Merge pull request #374 from VariantEffect/feature/bencap/288/data-collections

Data collections

Author: bencap

alembic/versions/c404b6719110_collections_data_model.py

@@ -0,0 +1,117 @@
+"""Collections data model
+
+Revision ID: c404b6719110
+Revises: 2b6f40ea2fb6
+Create Date: 2024-10-15 12:57:29.682271
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = "c404b6719110"
+down_revision = "2b6f40ea2fb6"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "collections",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("urn", sa.String(length=64), nullable=True),
+        sa.Column("private", sa.Boolean(), nullable=False),
+        sa.Column("name", sa.String(), nullable=False),
+        sa.Column("badge_name", sa.String(), nullable=True),
+        sa.Column("description", sa.String(), nullable=True),
+        sa.Column("created_by_id", sa.Integer(), nullable=True),
+        sa.Column("modified_by_id", sa.Integer(), nullable=True),
+        sa.Column("creation_date", sa.Date(), nullable=False),
+        sa.Column("modification_date", sa.Date(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["created_by_id"],
+            ["users.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["modified_by_id"],
+            ["users.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(op.f("ix_collections_created_by_id"), "collections", ["created_by_id"], unique=False)
+    op.create_index(op.f("ix_collections_modified_by_id"), "collections", ["modified_by_id"], unique=False)
+    op.create_index(op.f("ix_collections_urn"), "collections", ["urn"], unique=True)
+
+    op.create_table(
+        "collection_user_associations",
+        sa.Column("collection_id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column(
+            "contribution_role",
+            sa.Enum(
+                "admin",
+                "editor",
+                "viewer",
+                name="contributionrole",
+                native_enum=False,
+                create_constraint=True,
+                length=32,
+            ),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["collection_id"],
+            ["collections.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+        ),
+        sa.PrimaryKeyConstraint("collection_id", "user_id"),
+    )
+
+    op.create_table(
+        "collection_experiments",
+        sa.Column("collection_id", sa.Integer(), nullable=False),
+        sa.Column("experiment_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["collection_id"],
+            ["collections.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["experiment_id"],
+            ["experiments.id"],
+        ),
+        sa.PrimaryKeyConstraint("collection_id", "experiment_id"),
+    )
+
+    op.create_table(
+        "collection_score_sets",
+        sa.Column("collection_id", sa.Integer(), nullable=False),
+        sa.Column("score_set_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["collection_id"],
+            ["collections.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["score_set_id"],
+            ["scoresets.id"],
+        ),
+        sa.PrimaryKeyConstraint("collection_id", "score_set_id"),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("collection_score_sets")
+    op.drop_table("collection_experiments")
+    op.drop_table("collection_user_associations")
+    op.drop_index(op.f("ix_collections_urn"), table_name="collections")
+    op.drop_index(op.f("ix_collections_modified_by_id"), table_name="collections")
+    op.drop_index(op.f("ix_collections_created_by_id"), table_name="collections")
+    op.drop_table("collections")
+    # ### end Alembic commands ###

src/mavedb/lib/experiments.py

@@ -8,7 +8,9 @@
 from mavedb.models.contributor import Contributor
 from mavedb.models.controlled_keyword import ControlledKeyword
 from mavedb.models.experiment import Experiment
-from mavedb.models.experiment_controlled_keyword import ExperimentControlledKeywordAssociation
+from mavedb.models.experiment_controlled_keyword import (
+    ExperimentControlledKeywordAssociation,
+)
 from mavedb.models.publication_identifier import PublicationIdentifier
 from mavedb.models.score_set import ScoreSet
 from mavedb.models.user import User
@@ -117,6 +119,9 @@ def search_experiments(
         items = []
 
     save_to_logging_context({"matching_resources": len(items)})
-    logger.debug(msg="Experiment search yielded {len(items)} matching resources.", extra=logging_context())
+    logger.debug(
+        msg="Experiment search yielded {len(items)} matching resources.",
+        extra=logging_context(),
+    )
 
