Allow site admin to view other tree details (#467)

* Allow site admin to view other tree details

* Fix test

Author: DavidMStraub

gramps_webapi/api/resources/trees.py

@@ -22,7 +22,7 @@
 import os
 import re
 import uuid
-from typing import Dict, Optional
+from typing import Dict, List, Optional
 
 from flask import abort, current_app
 from gramps.gen.config import config
@@ -36,11 +36,12 @@
     PERM_EDIT_OTHER_TREE,
     PERM_EDIT_TREE,
     PERM_EDIT_TREE_QUOTA,
+    PERM_VIEW_OTHER_TREE,
 )
 from ...const import TREE_MULTI
 from ...dbmanager import WebDbManager
-from ..auth import require_permissions
-from ..util import abort_with_message, get_tree_from_jwt, use_args
+from ..auth import has_permissions, require_permissions
+from ..util import abort_with_message, get_tree_from_jwt, use_args, list_trees
 from . import ProtectedResource
 
 # legal tree dirnames
@@ -79,14 +80,23 @@ def validate_tree_id(tree_id: str) -> None:
         abort_with_message(422, "Invalid tree ID")
 
 
+def get_tree_ids() -> List[str]:
+    """Get a list of all existing tree IDs."""
+    tree_details = list_trees()
+    return [os.path.basename(details[1]) for details in tree_details]
+
+
 class TreesResource(ProtectedResource):
     """Resource for getting info about trees."""
 
     def get(self):
         """Get info about all trees."""
-        user_tree_id = get_tree_from_jwt()
-        # only allowed to see details about our own tree
-        tree_ids = [user_tree_id]
+        if has_permissions([PERM_VIEW_OTHER_TREE]):
+            tree_ids = get_tree_ids()
+        else:
+            # only allowed to see details about our own tree
+            user_tree_id = get_tree_from_jwt()
+            tree_ids = [user_tree_id]
         return [get_tree_details(tree_id) for tree_id in tree_ids]
 
     @use_args(
@@ -129,10 +139,11 @@ def get(self, tree_id: str):
             tree_id = get_tree_from_jwt()
         else:
             validate_tree_id(tree_id)
-            user_tree_id = get_tree_from_jwt()
-            if tree_id != user_tree_id:
-                # only allowed to see details about our own tree
-                abort_with_message(403, "Not authorized to view other trees")
+            if not has_permissions([PERM_VIEW_OTHER_TREE]):
+                user_tree_id = get_tree_from_jwt()
+                if tree_id != user_tree_id:
+                    # only allowed to see details about our own tree
+                    abort_with_message(403, "Not authorized to view other trees")
         return get_tree_details(tree_id)
 
     @use_args(

gramps_webapi/auth/const.py

@@ -39,6 +39,7 @@
 PERM_DEL_OTHER_TREE_USER = "DeleteOtherTreeUser"
 PERM_EDIT_USER_TREE = "EditUserTree"
 PERM_EDIT_OTHER_TREE = "EditOtherTree"
+PERM_VIEW_OTHER_TREE = "ViewOtherTree"
 PERM_ADD_TREE = "AddTree"
 PERM_EDIT_TREE_QUOTA = "EditTreeQuota"
 PERM_DISABLE_TREE = "DisableTree"
@@ -108,6 +109,7 @@
     PERM_DEL_OTHER_TREE_USER,
     PERM_VIEW_SETTINGS,
     PERM_EDIT_SETTINGS,
+    PERM_VIEW_OTHER_TREE,
     PERM_EDIT_OTHER_TREE,
     PERM_EDIT_TREE_QUOTA,
     PERM_ADD_TREE,

gramps_webapi/data/apispec.yaml

@@ -6894,6 +6894,8 @@ paths:
             $ref: "#/definitions/Tree"
         401:
           description: "Unauthorized: Missing authorization header."
+        403:
+          description: "Unauthorized: insufficient permissions."
         404:
           description: "Not found: tree does not exist."
         422:

tests/test_endpoints/test_trees.py

@@ -69,7 +69,7 @@ def tearDown(self):
         self.ctx.pop()
         self.dbman.remove_database(self.name)
 
-    def test_list_trees(self):
+    def test_list_trees_admin(self):
         rv = self.client.post(
             BASE_URL + "/token/", json={"username": "admin", "password": "123"}
         )
@@ -78,21 +78,49 @@ def test_list_trees(self):
             BASE_URL + "/trees/", headers={"Authorization": f"Bearer {token}"}
         )
         assert rv.status_code == 200
-        assert rv.json == [{"name": self.name, "id": self.tree}]
+        trees = rv.json
+        trees_dict = {tree["id"]: tree["name"] for tree in trees}
+        assert trees_dict[self.tree] == self.name
+        # admin can see more trees
+        assert len(trees) > 1
+
+    def test_list_trees_owner(self):
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        token = rv.json["access_token"]
+        rv = self.client.get(
+            BASE_URL + "/trees/", headers={"Authorization": f"Bearer {token}"}
+        )
+        assert rv.status_code == 200
+        trees = rv.json
+        # owner can see only one tree
+        assert trees == [{"id": self.tree, "name": self.name}]
 
     def test_get_tree(self):
         rv = self.client.post(
             BASE_URL + "/token/", json={"username": "admin", "password": "123"}
         )
         token = rv.json["access_token"]
+        rv = self.client.post(
+            BASE_URL + "/token/", json={"username": "owner", "password": "123"}
+        )
+        token_owner = rv.json["access_token"]
         rv = self.client.get(
             BASE_URL + "/trees/..", headers={"Authorization": f"Bearer {token}"}
         )
         assert rv.status_code == 422
+        # owner should get a 403 for non existing tree - not authorized
         rv = self.client.get(
-            BASE_URL + "/trees/notexist", headers={"Authorization": f"Bearer {token}"}
+            BASE_URL + "/trees/notexist",
+            headers={"Authorization": f"Bearer {token_owner}"},
         )
         assert rv.status_code == 403
+        # admin should get 404 thouogh
+        rv = self.client.get(
+            BASE_URL + "/trees/notexist", headers={"Authorization": f"Bearer {token}"}
+        )
+        assert rv.status_code == 404
         rv = self.client.get(
             BASE_URL + f"/trees/{self.tree}",
             headers={"Authorization": f"Bearer {token}"},