default requiring permissions to run a script to True w/ burnettk

spiffworkflow-backend/src/spiffworkflow_backend/scripts/add_permission.py

@@ -14,10 +14,6 @@ from spiffworkflow_backend.services.group_service import GroupService
 class AddPermission(Script):
     """AddUserToGroup."""
 
-    @staticmethod
-    def requires_privileged_permissions() -> bool:
-        return True
-
     def get_description(self) -> str:
         """Get_description."""
         return """Add a permission to a group. ex: add_permission("read", "test/*", "Editors") """

spiffworkflow-backend/src/spiffworkflow_backend/scripts/fact_service.py

@@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
 class FactService(Script):
     """FactService."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Just your basic class that can pull in data from a few api endpoints and

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_current_user.py

@@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetCurrentUser(Script):
     """GetCurrentUser."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Return the current user."""

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_env.py

@@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetEnv(Script):
     """GetEnv."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Returns the current environment - ie testing, staging, production."""

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_frontend_url.py

@@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetFrontendUrl(Script):
     """GetFrontendUrl."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Return the url to the frontend."""

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_group_members.py

@@ -12,6 +12,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetGroupMembers(Script):
     """GetGroupMembers."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Return the list of usernames of the users in the given group."""

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_localtime.py

@@ -14,6 +14,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetLocaltime(Script):
     """GetLocaltime."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Converts a Datetime object into a Datetime object for a specific timezone.

spiffworkflow-backend/src/spiffworkflow_backend/scripts/get_process_info.py

@@ -10,6 +10,11 @@ from spiffworkflow_backend.scripts.script import Script
 class GetProcessInfo(Script):
     """GetProcessInfo."""
 
+    @staticmethod
+    def requires_privileged_permissions() -> bool:
+        """We have deemed this function safe to run without elevated permissions."""
+        return False
+
     def get_description(self) -> str:
         """Get_description."""
         return """Returns a dictionary of information about the currently running process."""

spiffworkflow-backend/src/spiffworkflow_backend/scripts/script.py

@@ -51,6 +51,7 @@ class Script:
 
     @staticmethod
     def requires_privileged_permissions() -> bool:
+        """It seems safer to default to True and make safe functions opt in for any user to run them."""
         return True
 
     @staticmethod
@@ -82,7 +83,7 @@ class Script:
             """
             instance = subclass()
 
-            def run_subclass(*ar: Any, **kw: Any) -> Any:
+            def check_script_permission() -> None:
                 if subclass.requires_privileged_permissions():
                     script_function_name = get_script_function_name(subclass)
                     uri = f"/v1.0/can-run-privileged-script/{script_function_name}"
@@ -100,13 +101,16 @@ class Script:
                         raise ScriptUnauthorizedForUserError(
                             f"User {user.username} does not have access to run privileged script '{script_function_name}'"
                         )
+
+            def run_script_if_allowed(*ar: Any, **kw: Any) -> Any:
+                check_script_permission()
                 return subclass.run(
                     instance,
                     script_attributes_context,
                     *ar,
                     **kw,
                 )
-            return run_subclass
+            return run_script_if_allowed
 
         def get_script_function_name(subclass: type[Script]) -> str:
             return subclass.__module__.split(".")[-1]