     return items

src/mavedb/lib/permissions.py

@@ -5,6 +5,8 @@
 from mavedb.db.base import Base
 from mavedb.lib.authentication import UserData
 from mavedb.lib.logging.context import logging_context, save_to_logging_context
+from mavedb.models.collection import Collection
+from mavedb.models.enums.contribution_role import ContributionRole
 from mavedb.models.enums.user_role import UserRole
 from mavedb.models.experiment import Experiment
 from mavedb.models.experiment_set import ExperimentSet
@@ -15,6 +17,7 @@
 
 
 class Action(Enum):
+    LOOKUP = "lookup"
     READ = "read"
     UPDATE = "update"
     DELETE = "delete"
@@ -23,6 +26,7 @@ class Action(Enum):
     SET_SCORES = "set_scores"
     ADD_ROLE = "add_role"
     PUBLISH = "publish"
+    ADD_BADGE = "add_badge"
 
 
 class PermissionResponse:
@@ -33,9 +37,15 @@ def __init__(self, permitted: bool, http_code: int = 403, message: Optional[str]
 
         save_to_logging_context({"permission_message": self.message, "access_permitted": self.permitted})
         if self.permitted:
-            logger.debug(msg="Access to the requested resource is permitted.", extra=logging_context())
+            logger.debug(
+                msg="Access to the requested resource is permitted.",
+                extra=logging_context(),
+            )
         else:
-            logger.debug(msg="Access to the requested resource is not permitted.", extra=logging_context())
+            logger.debug(
+                msg="Access to the requested resource is not permitted.",
+                extra=logging_context(),
+            )
 
 
 class PermissionException(Exception):
@@ -59,6 +69,7 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
     user_is_owner = False
     user_is_self = False
     user_may_edit = False
+    user_may_view_private = False
     active_roles = user_data.active_roles if user_data else []
 
     if isinstance(item, ExperimentSet) or isinstance(item, Experiment) or isinstance(item, ScoreSet):
@@ -72,6 +83,27 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 
         save_to_logging_context({"resource_is_published": published})
 
+    if isinstance(item, Collection):
+        assert item.private is not None
+        private = item.private
+        published = item.private is False
+        user_is_owner = item.created_by_id == user_data.user.id if user_data is not None else False
+        admin_user_ids = set()
+        editor_user_ids = set()
+        viewer_user_ids = set()
+        for user_association in item.user_associations:
+            if user_association.contribution_role == ContributionRole.admin:
+                admin_user_ids.add(user_association.user_id)
+            elif user_association.contribution_role == ContributionRole.editor:
+                editor_user_ids.add(user_association.user_id)
+            elif user_association.contribution_role == ContributionRole.viewer:
+                viewer_user_ids.add(user_association.user_id)
+        user_is_admin = user_is_owner or (user_data is not None and user_data.user.id in admin_user_ids)
+        user_may_edit = user_is_admin or (user_data is not None and user_data.user.id in editor_user_ids)
+        user_may_view_private = user_may_edit or (user_data is not None and (user_data.user.id in viewer_user_ids))
+
+        save_to_logging_context({"resource_is_published": published})
+
     if isinstance(item, User):
         user_is_self = item.id == user_data.user.id if user_data is not None else False
         user_may_edit = user_is_self
@@ -254,7 +286,109 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
         else:
             raise NotImplementedError(f"has_permission(User, ScoreSet, {action}, Role)")
 
