Add raise_exception arg to @group_required #10658

[jacobtylerwalls]

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Description of Change

Allows raising a 403 Forbidden for API-style requests, instead of a 302 redirect to nowhere.

More info about the use case in the linked issue.

Issues Solved

Closes #10658

Checklist

• Unit tests pass locally with my changes
• I have added tests that prove my fix is effective or that my feature works
• I have added necessary documentation (if appropriate)

Ticket Background

• Sponsored by:
• Found by: @
• Tested by: @
• Designed by: @

[jacobtylerwalls]

Noticed this wasn't testing what it I had intended (because the user wasn't even a resource editor), so I added a comment and adjusted the request so that it's an editor user and actually has some data.

[jacobtylerwalls]

I borrowed the idea from @permission_required.

[apeters]

Will the UI be able to handle the fact that we used to return a JSON object and are now returning a python exception?

[jacobtylerwalls]

Good question. I just retested. No change on the frontend because the frontend doesn't even check the response for success:

Notice no try/catch here:

arches/arches/app/media/js/views/components/workflows/workflow-component-abstract.js

Line 776 in a1c2b42

await fetch(arches.urls.workflow_history + workflowid, {

This is probably because you shouldn't be able to end up in this scenario (editing someone else's workflow) through the UI. You'd need to be trying to hack the endpoint with your own POST requests to reach this. I tested by leaving the UI open and then changing the owner of the workflow in the database.

In terms of the motivation for this change, I figured it was better to have all the permission failure cases return the same shape of a response so that we don't expose any information about what workflows exist.

[apeters]

what about here?
https://github.com/archesproject/arches/blob/dev/7.6.x/arches/app/media/js/viewmodels/workflow.js#L371-L394

[jacobtylerwalls]

Retested this one also. Same. Both 7.6 and this PR show the same in the UI:

The fact that the response changes from:

dev/7.6.x

{
    "message": "Permission Denied",
    "status": "false",
    "success": false,
    "title": "Request Failed"
}

to

<!doctype html>
<html lang="en">
<head>
  <title>403 Forbidden</title>
</head>
<body>
  <h1>403 Forbidden</h1><p></p>
</body>
</html>

doesn't seem to matter.

[jacobtylerwalls]

All we're using is the statusText which remains the same.

[apeters]

can we add the line at the top of the workflow_tests.py file that specifies the command to run this test file individually?

[apeters]

looks good to me