Add bulk update buttons (#672)

Author: Dreamsorcerer

admin-js/src/App.js

@@ -1,5 +1,6 @@
 import {
     Admin, Create, Datagrid, Edit, EditButton, List, HttpError, Resource, SimpleForm,
+    BulkDeleteButton, BulkExportButton, BulkUpdateButton,
     SimpleShowLayout, Show,
     BooleanField, BooleanInput,
     DateField, DateInput,
@@ -61,6 +62,7 @@ const dataProvider = {
     },
     getOne: (resource, params) => dataRequest(resource, "get_one", params),
     update: (resource, params) => dataRequest(resource, "update", params),
+    updateMany: (resource, params) => dataRequest(resource, "update_many", params)
 }
 
 const authProvider = {
@@ -159,14 +161,40 @@ function createInputs(resource, name, perm_type, permissions) {
     return components;
 }
 
-const AiohttpList = (resource, name, permissions) => (
-    <List filters={createInputs(resource, name, "view", permissions)}>
-        <Datagrid rowClick="show">
-            {createFields(resource, name, permissions, true)}
-            <WithRecord render={(record) => hasPermission(`${name}.edit`, permissions, record) && <EditButton />} />
-        </Datagrid>
-    </List>
-);
+function createBulkUpdates(resource, name, permissions) {
+    let buttons = [];
+    for (const [label, data] of Object.entries(resource["bulk_update"])) {
+        let allowed = true;
+        for (const k of Object.keys(data)) {
+            if (!hasPermission(`${name}.${k}.edit`, permissions)) {
+                allowed = false;
+                break;
+            }
+        }
+        if (allowed)
+            buttons.push(<BulkUpdateButton label={label} data={data} />);
+    }
+    return buttons;
+}
+
+const AiohttpList = (resource, name, permissions) => {
+    const BulkActionButtons = () => (
+        <>
+            {hasPermission(`${name}.edit`, permissions) && createBulkUpdates(resource, name, permissions)}
+            <BulkExportButton />
+            {hasPermission(`${name}.delete`, permissions) && <BulkDeleteButton />}
+        </>
+    );
+
+    return (
+        <List filters={createInputs(resource, name, "view", permissions)}>
+            <Datagrid rowClick="show" bulkActionButtons={<BulkActionButtons />}>
+                {createFields(resource, name, permissions, true)}
+                <WithRecord render={(record) => hasPermission(`${name}.edit`, permissions, record) && <EditButton />} />
+            </Datagrid>
+        </List>
+    );
+}
 
 const AiohttpShow = (resource, name, permissions) => (
     <Show>

aiohttp_admin/backends/abc.py

@@ -67,6 +67,11 @@ class UpdateParams(_Params):
     previousData: Json[Record]
 
 
+class UpdateManyParams(_Params):
+    ids: Json[list[Union[int, str]]]
+    data: Json[Record]
+
+
 class DeleteParams(_Params):
     id: Union[int, str]
     previousData: Json[Record]
@@ -105,6 +110,10 @@ async def get_many(self, params: GetManyParams) -> list[Record]:
     async def update(self, params: UpdateParams) -> Record:
         """Update the record and return the updated record."""
 
+    @abstractmethod
+    async def update_many(self, params: UpdateManyParams) -> list[Union[int, str]]:
+        """Update multiple records and return the IDs of updated records."""
+
     @abstractmethod
     async def create(self, params: CreateParams) -> Record:
         """Create a new record and return the created record."""
@@ -192,6 +201,25 @@ async def _update(self, request: web.Request) -> web.Response:
         result = await self.filter_by_permissions(request, "view", result)
         return json_response({"data": result})
 
+    async def _update_many(self, request: web.Request) -> web.Response:
+        await check_permission(request, f"admin.{self.name}.edit", context=(request, None))
+        query = parse_obj_as(UpdateManyParams, request.query)
+
+        # Check original records are allowed by permission filters.
+        originals = await self.get_many({"ids": query["ids"]})
+        allowed = (permits(request, f"admin.{self.name}.edit", context=(request, r))
+                   for r in originals)
+        allowed_f = (permits(request, f"admin.{self.name}.{k}.edit", context=(request, r))
+                     for r in originals for k in query["data"])
+        if not all(await asyncio.gather(*allowed, *allowed_f)):
+            raise web.HTTPForbidden()
+        # Check new values are allowed by permission filters.
+        if not await permits(request, f"admin.{self.name}.edit", context=(request, query["data"])):
+            raise web.HTTPForbidden()
+
+        ids = await self.update_many(query)
+        return json_response({"data": ids})
+
     async def _delete(self, request: web.Request) -> web.Response:
         await check_permission(request, f"admin.{self.name}.delete", context=(request, None))
         query = parse_obj_as(DeleteParams, request.query)
@@ -230,6 +258,7 @@ def routes(self) -> tuple[web.RouteDef, ...]:
             web.get(url, self._get_many, name=self.name + "_get_many"),
             web.post(url, self._create, name=self.name + "_create"),
             web.put(url + "/update", self._update, name=self.name + "_update"),
+            web.put(url + "/update_many", self._update_many, name=self.name + "_update_many"),
             web.delete(url + "/one", self._delete, name=self.name + "_delete"),
             web.delete(url, self._delete_many, name=self.name + "_delete_many")
         )

aiohttp_admin/backends/sqlalchemy.py

@@ -10,7 +10,7 @@
 
 from .abc import (
     AbstractAdminResource, CreateParams, DeleteManyParams, DeleteParams, GetListParams,
-    GetManyParams, GetOneParams, Record, UpdateParams)
+    GetManyParams, GetOneParams, Record, UpdateManyParams, UpdateParams)
 
 logger = logging.getLogger(__name__)
 
