
     return item
 
@@ -669,6 +768,8 @@ async def remove_user_from_collection_role(
     item.experiments = [
         experiment for experiment in item.experiments if has_permission(user_data, experiment, Action.READ)
     ]
+    # TODO only collection admins can get to this point in the function, so shouldn't need to filter out
+    # viewers and editors before returning item, but should check with others
 
     return item
 
diff --git a/src/mavedb/view_models/__init__.py b/src/mavedb/view_models/__init__.py
@@ -43,6 +43,6 @@ def get(self, key: Any, default: Any = ...) -> Any:
         # The standard is to name properties as the plural of the enum value
         if key[:-1] in ContributionRole._member_map_:
             user_assc = getattr(self._obj, "user_associations")
-            return [user.user for user in user_assc if key[:-1] == user_assc.role.name]
+            return [user.user for user in user_assc if key[:-1] == user.contribution_role.name]
         else:
             return super().get(key, default)
diff --git a/src/mavedb/view_models/collection.py b/src/mavedb/view_models/collection.py
@@ -17,7 +17,7 @@ def get(self, key: Any, default: Any = ...) -> Any:
             return sorted([score_set.urn for score_set in score_sets if score_set.superseding_score_set is None])
         elif key == "experiment_urns":
             experiments = getattr(self._obj, "experiments") or []
-            return [experiment.urn for experiment in experiments]
+            return sorted([experiment.urn for experiment in experiments])
         else:
             return super().get(key, default)
 
@@ -69,14 +69,17 @@ class Config:
 
 
 # Properties to return to non-admin clients
+# NOTE: Coupled to ContributionRole enum
 class Collection(SavedCollection):
     experiment_urns: list[str]
     score_set_urns: list[str]
+    admins: list[User]
+    viewers: list[User]
+    editors: list[User]
 
 
-# Properties to return to admin clients
+# Properties to return to admin clients or non-admin clients who are admins of the returned collection
 # NOTE: Coupled to ContributionRole enum
+# TODO should MaveDB admins get AdminUsers instead of Users?
 class AdminCollection(Collection):
-    viewers: list[User]
-    editors: list[User]
-    admins: list[User]
+    pass
