global: add roles info in /me endpoint

ParthS007 · ParthS007 · commit bdb6223cfdba · 2023-03-21T16:15:26.000+01:00
Signed-off-by: Parth Shandilya &lt;parth.shandilya@cern.ch&gt;
diff --git a/cap/modules/schemas/imp.py b/cap/modules/schemas/imp.py
@@ -25,12 +25,13 @@
 from itertools import groupby
 
 from invenio_access.models import ActionRoles, ActionUsers
-from invenio_access.permissions import Permission
+from invenio_access.permissions import Permission, superuser_access
 from invenio_cache import current_cache
 from sqlalchemy.event import listen
 
 from .models import Schema
 from .permissions import (
+    AdminSchemaPermission,
     ReadSchemaPermission,
     deposit_schema_create_action,
     deposit_schema_read_action,
@@ -153,6 +154,41 @@ def _filter_by_read_access(schemas_list):
     return [x for x in schemas_list if ReadSchemaPermission(x).can()]
 
 
+def _filter_by_admin_access(schemas_list):
+    """Return only schemas that user has admin access to."""
+    return [x for x in schemas_list if AdminSchemaPermission(x).can()]
+
+
+def is_super_user():
+    return Permission(superuser_access).can()
+
+
+def get_admin_roles_for_user(latest=True):
+    """Return list of roles in schemas, current user has admin/superuser access to."""
+    roles = []
+    schemas = get_indexed_schemas(latest=latest)
+    schemas = _filter_by_admin_access(schemas)
+    if latest:
+        schemas = _filter_only_latest(schemas)
+
+    for schema in schemas:
+        roles.append(f"{schema.name}")
+
+    return roles
+
+
+def generate_roles(mapping):
+    roles = []
+    for method_name, method in mapping.items():
+        result = method()
+        if isinstance(result, bool) and result:
+            roles.append(method_name)
+        elif isinstance(result, list):
+            for role in result:
+                roles.append(f"{method_name}:{role}")
+    return roles
+
+
 def get_schemas_for_user(latest=True):
     """Return all schemas current user has read access to."""
     schemas = Schema.query.order_by(
diff --git a/cap/modules/schemas/permissions.py b/cap/modules/schemas/permissions.py
@@ -113,15 +113,15 @@ def __init__(self, schema):
 
 
 class AdminSchemaPermission(Permission):
-    """Schema read permission."""
+    """Schema admin permission."""
 
     def __init__(self, schema):
         """Initialize state.
 
-        Read access for:
+        Admin access for:
 
         * all members of experiment assigned to schema
-        * all users/roles assigned to schema-object-read action
+        * all users/roles assigned to schema-object-admin action
 
         """
         _needs = set()
diff --git a/cap/modules/user/views.py b/cap/modules/user/views.py
@@ -36,14 +36,25 @@
 
 from cap.config import DEBUG
 from cap.modules.access.utils import login_required
-from cap.modules.schemas.imp import get_cached_indexed_schemas_for_user_create
+from cap.modules.schemas.imp import (
+    get_admin_roles_for_user,
+    get_cached_indexed_schemas_for_user_create,
+    generate_roles,
+    is_super_user,
+)
 from cap.modules.user.utils import get_remote_account_by_id
 
 _datastore = LocalProxy(lambda: current_app.extensions['security'].datastore)
 
 user_blueprint = Blueprint('cap_user', __name__, template_folder='templates')
 
 
+USER_UI_ROLES = {
+    'superuser': is_super_user,
+    'schema-admin': get_admin_roles_for_user,
+}
+
+
 @user_blueprint.route('/me')
 @login_required
 def get_user():
@@ -62,6 +73,7 @@ def get_user():
         "email": current_user.email,
         "deposit_groups": deposit_groups,
         "profile": extra_data,
+        "roles": generate_roles(USER_UI_ROLES),
     }
 
     response = jsonify(_user)
diff --git a/tests/integration/test_user_api.py b/tests/integration/test_user_api.py
@@ -54,7 +54,8 @@ def test_me_when_superuser_returns_correct_user_data(
         }],
         "email": superuser.email,
         "id": superuser.id,
-        "profile": {}
+        "profile": {},
+        'roles':  ['superuser', 'schema-admin:cms', 'schema-admin:lhcb']
     }
 
 
@@ -83,7 +84,8 @@ def test_me_when_cms_user_returns_correct_user_data(client, create_schema,
         }],
         "email": user.email,
         "id": user.id,
-        "profile": {}
+        "profile": {},
+        'roles': [],
     }
 
     lhcb_schema.process_action_roles('allow',
@@ -104,5 +106,6 @@ def test_me_when_cms_user_returns_correct_user_data(client, create_schema,
         }],
         "email": user.email,
         "id": user.id,
-        "profile": {}
-    }
+        "profile": {},
+        'roles': [],
+    }
