Restrict analytics for unpublish engagement (#2236)
* Changes to show all survey results to superusers * removing hard coded values * fixing linting * splitting to separate end points * fixing auth check * fixing linting * merging method in service * Handle no data error for graphs * adding new nodata component * adding new email for submission response * fixing linting and testing * Upgrades to Issue Tracking Table * removing try catch * Updated dagster user code deployment name * Restrict analytics for unpublished engagement
1 parent
6240bfe
commit 8cba3d0
Showing
10 changed files
with
136 additions
and
23 deletions.
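--- a/analytics-api/src/analytics_api/constants/engagement_status.py
+++ b/analytics-api/src/analytics_api/constants/engagement_status.py
@@ -0,0 +1,25 @@
+# Copyright © 2021 Province of British Columbia
+#
+# Licensed under the Apache License, Version 2.0 (the 'License');
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an 'AS IS' BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+"""Constants of engagement status."""
+from enum import Enum
+
+
+class Status(Enum):
+    """Enum of engagement status."""
+
+    Draft = 'Draft'
+    Published = 'Published'
+    Closed = 'Closed'
+    Scheduled = 'Scheduled'
+    Unpublished = 'Unpublished'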
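--- a/analytics-api/src/analytics_api/utils/engagement_access_validator.py
+++ b/analytics-api/src/analytics_api/utils/engagement_access_validator.py
@@ -0,0 +1,26 @@
+"""Check Engagement Access Service."""
+from sqlalchemy import and_, exists
+from sqlalchemy.sql.expression import true
+from analytics_api.constants.engagement_status import Status
+from analytics_api.models.db import db
+from analytics_api.models.engagement import Engagement as EngagementModel
+from analytics_api.utils.roles import Role
+from analytics_api.utils.token_info import TokenInfo
+
+
+def check_engagement_access(engagement_id):
+    """Check if user has access to get engagement details."""
+    is_engagement_unpublished = db.session.query(
+        exists()
+        .where(
+            and_(
+                EngagementModel.source_engagement_id == engagement_id,
+                EngagementModel.is_active == true(),
+                EngagementModel.status_name == Status.Unpublished.value
+            )
+        )
+    ).scalar()
+
+    user_roles = set(TokenInfo.get_user_roles())
+
+    return not is_engagement_unpublished or Role.ACCESS_DASHBOARD.value in user_roles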
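Review bot: The `return not is_engagement_unpublished or ...` line fails open: the EXISTS query is true only for an active engagement whose status_name is exactly Unpublished, so an unknown `engagement_id`, an unpublished engagement that has been soft-deleted (`is_active` false), or one still in Draft or Scheduled status all grant access to a caller with no roles at all. An access check on analytics data should deny by default and grant anonymous access only when the engagement is found in an explicit allow-list of publicly visible statuses, with the role check short-circuiting before the query. Which statuses belong on that list (Published and Closed here; Scheduled may or may not be intended) is a product decision this file does not settle, so confirm it with the engagement owners before merging. The `set(...)` around `TokenInfo.get_user_roles()` is redundant since that helper already returns a set, but it is harmless.
```python
def check_engagement_access(engagement_id):
    """Return True when the caller may read this engagement's analytics.

    Dashboard-role holders always pass; everyone else only sees engagements
    that are active and in a publicly visible status. Unknown, inactive or
    non-public engagements are denied.
    """
    if Role.ACCESS_DASHBOARD.value in TokenInfo.get_user_roles():
        return True
    # Deny by default: an unknown id or a soft-deleted row must not leak data.
    public_statuses = [Status.Published.value, Status.Closed.value]
    is_publicly_visible = db.session.query(
        exists()
        .where(
            and_(
                EngagementModel.source_engagement_id == engagement_id,
                EngagementModel.is_active == true(),
                EngagementModel.status_name.in_(public_statuses),
            )
        )
    ).scalar()
    return bool(is_publicly_visible)
```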
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,43 @@ | ||
"""Helper for token decoding.""" | ||
from flask import current_app, g | ||
|
||
from analytics_api.utils.roles import Role | ||
from analytics_api.utils.user_context import UserContext, user_context | ||
|
||
|
||
class TokenInfo: | ||
"""Token info.""" | ||
|
||
@staticmethod | ||
@user_context | ||
def get_id(**kwargs): | ||
"""Get the user identifier.""" | ||
try: | ||
user_from_context: UserContext = kwargs['user_context'] | ||
return user_from_context.sub | ||
except AttributeError: | ||
return None | ||
|
||
@staticmethod | ||
def get_user_data(): | ||
"""Get the user data.""" | ||
token_info = g.jwt_oidc_token_info | ||
user_data = { | ||
'external_id': token_info.get('sub', None), | ||
'first_name': token_info.get('given_name', None), | ||
'last_name': token_info.get('family_name', None), | ||
'email_address': token_info.get('email', None), | ||
'username': token_info.get('preferred_username', None), | ||
'identity_provider': token_info.get('identity_provider', ''), | ||
'roles': TokenInfo.get_user_roles(), | ||
} | ||
return user_data | ||
|
||
@staticmethod | ||
def get_user_roles(): | ||
"""Get the user roles from token.""" | ||
if not hasattr(g, 'jwt_oidc_token_info') or not g.jwt_oidc_token_info: | ||
return [] | ||
valid_roles = set(item.value for item in Role) | ||
token_roles = current_app.config['JWT_ROLE_CALLBACK'](g.jwt_oidc_token_info) | ||
return valid_roles.intersection(token_roles) |