open-law/app/controllers/require_permission.py

from flask_login import current_user
from flask import flash, redirect, url_for, request, make_response
import functools

from app import models as m, db
from app.logger import log


def check_permissions(
    entity_type: m.Permission.Entity,
    access: list[m.Permission.Access],
    entities: list[dict],
):
    if not current_user.is_authenticated:
        flash("You do not have permission", "danger")
        return make_response(redirect(url_for("home.get_all")))

    request_args = (
        {**request.view_args, **request.args} if request.view_args else {**request.args}
    )
    entity = None
    for model in entities:
        if not entity:
            entity_id_field = (model.__name__ + "_id").lower()
            entity_id = request_args.get(entity_id_field)
            entity: m.Book | m.Collection | m.Section | m.Interpretation | m.Comment = (
                db.session.get(model, entity_id)
            )

    if entity is None:
        log(log.INFO, "No entity [%s] found", entities)
        flash("You do not have permission", "danger")
        return make_response(redirect(url_for("home.get_all")))

    book_id = request_args.get("book_id")
    if book_id:
        book: m.Book = db.session.get(m.Book, book_id)
        if book and book.user_id == current_user.id:
            # user has access because he is book owner
            log(log.INFO, "User [%s] is book owner [%s]", current_user, book)
            return None

    if type(entity) == m.Comment:
        log(log.INFO, "Entity is Comment. Replace it by entity.interpretation")
        entity = entity.interpretation
    elif type(entity) == m.Interpretation and entity.user_id == current_user.id:
        log(log.INFO, "User [%s] is interpretation creator [%s]", current_user, entity)
        return None

    if not entity or not entity.access_groups:
        log(
            log.INFO,
            "Entity [%s] of entity.access_groups [%s] not found",
            access,
            entity,
        )
        flash("You do not have permission", "warning")
        return make_response(redirect(url_for("home.get_all")))

    # check if user is not owner of book
    if not book_id and entity.access_groups[0].book.user_id == current_user.id:
        # user has access because he is book owner
        log(
            log.INFO,
            "User [%s] is book owner [%s]",
            current_user,
            entity.access_groups[0].book,
        )
        return None

    access_group_query = (
        m.AccessGroup.query.join(
            m.PermissionAccessGroups,
            m.PermissionAccessGroups.access_group_id == m.AccessGroup.id,
        )
        .join(m.Permission, m.PermissionAccessGroups.permission_id == m.Permission.id)
        .filter(
            m.AccessGroup.id.in_(
                [access_group.id for access_group in entity.access_groups]
            )
        )
        .filter(m.AccessGroup.users.any(id=current_user.id))
        .filter(m.Permission.entity_type == entity_type)
    )

    for access in access:
        access_group_query = access_group_query.filter(
            m.Permission.access.op("&")(access) > 0
        )

    access_groups = access_group_query.all()

    if access_groups:
        log(
            log.INFO,
            "User [%s] has permission to [%s] [%s]",
            access,
            current_user,
            entity,
        )
        return

    log(
        log.INFO,
        "User [%s] dont have permission to [%s] [%s]",
        current_user,
        access,
        entity,
    )
    flash("You do not have permission", "danger")
    return make_response(redirect(url_for("home.get_all")))


def require_permission(
    entity_type: m.Permission.Entity,
    access: list[m.Permission.Access],
    entities: list[dict],
):
    def decorator(f):
        @functools.wraps(f)
        def permission_checker(*args, **kwargs):
            if response := check_permissions(
                entity_type=entity_type,
                access=access,
                entities=entities,
            ):
                return response
            return f(*args, **kwargs)

        return permission_checker

    return decorator