+    elif isinstance(item, Collection):
+        if action == Action.READ:
+            if user_may_view_private or not private:
+                return PermissionResponse(True)
+            # Roles which may perform this operation.
+            elif roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            elif user_data is None or user_data.user is None:
+                return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        elif action == Action.UPDATE:
+            if user_may_edit:
+                return PermissionResponse(True)
+            # Roles which may perform this operation.
+            elif roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"score set with URN '{item.urn}' not found")
+            elif user_data is None or user_data.user is None:
+                return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        elif action == Action.DELETE:
+            # A collection may be deleted even if it has been published, as long as it is not an official collection.
+            if user_is_owner:
+                return PermissionResponse(
+                    not item.badge_name,
+                    403,
+                    f"insufficient permissions for URN '{item.urn}'",
+                )
+            # MaveDB admins may delete official collections.
+            elif roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            else:
+                return PermissionResponse(False)
+        elif action == Action.PUBLISH:
+            if user_is_admin:
+                return PermissionResponse(True)
+            elif roles_permitted(active_roles, []):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"score set with URN '{item.urn}' not found")
+            else:
+                return PermissionResponse(False)
+        elif action == Action.ADD_SCORE_SET:
+            # Whether the collection is private or public, only permitted users can add a score set to a collection.
+            if user_may_edit or roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        elif action == Action.ADD_EXPERIMENT:
+            # Only permitted users can add an experiment to an existing collection.
+            return PermissionResponse(
+                user_may_edit or roles_permitted(active_roles, [UserRole.admin]),
+                404 if private and not user_may_view_private else 403,
+                (
+                    f"collection with URN '{item.urn}' not found"
+                    if private and not user_may_view_private
+                    else f"insufficient permissions for URN '{item.urn}'"
+                ),
+            )
+        elif action == Action.ADD_ROLE:
+            # Both collection admins and MaveDB admins can add a user to a collection role
+            if user_is_admin or roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            else:
+                return PermissionResponse(False, 403, "Insufficient permissions to add user role.")
+        # only MaveDB admins may add a badge name to a collection, which makes the collection considered "official"
+        elif action == Action.ADD_BADGE:
+            # Roles which may perform this operation.
+            if roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            elif user_data is None or user_data.user is None:
+                return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        else:
+            raise NotImplementedError(f"has_permission(User, ScoreSet, {action}, Role)")
+
     elif isinstance(item, User):
+        if action == Action.LOOKUP:
+            # any existing user can look up any mavedb user by Orcid ID
+            # lookup differs from read because lookup means getting the first name, last name, and orcid ID of the user,
+            # while read means getting an admin view of the user's details
+            if user_data is not None and user_data.user is not None:
+                return PermissionResponse(True)
+            else:
+                # TODO is this inappropriately acknowledging the existence of the user?
+                return PermissionResponse(False, 401, "Insufficient permissions for user lookup.")
         if action == Action.READ:
             if user_is_self:
                 return PermissionResponse(True)

src/mavedb/lib/urns.py

@@ -1,6 +1,7 @@
 import logging
 import re
 import string
+from uuid import uuid4
 
 from sqlalchemy import func
 from sqlalchemy.orm import Session
@@ -130,3 +131,14 @@ def generate_score_set_urn(db: Session, experiment: Experiment):
                 max_suffix_number = suffix_number
     next_suffix_number = max_suffix_number + 1
     return f"{experiment_urn}-{next_suffix_number}"
+
+
+def generate_collection_urn():
+    """
+    Generate a new URN for a collection.
+
+    Collection URNs include a 16-digit UUID.
+
+    :return: A new collection URN
+    """
+    return f"urn:mavedb:collection-{uuid4()}"

src/mavedb/lib/validation/urn_re.py

@@ -24,6 +24,10 @@
 MAVEDB_VARIANT_URN_PATTERN = rf"{MAVEDB_SCORE_SET_URN_PATTERN}#[1-9]\d*"
 MAVEDB_VARIANT_URN_RE = re.compile(MAVEDB_VARIANT_URN_PATTERN)
 
+# Collection URN
+MAVEDB_COLLECTION_URN_PATTERN = r"urn:mavedb:collection-[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"
+MAVEDB_COLLECTION_URN_RE = re.compile(MAVEDB_COLLECTION_URN_PATTERN)
+
 # Any URN
 MAVEDB_ANY_URN_PATTERN = "|".join(
     [

src/mavedb/models/__init__.py

@@ -1,5 +1,6 @@
 __all__ = [
     "access_key",
+    "collection",
     "controlled_keyword",
     "doi_identifier",
     "ensembl_identifier",