@@ -155,6 +155,19 @@ async def update(self, params: UpdateParams) -> Record:
                 logger.warning("No result found (%s)", params["id"], exc_info=True)
                 raise web.HTTPNotFound()
 
+    async def update_many(self, params: UpdateManyParams) -> list[Union[str, int]]:
+        async with self._db.begin() as conn:
+            stmt = sa.update(self._table).where(self._table.c["id"].in_(params["ids"]))
+            stmt = stmt.values(params["data"]).returning(self._table.c["id"])
+            try:
+                r = await conn.scalars(stmt)
+            except sa.exc.CompileError as e:
+                logger.warning("CompileError (%s)", params["ids"], exc_info=True)
+                raise web.HTTPBadRequest(reason=str(e))
+            # The security check has already called get_many(), so we can be sure
+            # there will be results here.
+            return list(r)
+
     async def delete(self, params: DeleteParams) -> Record:
         async with self._db.begin() as conn:
             stmt = sa.delete(self._table).where(self._table.c["id"] == params["id"])

aiohttp_admin/routes.py

@@ -32,7 +32,8 @@ def setup_resources(admin: web.Application, schema: Schema) -> None:
                 v["props"]["alwaysOn"] = "alwaysOn"  # Always display filter
 
         state = {"fields": m.fields, "inputs": m.inputs, "display": display_fields,
-                 "repr": repr_field, "label": r.get("label"), "icon": r.get("icon")}
+                 "repr": repr_field, "label": r.get("label"), "icon": r.get("icon"),
+                 "bulk_update": r.get("bulk_update", {})}
         admin["state"]["resources"][m.name] = state
 
 

aiohttp_admin/types.py

@@ -62,6 +62,10 @@ class _Resource(TypedDict, total=False):
     # name of the field that should be used for repr
     # (e.g. when displaying a foreign key reference).
     repr: str
+    # Bulk update actions (which appear when selecting rows in the list view).
+    # Format: {"Button Label": {"field_to_update": "value_to_set"}}
+    # e.g. {"Reset Views": {"views": 0}}
+    bulk_update: dict[str, dict[str, Any]]
 
 
 class Resource(_Resource):
@@ -85,6 +89,7 @@ class _ResourceState(TypedDict):
     repr: str
     icon: Optional[str]
     urls: dict[str, tuple[str, str]]  # (method, url)
+    bulk_update: dict[str, dict[str, Any]]
 
 
 class State(TypedDict):

examples/permissions.py

@@ -99,7 +99,8 @@ async def create_app() -> web.Application:
             "secure": False
         },
         "resources": (
-            {"model": SAResource(engine, Simple)},
+            {"model": SAResource(engine, Simple),
+             "bulk_update": {"Set to 7": {"optional_num": 7}}},
             {"model": SAResource(engine, SimpleParent)}
         )
     }

tests/test_security.py

@@ -317,6 +317,24 @@ async def identity_callback(identity: Optional[str]) -> UserDetails:
         assert r.msg == "Test"
 
 
+async def test_update_many_resource_finegrained_permission(  # type: ignore[no-any-unimported]
+        create_admin_client: _CreateClient, login: _Login) -> None:
+    async def identity_callback(identity: Optional[str]) -> UserDetails:
+        assert identity == "admin"
+        return {"permissions": {"admin.*", "~admin.dummy2.msg.edit"}}
+
+    admin_client = await create_admin_client(identity_callback)
+
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy2_update_many"].url_for()
+    h = await login(admin_client)
+    p = {"ids": "[1]", "data": json.dumps({"msg": "ABC"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+        # TODO(aiohttp-security05)
+        # expected = "403: User does not have 'admin.dummy2.msg.edit' permission"
+
+
 async def test_delete_resource_filtered_permission(create_admin_client: _CreateClient,  # type: ignore[no-any-unimported] # noqa: B950
                                                    login: _Login) -> None:
     async def identity_callback(identity: Optional[str]) -> UserDetails:
@@ -543,6 +561,50 @@ async def identity_callback(identity: Optional[str]) -> UserDetails:
         assert resp.status == 200
 
