Enable users to call the add-member API #9200
Conversation
seanh
changed the title
| Permission.Group.MEMBER_ADD: [ | ||
| [p.group_member_add], | ||
| [p.group_matches_authenticated_client_authority], | ||
| ], |
There was a problem hiding this comment.
So the MEMBER_ADD permission will be granted if either group_member_add() returns True or group_matches_authenticated_client_authority() returns True.
If you're wondering what this "permission map" is DD: Group Owners, Admins and Moderators contains a section explaining how security permissions work in Pyramid and h.
seanh
force-pushed
the
enable-users-to-call-add-member-API
branch
from
c522c82 to
a5d7e31
Compare
seanh
changed the base branch from
add-membership-request-body
to
refactor-contexts
seanh
force-pushed
the
enable-users-to-call-add-member-API
branch
from
a5d7e31 to
5297204
Compare
| @requires(authenticated_user, group_found) | ||
| def group_member_add(identity, context: AddGroupMembershipContext): | ||
| assert ( | ||
| context.new_roles is not None | ||
| ), "new_roles must be set before checking permissions" | ||
|
|
||
| def get_authenticated_users_roles(): | ||
| """Return the authenticated users roles in the target group.""" | ||
| for membership in identity.user.memberships: | ||
| if membership.group.id == context.group.id: | ||
| return membership.roles | ||
|
|
||
| return [] | ||
|
|
||
| authenticated_users_roles = get_authenticated_users_roles() | ||
|
|
||
| if GroupMembershipRoles.OWNER in authenticated_users_roles: | ||
| # Owners can add members with any roles. | ||
| return True | ||
|
|
||
| if GroupMembershipRoles.ADMIN in authenticated_users_roles: | ||
| # Admins can add members with any role below admin. | ||
| return ( | ||
| GroupMembershipRoles.OWNER not in context.new_roles | ||
| and GroupMembershipRoles.ADMIN not in context.new_roles | ||
| ) | ||
|
|
||
| return False |
There was a problem hiding this comment.
Now that the add-member API can be called by users we need this need security permissions predicate function to check that the authenticated user should be permitted to make the request: to add a user to a group with role "owner" or "admin" the authenticated user must be a member of the group also with role "owner". Or, if the authenticated user has role "admin", they can add a user with role "member" or "moderator". If you're not an owner or admin of a group then you're not allowed to add users to that group with any role.
(This predicate wasn't needed previously because the add-member API could only be called by authclients and authclients are permitted to do anything.)
The get_authenticated_users_roles() helper has been duplicated a few times now, I'll send a follow-up PR to refactor and deduplicate this and other duplication in predicates.py (#9205).
seanh
force-pushed
the
enable-users-to-call-add-member-API
branch
from
5297204 to
d349530
Compare
seanh
force-pushed
the
refactor-contexts
branch
from
b171774 to
fc5dbd6
Compare
seanh
force-pushed
the
enable-users-to-call-add-member-API
branch
2 times, most recently
from
de08675 to
e79457b
Compare
There was a problem hiding this comment.
Copilot reviewed 5 out of 9 changed files in this pull request and generated no suggestions.
Files not reviewed (4)
- h/security/predicates.py: Evaluated as low risk
- h/services/group_members.py: Evaluated as low risk
- h/views/api/group_members.py: Evaluated as low risk
- tests/functional/api/groups/members_test.py: Evaluated as low risk
|
Tested it locally seems to be working just fine. |
seanh
force-pushed
the
refactor-contexts
branch
from
fc5dbd6 to
a3a946a
Compare
Allow users (not just authclients) to call the add-membership API.
seanh
force-pushed
the
enable-users-to-call-add-member-API
branch
from
e79457b to
8491ea9
Compare
h's add-member-to-group API can only be called by authclients, not users, even though other membership APIs (list members, edit-membership, remove-membership) can all be called by users.
This PR enhances the add-membership API to allow it to be called by users as well as authclients.
This PR doesn't update the API docs, I'll send a follow-up PR to do that.
Testing
Log in as
devdata_admin(password:pass).Go to http://localhost:5000/groups/new and create a new group.
Go to http://localhost:5000/account/developer and create an API key.
Use the API key to authenticate a request to the add-member API: