Ready: Row and field level security for users

.github/ISSUE_TEMPLATE/update-table.md

@@ -1,6 +1,6 @@
 ---
 name: Update Table
-about: Describe this issue template's purpose here.
+about: Describe the purpose of the issue template here
 title: 'Update Table: [TABLE NAME]'
 labels: 'feature: update table, good first issue, milestone: missing, role: back end,
   size: 0.25pt, stakeholder: missing'

.pre-commit-config.yaml

@@ -32,7 +32,7 @@ repos:
       - id: fix-byte-order-marker
       - id: name-tests-test
         args: [--pytest-test-first]
-
+        exclude: ^app/core/tests/utils/
       # general quality checks
       - id: mixed-line-ending
       - id: trailing-whitespace

app/constants.py

@@ -1,5 +1,5 @@
-global_admin = "globalAdmin"
+admin_global = "adminGlobal"
 admin_project = "adminProject"
 practice_lead_project = "practiceLeadProject"
 member_project = "memberProject"
-self_value = "self"
+field_permissions_csv_file = "core/api/field_permissions.csv"

app/core/api/field_permissions.csv

@@ -0,0 +1,54 @@
+table_name,field_name,get,patch,post
+User,username,memberProject,,adminGlobal
+User,is_active,,,
+User,is_staff,,,
+User,first_name,memberProject,adminBrigade,adminGlobal
+User,last_name,memberProject,adminBrigade,adminGlobal
+User,gmail,practiceLeadProject,adminBrigade,adminGlobal
+User,preferred_email,practiceLeadProject,adminBrigade,adminGlobal
+User,created_at,adminProject,,,
+User,user_status_id,adminBrigade,adminBrigade,adminGlobal
+User,current_job_title,adminBrigade,adminBrigade,adminGlobal
+User,target_job_title,adminBrigade,adminBrigade,adminGlobal
+User,current_skills,adminBrigade,adminBrigade,adminGlobal
+User,target_skills,adminBrigade,adminBrigade,adminGlobal
+User,linkedin_account,memberProject,adminBrigade,adminGlobal
+User,github_handle,memberProject,adminBrigade,adminGlobal
+User,phone,practiceLeadProject,adminBrigade,adminGlobal
+User,texting_ok,practiceLeadProject,adminBrigade,adminGlobal
+User,slack_id,memberProject,adminBrigade,adminGlobal
+User,time_zone,memberProject,adminBrigade,adminGlobal
+User,last_updated,adminBrigade,,adminGlobal
+User,password,,adminBrigade,adminGlobal,,,,
+UserPermission,field1,memberProject,adminProject,adminProject
+
+John Smith adminGlobal
+
+Wanda adminProject website-project
+Wally memberProject website-project
+Paul memberProjbect peopledepot-project
+
+If Wanda tries to read Wally, the highest privilege is adminProject for Wanda, gmail should be includded
+If Wanda tries to read Paul, there is no project in common, the highest privilege is None
+
+UserPermissions
+user
+
+blackBox(logged in user, self.user, "UserPermission")
+
+
+blackBox(logged in user, target user, table)
+
+UserOpportunities
+user
+blackBox(logged in user, self.user, "UserPermission")
+
+
+User =< UserEvent =< UserAttendance
+
+UserEvent
+user
+
+UserAttendance
+user userEvent.user
+userEvent