 
+async def test_permission_filter_update_many(  # type: ignore[no-any-unimported]
+    create_admin_client: _CreateClient, login: _Login
+) -> None:
+    async def identity_callback(identity: Optional[str]) -> UserDetails:
+        return {"permissions": ("admin.*", 'admin.dummy2.*|msg="Test"')}
+
+    admin_client = await create_admin_client(identity_callback)
+
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy2_update_many"].url_for()
+    h = await login(admin_client)
+    p = {"ids": "[3]", "data": json.dumps({"msg": "Test"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+    p = {"ids": "[1]", "data": json.dumps({"msg": "Foo"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+    p = {"ids": "[1, 2]", "data": json.dumps({"msg": "Test"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 200
+
+
+async def test_permission_filter_update_many2(  # type: ignore[no-any-unimported]
+    create_admin_client: _CreateClient, login: _Login
+) -> None:
+    async def identity_callback(identity: Optional[str]) -> UserDetails:
+        return {"permissions": ("admin.*", 'admin.dummy2.edit|msg="Test"')}
+
+    admin_client = await create_admin_client(identity_callback)
+
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy2_update_many"].url_for()
+    h = await login(admin_client)
+    p = {"ids": "[3]", "data": json.dumps({"msg": "Test"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+    p = {"ids": "[1]", "data": json.dumps({"msg": "Foo"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+    p = {"ids": "[1, 2]", "data": json.dumps({"msg": "Test"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 200
+
+
 async def test_permission_filter_delete(create_admin_client: _CreateClient,  # type: ignore[no-any-unimported] # noqa: B950
                                         login: _Login) -> None:
     async def identity_callback(identity: Optional[str]) -> UserDetails:
@@ -823,3 +885,43 @@ async def identity_callback(identity: Optional[str]) -> UserDetails:
         assert r is None
         r = await sess.get(admin_client.app["model2"], 5)
         assert r.msg == "Test"
+
+
+async def test_permission_filter_field_update_many(  # type: ignore[no-any-unimported]
+    create_admin_client: _CreateClient, login: _Login
+) -> None:
+    async def identity_callback(identity: Optional[str]) -> UserDetails:
+        return {"permissions": ("admin.*", "admin.dummy2.msg.*|id=1|id=2")}
+
+    admin_client = await create_admin_client(identity_callback)
+
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy2_update_many"].url_for()
+    h = await login(admin_client)
+    p = {"ids": "[3]", "data": json.dumps({"msg": "Spam"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+    p = {"ids": "[1, 2]", "data": json.dumps({"msg": "Spam"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 200
+        assert await resp.json() == {"data": [1, 2]}
+
+
+async def test_permission_filter_field_update_many2(  # type: ignore[no-any-unimported]
+    create_admin_client: _CreateClient, login: _Login
+) -> None:
+    async def identity_callback(identity: Optional[str]) -> UserDetails:
+        return {"permissions": ("admin.*", "admin.dummy2.msg.edit|id=1|id=2")}
+
+    admin_client = await create_admin_client(identity_callback)
+
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy2_update_many"].url_for()
+    h = await login(admin_client)
+    p = {"ids": "[3]", "data": json.dumps({"msg": "Spam"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 403
+    p = {"ids": "[1, 2]", "data": json.dumps({"msg": "Spam"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 200
+        assert await resp.json() == {"data": [1, 2]}

tests/test_views.py

@@ -186,6 +186,7 @@ async def test_update(admin_client: TestClient, login: _Login) -> None:
         r = await sess.get(admin_client.app["model"], 4)
         assert r.id == 4
 
+        assert await sess.get(admin_client.app["model"], 1) is None
         assert await sess.get(admin_client.app["model"], 2) is None
 
 
@@ -208,6 +209,41 @@ async def test_update_invalid_attributes(admin_client: TestClient, login: _Login
         assert "foo" in await resp.text()
 
 
+async def test_update_many(admin_client: TestClient, login: _Login) -> None:
+    h = await login(admin_client)
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy2_update_many"].url_for()
+    p = {"ids": "[1, 2]", "data": json.dumps({"msg": "ABC"})}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 200
+        assert await resp.json() == {"data": [1, 2]}
+
+    async with admin_client.app["db"]() as sess:
+        r = await sess.get(admin_client.app["model2"], 1)
+        assert r.msg == "ABC"
+        r = await sess.get(admin_client.app["model2"], 2)
+        assert r.msg == "ABC"
+
+
+async def test_update_many_deleted_entity(admin_client: TestClient, login: _Login) -> None:
+    h = await login(admin_client)
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy_update_many"].url_for()
+    p = {"ids": "[2]", "data": '{"id": 4}'}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 404
+
+
+async def test_update_many_invalid_attributes(admin_client: TestClient, login: _Login) -> None:
+    h = await login(admin_client)
+    assert admin_client.app
+    url = admin_client.app["admin"].router["dummy_update_many"].url_for()
+    p = {"ids": "[1]", "data": '{"foo": "invalid"}'}
+    async with admin_client.put(url, params=p, headers=h) as resp:
+        assert resp.status == 400
+        assert "foo" in await resp.text()
+
+
 async def test_delete(admin_client: TestClient, login: _Login) -> None:
     h = await login(admin_client)
     assert admin_client.app