VariantEffect · bencap · Feb 25, 2025 · Dec 5, 2024 · Dec 13, 2024 · Dec 13, 2024
diff --git a/alembic/versions/aa73d39b3705_score_set_level_score_thresholds.py b/alembic/versions/aa73d39b3705_score_set_level_score_thresholds.py
@@ -0,0 +1,29 @@
+"""score set level score thresholds
+
+Revision ID: aa73d39b3705
+Revises: 68a0ec57694e
+Create Date: 2024-11-13 11:23:57.917725
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+from sqlalchemy.dialects import postgresql
+
+# revision identifiers, used by Alembic.
+revision = "aa73d39b3705"
+down_revision = "68a0ec57694e"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.add_column("scoresets", sa.Column("score_calibrations", postgresql.JSONB(astext_type=sa.Text()), nullable=True))
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_column("scoresets", "score_calibrations")
+    # ### end Alembic commands ###
diff --git a/alembic/versions/c404b6719110_collections_data_model.py b/alembic/versions/c404b6719110_collections_data_model.py
@@ -0,0 +1,117 @@
+"""Collections data model
+
+Revision ID: c404b6719110
+Revises: aa73d39b3705
+Create Date: 2024-10-15 12:57:29.682271
+
+"""
+
+from alembic import op
+import sqlalchemy as sa
+
+
+# revision identifiers, used by Alembic.
+revision = "c404b6719110"
+down_revision = "aa73d39b3705"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.create_table(
+        "collections",
+        sa.Column("id", sa.Integer(), nullable=False),
+        sa.Column("urn", sa.String(length=64), nullable=True),
+        sa.Column("private", sa.Boolean(), nullable=False),
+        sa.Column("name", sa.String(), nullable=False),
+        sa.Column("badge_name", sa.String(), nullable=True),
+        sa.Column("description", sa.String(), nullable=True),
+        sa.Column("created_by_id", sa.Integer(), nullable=True),
+        sa.Column("modified_by_id", sa.Integer(), nullable=True),
+        sa.Column("creation_date", sa.Date(), nullable=False),
+        sa.Column("modification_date", sa.Date(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["created_by_id"],
+            ["users.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["modified_by_id"],
+            ["users.id"],
+        ),
+        sa.PrimaryKeyConstraint("id"),
+    )
+    op.create_index(op.f("ix_collections_created_by_id"), "collections", ["created_by_id"], unique=False)
+    op.create_index(op.f("ix_collections_modified_by_id"), "collections", ["modified_by_id"], unique=False)
+    op.create_index(op.f("ix_collections_urn"), "collections", ["urn"], unique=True)
+
+    op.create_table(
+        "collection_user_associations",
+        sa.Column("collection_id", sa.Integer(), nullable=False),
+        sa.Column("user_id", sa.Integer(), nullable=False),
+        sa.Column(
+            "contribution_role",
+            sa.Enum(
+                "admin",
+                "editor",
+                "viewer",
+                name="contributionrole",
+                native_enum=False,
+                create_constraint=True,
+                length=32,
+            ),
+            nullable=False,
+        ),
+        sa.ForeignKeyConstraint(
+            ["collection_id"],
+            ["collections.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["user_id"],
+            ["users.id"],
+        ),
+        sa.PrimaryKeyConstraint("collection_id", "user_id"),
+    )
+
+    op.create_table(
+        "collection_experiments",
+        sa.Column("collection_id", sa.Integer(), nullable=False),
+        sa.Column("experiment_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["collection_id"],
+            ["collections.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["experiment_id"],
+            ["experiments.id"],
+        ),
+        sa.PrimaryKeyConstraint("collection_id", "experiment_id"),
+    )
+
+    op.create_table(
+        "collection_score_sets",
+        sa.Column("collection_id", sa.Integer(), nullable=False),
+        sa.Column("score_set_id", sa.Integer(), nullable=False),
+        sa.ForeignKeyConstraint(
+            ["collection_id"],
+            ["collections.id"],
+        ),
+        sa.ForeignKeyConstraint(
+            ["score_set_id"],
+            ["scoresets.id"],
+        ),
+        sa.PrimaryKeyConstraint("collection_id", "score_set_id"),
+    )
+    # ### end Alembic commands ###
+
+
+def downgrade():
+    # ### commands auto generated by Alembic - please adjust! ###
+    op.drop_table("collection_score_sets")
+    op.drop_table("collection_experiments")
+    op.drop_table("collection_user_associations")
+    op.drop_index(op.f("ix_collections_urn"), table_name="collections")
+    op.drop_index(op.f("ix_collections_modified_by_id"), table_name="collections")
+    op.drop_index(op.f("ix_collections_created_by_id"), table_name="collections")
+    op.drop_table("collections")
+    # ### end Alembic commands ###
diff --git a/pyproject.toml b/pyproject.toml
@@ -4,7 +4,7 @@ build-backend = "poetry.core.masonry.api"
 