app/core/api/permission_validation.py

@@ -0,0 +1,145 @@
+import csv
+from pathlib import Path
+from typing import Any
+
+from rest_framework.exceptions import PermissionDenied
+
+from constants import admin_global  # Assuming you have this constant
+from constants import field_permissions_csv_file
+from core.models import PermissionType
+from core.models import UserPermission
+
+
+class PermissionValidation:
+    @staticmethod
+    def is_admin(user) -> bool:
+        """Check if a user has admin permissions."""
+        permission_type = PermissionType.objects.filter(name=admin_global).first()
+        # return True
+        return UserPermission.objects.filter(
+            permission_type=permission_type, user=user
+        ).exists()
+
+    @staticmethod
+    def get_rank_dict() -> dict[str, int]:
+        """Return a dictionary mapping permission names to their ranks."""
+        permissions = PermissionType.objects.values("name", "rank")
+        return {perm["name"]: perm["rank"] for perm in permissions}
+
+    @staticmethod
+    def get_csv_field_permissions() -> dict[str, dict[str, list[dict[str, Any]]]]:
+        """Read the field permissions from a CSV file."""
+        file_path = Path(field_permissions_csv_file)
+        with file_path.open() as file:
+            reader = csv.DictReader(file)
+            return list(reader)
+
+    @classmethod
+    def get_fields(
+        cls, operation: str, permission_type: str, table_name: str
+    ) -> list[str]:
+        """Return the valid fields for the given permission type."""
+
+        valid_fields = []
+        if permission_type == "":
+            return valid_fields
+        for field in cls.get_csv_field_permissions():
+            if cls.is_field_valid(
+                operation=operation,
+                permission_type=permission_type,
+                table_name=table_name,
+                field=field,
+            ):
+                valid_fields += [field["field_name"]]
+        return valid_fields
+
+    @classmethod
+    def get_fields_for_post_request(cls, request, table_name):
+        requesting_user = request.user
+        if not cls.is_admin(requesting_user):
+            raise PermissionDenied("You do not have privilges to create.")
+        fields = cls.get_fields(
+            operation="post",
+            table_name=table_name,
+            permission_type=admin_global,
+        )
+        return fields
+
+    @classmethod
+    def get_fields_for_patch_request(cls, request, table_name, response_related_user):
+        requesting_user = request.user
+        requesting_user = request.user
+        most_privileged_perm_type = cls.get_most_privileged_perm_type(
+            requesting_user, response_related_user
+        )
+        fields = cls.get_fields(
+            operation="patch",
+            table_name=table_name,
+            permission_type=most_privileged_perm_type,
+        )
+        return fields
+
+    @classmethod
+    def get_fields_for_response(cls, request, table_name, response_related_user):
+        requesting_user = request.user
+        most_privileged_perm_type = cls.get_most_privileged_perm_type(
+            requesting_user, response_related_user
+        )
+        fields = cls.get_fields(
+            operation="get",
+            table_name=table_name,
+            permission_type=most_privileged_perm_type,
+        )
+        return fields
+
+    @classmethod
+    def get_most_privileged_perm_type(
+        cls, requesting_user, response_related_user
+    ) -> str:
+        """Return the most privileged permission type between users."""
+        if cls.is_admin(requesting_user):
+            return admin_global
+
+        target_projects = UserPermission.objects.filter(
+            user=response_related_user
+        ).values_list("project__name", flat=True)
+        target_projects = UserPermission.objects.filter(
+            user=response_related_user
+        ).values_list("project__name", flat=True)
+
+        permissions = UserPermission.objects.filter(
+            user=requesting_user, project__name__in=target_projects
+        ).values("permission_type__name", "permission_type__rank")
+
+        if not permissions:
+            return ""
+
+        min_permission = min(permissions, key=lambda p: p["permission_type__rank"])
+        return min_permission["permission_type__name"]
+
+    @classmethod
+    def get_response_fields(cls, request, table_name, response_related_user) -> None:
+        """Ensure the requesting user can patch the provided fields."""
+        requesting_user = request.user
+        most_privileged_perm_type = cls.get_most_privileged_perm_type(
+            requesting_user, response_related_user
+        )
+        fields = cls.get_fields(
+            operation="get",
+            table_name=table_name,
+            permission_type=most_privileged_perm_type,
+        )
+        return fields
+
+    @classmethod
+    def is_field_valid(
+        cls, operation: str, permission_type: str, table_name: str, field: dict
+    ):
+        operation_permission_type = field[operation]
+        if operation_permission_type == "" or field["table_name"] != table_name:
+            return False
+        rank_dict = cls.get_rank_dict()
+        source_rank = rank_dict[permission_type]
+        source_rank = rank_dict[permission_type]
+        rank_match = source_rank <= rank_dict[operation_permission_type]
+        return rank_match

app/core/api/permissions.py

@@ -1,9 +1,25 @@
 from rest_framework.permissions import BasePermission
 
+from core.api.user_related_request import UserRelatedRequest
+
 
 class DenyAny(BasePermission):
-    def has_permission(self, request, view):
+    def has_permission(self, __request__, __view__):
         return False
 
-    def has_object_permission(self, request, view, obj):
+    def has_object_permission(self, __request__, __view__, __obj__):
         return False
+
+
+class GenericPermission(BasePermission):
+    def has_permission(self, request, view):
+        if request.method == "POST":
+            UserRelatedRequest.validate_post_fields(request=request, view=view)
+        return True  # Default to allow the request
+
+    def has_object_permission(self, request, view, obj):
+        if request.method == "PATCH":
+            UserRelatedRequest.validate_patch_fields(
+                view=view, obj=obj, request=request
+            )
+        return True

app/core/api/serializers.py

@@ -1,6 +1,7 @@
 from rest_framework import serializers
 from timezone_field.rest_framework import TimeZoneSerializerField
 
+from core.api.user_related_request import UserRelatedRequest
 from core.models import Affiliate
 from core.models import Affiliation
 from core.models import CheckType
@@ -68,13 +69,60 @@ class UserSerializer(serializers.ModelSerializer):
 
     time_zone = TimeZoneSerializerField(use_pytz=False)
 
+    def to_representation(self, instance):
+        representation = super().to_representation(instance)
+        return UserRelatedRequest.get_serializer_representation(
+            self, instance, representation
+        )
+
+    class Meta:
+        model = User
+        fields = (
+            "uuid",
+            "username",
+            "created_at",
+            "updated_at",
+            "is_superuser",
+            "is_active",
+            "is_staff",
+            "email",
+            "first_name",
+            "last_name",
+            "gmail",
+            "preferred_email",
+            "current_job_title",
+            "target_job_title",
+            "current_skills",
+            "target_skills",
+            "linkedin_account",
+            "github_handle",
+            "slack_id",
+            "phone",
+            "texting_ok",
+            "time_zone",
+        )
+        read_only_fields = (
+            "uuid",
+            "created_at",
+            "updated_at",
+            "username",
+            "email",
+        )
+
+
+class UserProfileSerializer(serializers.ModelSerializer):
+    time_zone = TimeZoneSerializerField(use_pytz=False)
+
     class Meta:
         model = User
         fields = (
             "uuid",
             "username",
             "created_at",
             "updated_at",
+            "is_superuser",
+            "is_active",
+            "is_staff",
             "email",
             "first_name",
             "last_name",