Merge pull request #1105 from AI4Bharat/permissions

Permissions
AI4Bharat · Oct 7, 2024 · f229f8e · f229f8e
2 parents b8df5db + 5a20049
commit f229f8e
Show file tree

Hide file tree

Showing 6 changed files with 409 additions and 1 deletion.
diff --git a/backend/organizations/decorators.py b/backend/organizations/decorators.py
@@ -2,6 +2,9 @@
 from rest_framework.response import Response
 from .models import Organization
 from functools import wraps
+from django.http import HttpResponse
+from workspaces.models import Workspace
+
 
 PERMISSION_ERROR = {
     "message": "You do not have enough permissions to access this view!"
@@ -44,3 +47,51 @@ def wrapper(self, request, pk=None, *args, **kwargs):
             return Response(PERMISSION_ERROR, status=403)
 
     return wrapper
+
+
+def is_admin(f):
+    @wraps(f)
+    def wrapper(self, request, *args, **kwargs):
+        if request.user.is_authenticated and (
+            request.user.role == User.ADMIN or request.user.is_superuser
+        ):
+            return f(self, request, *args, **kwargs)
+        return Response("Permission Denied", status=403)
+
+    return wrapper
+
+
+def is_permitted(f):
+    @wraps(f)
+    def wrapper(self, request, *args, **kwargs):
+        if "organization" not in request.data or "workspace" not in request.data:
+            return Response(
+                {
+                    "message": "Please send the complete request data for organization and workspace"
+                },
+                status=403,
+            )
+        organization = Organization.objects.get(id=request.data["organization"])
+        workspace = Workspace.objects.get(id=request.data["workspace"])
+        if Organization.objects.filter(
+            id=request.user.organization.id
+        ) != Organization.objects.filter(id=int(organization)):
+            return Response(NO_ORGANIZATION_OWNER_ERROR, status=403)
+        if workspace.organization != request.user.organization:
+            Response(NO_ORGANIZATION_OWNER_ERROR, status=403)
+        org_permissions = Organization.objects.filter(
+            id=request.user.organization.id
+        ).permission_json
+        requested_permission = request.data.get("requested_permission")
+        allowed_roles = org_permissions.get(requested_permission, 0)
+        if not allowed_roles:
+            return Response({"message": "Requested Permission is invalid"}, status=403)
+        for a in allowed_roles:
+            if (a == "org_owner" and request.user.role != User.ORGANIZATION_OWNER) or (
+                a == "workspace_manager" and request.user not in workspace.managers
+            ):
+                return Response({"message": "Access Denied"}, status=403)
+            return f(self, request, *args, **kwargs)
+        return Response(PERMISSION_ERROR, status=403)
+
+    return wrapper
diff --git a/backend/organizations/migrations/0009_permission_json_organizations.py b/backend/organizations/migrations/0009_permission_json_organizations.py
@@ -0,0 +1,24 @@
+# Generated by Django 3.2.14 on 2024-07-31 10:12
+
+from django.db import migrations, models
+import organizations.models
+
+
+class Migration(migrations.Migration):
+    dependencies = [
+        ("organizations", "0008_auto_20220930_0451"),
+    ]
+
+    operations = [
+        migrations.AddField(
+            model_name="organization",
+            name="permission_json",
+            field=models.JSONField(
+                blank=True,
+                default=organizations.models.default_permissions,
+                help_text="Permissions for user role",
+                null=True,
+                verbose_name="permission json",
+            ),
+        ),
+    ]
diff --git a/backend/organizations/models.py b/backend/organizations/models.py
@@ -8,12 +8,164 @@
 import os
 from dotenv import load_dotenv
 
-
 load_dotenv()
 
 from django.conf import settings
 
+
 # Create your models here.
+def default_permissions():
+    from users.models import User
+
+    return {
+        "PROJECT_PERMISSIONS": {
+            "can_view_add_annotators_to_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_add_annotators_to_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_add_reviewers_to_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_add_reviewers_to_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_add_superchecker_to_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_add_superchecker_to_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_basic_project_settings": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_basic_project_settings": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_publish_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_publish_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_archive_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_archive_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_export_project_into_dataset": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_export_project_into_dataset": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_pull_new_data_items_from_source_dataset": [
+                "org_owner",
+                "workspace_manager",
+            ],
+            "can_use_pull_new_data_items_from_source_dataset": [
+                "org_owner",
+                "workspace_manager",
+            ],
+            "can_view_download_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_download_project": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_delete_project_tasks": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_delete_project_tasks": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_deallocate_user_tasks": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_deallocate_user_tasks": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_project_stage": [User.ORGANIZATION_OWNER, User.WORKSPACE_MANAGER],
+            "can_use_project_stage": [User.ORGANIZATION_OWNER, User.WORKSPACE_MANAGER],
+            "can_view_supercheck_settings": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_supercheck_settings": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_user_profile_details_of_other_users": [
+                "org_owner",
+                "workspace_manager",
+            ],
+            "can_access_user_profile_details_of_other_users": [
+                "org_owner",
+                "workspace_manager",
+            ],
+        },
+        "DATASET_PERMISSIONS": {
+            "can_view_basic_dataset_settings": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_basic_dataset_settings": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_download_dataset": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_download_dataset": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_upload_dataset": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_upload_dataset": [User.ORGANIZATION_OWNER, User.WORKSPACE_MANAGER],
+            "can_view_delete_data_item": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_delete_data_item": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_view_deduplicate_data_items": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+            "can_use_deduplicate_data_items": [
+                User.ORGANIZATION_OWNER,
+                User.WORKSPACE_MANAGER,
+            ],
+        },
+    }
 
 
 class Organization(models.Model):
@@ -47,6 +199,13 @@ class Organization(models.Model):
 
     created_at = models.DateTimeField(verbose_name="created_at", auto_now_add=True)
     updated_at = models.DateTimeField(verbose_name="updated_at", auto_now=True)
+    permission_json = models.JSONField(
+        verbose_name="permission json",
+        null=True,
+        blank=True,
+        default=default_permissions,
+        help_text=("Permissions for user role"),
+    )
 
     def __str__(self):
         return self.title + ", id=" + str(self.pk)