 [tool.poetry]
 name = "mavedb"
-version = "2025.0.0"
+version = "2025.1.0"
 description = "API for MaveDB, the database of Multiplexed Assays of Variant Effect."
 license = "AGPL-3.0-only"
 readme = "README.md"

diff --git a/src/mavedb/__init__.py b/src/mavedb/__init__.py
@@ -6,6 +6,6 @@
 logger = module_logging.getLogger(__name__)
 
 __project__ = "mavedb-api"
-__version__ = "2025.0.0"
+__version__ = "2025.1.0"
 
 logger.info(f"MaveDB {__version__}")
diff --git a/src/mavedb/lib/experiments.py b/src/mavedb/lib/experiments.py
@@ -8,7 +8,9 @@
 from mavedb.models.contributor import Contributor
 from mavedb.models.controlled_keyword import ControlledKeyword
 from mavedb.models.experiment import Experiment
-from mavedb.models.experiment_controlled_keyword import ExperimentControlledKeywordAssociation
+from mavedb.models.experiment_controlled_keyword import (
+    ExperimentControlledKeywordAssociation,
+)
 from mavedb.models.publication_identifier import PublicationIdentifier
 from mavedb.models.score_set import ScoreSet
 from mavedb.models.user import User
@@ -117,6 +119,9 @@ def search_experiments(
         items = []
 
     save_to_logging_context({"matching_resources": len(items)})
-    logger.debug(msg="Experiment search yielded {len(items)} matching resources.", extra=logging_context())
+    logger.debug(
+        msg="Experiment search yielded {len(items)} matching resources.",
+        extra=logging_context(),
+    )
 
     return items
diff --git a/src/mavedb/lib/permissions.py b/src/mavedb/lib/permissions.py
@@ -5,6 +5,8 @@
 from mavedb.db.base import Base
 from mavedb.lib.authentication import UserData
 from mavedb.lib.logging.context import logging_context, save_to_logging_context
+from mavedb.models.collection import Collection
+from mavedb.models.enums.contribution_role import ContributionRole
 from mavedb.models.enums.user_role import UserRole
 from mavedb.models.experiment import Experiment
 from mavedb.models.experiment_set import ExperimentSet
@@ -15,6 +17,7 @@
 
 
 class Action(Enum):
+    LOOKUP = "lookup"
     READ = "read"
     UPDATE = "update"
     DELETE = "delete"
@@ -23,6 +26,7 @@ class Action(Enum):
     SET_SCORES = "set_scores"
     ADD_ROLE = "add_role"
     PUBLISH = "publish"
+    ADD_BADGE = "add_badge"
 
 
 class PermissionResponse:
@@ -33,9 +37,15 @@ def __init__(self, permitted: bool, http_code: int = 403, message: Optional[str]
 
         save_to_logging_context({"permission_message": self.message, "access_permitted": self.permitted})
         if self.permitted:
-            logger.debug(msg="Access to the requested resource is permitted.", extra=logging_context())
+            logger.debug(
+                msg="Access to the requested resource is permitted.",
+                extra=logging_context(),
+            )
         else:
-            logger.debug(msg="Access to the requested resource is not permitted.", extra=logging_context())
+            logger.debug(
+                msg="Access to the requested resource is not permitted.",
+                extra=logging_context(),
+            )
 
 
 class PermissionException(Exception):
@@ -59,6 +69,7 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
     user_is_owner = False
     user_is_self = False
     user_may_edit = False
+    user_may_view_private = False
     active_roles = user_data.active_roles if user_data else []
 
     if isinstance(item, ExperimentSet) or isinstance(item, Experiment) or isinstance(item, ScoreSet):
@@ -72,6 +83,27 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
 
         save_to_logging_context({"resource_is_published": published})
 
+    if isinstance(item, Collection):
+        assert item.private is not None
+        private = item.private
+        published = item.private is False
+        user_is_owner = item.created_by_id == user_data.user.id if user_data is not None else False
+        admin_user_ids = set()
+        editor_user_ids = set()
+        viewer_user_ids = set()
+        for user_association in item.user_associations:
+            if user_association.contribution_role == ContributionRole.admin:
+                admin_user_ids.add(user_association.user_id)
+            elif user_association.contribution_role == ContributionRole.editor:
+                editor_user_ids.add(user_association.user_id)
+            elif user_association.contribution_role == ContributionRole.viewer:
+                viewer_user_ids.add(user_association.user_id)
+        user_is_admin = user_is_owner or (user_data is not None and user_data.user.id in admin_user_ids)
+        user_may_edit = user_is_admin or (user_data is not None and user_data.user.id in editor_user_ids)
+        user_may_view_private = user_may_edit or (user_data is not None and (user_data.user.id in viewer_user_ids))
+
+        save_to_logging_context({"resource_is_published": published})
+
     if isinstance(item, User):
         user_is_self = item.id == user_data.user.id if user_data is not None else False
         user_may_edit = user_is_self
@@ -254,7 +286,109 @@ def has_permission(user_data: Optional[UserData], item: Base, action: Action) ->
         else:
             raise NotImplementedError(f"has_permission(User, ScoreSet, {action}, Role)")
 
+    elif isinstance(item, Collection):
+        if action == Action.READ:
+            if user_may_view_private or not private:
+                return PermissionResponse(True)
+            # Roles which may perform this operation.
+            elif roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            elif user_data is None or user_data.user is None:
+                return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        elif action == Action.UPDATE:
+            if user_may_edit:
+                return PermissionResponse(True)
+            # Roles which may perform this operation.
+            elif roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"score set with URN '{item.urn}' not found")
+            elif user_data is None or user_data.user is None:
+                return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        elif action == Action.DELETE:
+            # A collection may be deleted even if it has been published, as long as it is not an official collection.
+            if user_is_owner:
+                return PermissionResponse(
+                    not item.badge_name,
+                    403,
+                    f"insufficient permissions for URN '{item.urn}'",
+                )
+            # MaveDB admins may delete official collections.
+            elif roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            else:
+                return PermissionResponse(False)
+        elif action == Action.PUBLISH:
+            if user_is_admin:
+                return PermissionResponse(True)
+            elif roles_permitted(active_roles, []):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"score set with URN '{item.urn}' not found")
+            else:
+                return PermissionResponse(False)
+        elif action == Action.ADD_SCORE_SET:
+            # Whether the collection is private or public, only permitted users can add a score set to a collection.
+            if user_may_edit or roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private and not user_may_view_private:
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        elif action == Action.ADD_EXPERIMENT:
+            # Only permitted users can add an experiment to an existing collection.
+            return PermissionResponse(
+                user_may_edit or roles_permitted(active_roles, [UserRole.admin]),
+                404 if private and not user_may_view_private else 403,
+                (
+                    f"collection with URN '{item.urn}' not found"
+                    if private and not user_may_view_private
+                    else f"insufficient permissions for URN '{item.urn}'"
+                ),
+            )
+        elif action == Action.ADD_ROLE:
+            # Both collection admins and MaveDB admins can add a user to a collection role
+            if user_is_admin or roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            else:
+                return PermissionResponse(False, 403, "Insufficient permissions to add user role.")
+        # only MaveDB admins may add a badge name to a collection, which makes the collection considered "official"
+        elif action == Action.ADD_BADGE:
+            # Roles which may perform this operation.
+            if roles_permitted(active_roles, [UserRole.admin]):
+                return PermissionResponse(True)
+            elif private:
+                # Do not acknowledge the existence of a private entity.
+                return PermissionResponse(False, 404, f"collection with URN '{item.urn}' not found")
+            elif user_data is None or user_data.user is None:
+                return PermissionResponse(False, 401, f"insufficient permissions for URN '{item.urn}'")
+            else:
+                return PermissionResponse(False, 403, f"insufficient permissions for URN '{item.urn}'")
+        else:
+            raise NotImplementedError(f"has_permission(User, ScoreSet, {action}, Role)")
+
     elif isinstance(item, User):
+        if action == Action.LOOKUP:
+            # any existing user can look up any mavedb user by Orcid ID
+            # lookup differs from read because lookup means getting the first name, last name, and orcid ID of the user,
+            # while read means getting an admin view of the user's details
+            if user_data is not None and user_data.user is not None:
+                return PermissionResponse(True)
+            else:
+                # TODO is this inappropriately acknowledging the existence of the user?
+                return PermissionResponse(False, 401, "Insufficient permissions for user lookup.")
         if action == Action.READ:
             if user_is_self:
                 return PermissionResponse(True)