Fix permissions error (#974)

* fix error in translating old permissions to new this would have allowed read access permissions to upsert samples * fix other permission inconsistencies
populationgenomics · Oct 9, 2024 · d433e62 · d433e62
1 parent f2de605
commit d433e62
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 6 deletions.
diff --git a/api/routes/cohort.py b/api/routes/cohort.py
@@ -3,7 +3,12 @@
 from api.utils.db import Connection, get_project_db_connection
 from db.python.layers.cohort import CohortLayer
 from models.models.cohort import CohortBody, CohortCriteria, CohortTemplate, NewCohort
-from models.models.project import ProjectId, ProjectMemberRole, ReadAccessRoles
+from models.models.project import (
+    FullWriteAccessRoles,
+    ProjectId,
+    ProjectMemberRole,
+    ReadAccessRoles,
+)
 from models.utils.cohort_template_id_format import (
     cohort_template_id_format,
     cohort_template_id_transform_to_raw,
@@ -85,7 +90,7 @@ async def create_cohort_template(
     if template.criteria.projects:
         projects_for_criteria = connection.get_and_check_access_to_projects_for_names(
             project_names=template.criteria.projects,
-            allowed_roles=ReadAccessRoles,
+            allowed_roles=FullWriteAccessRoles,
         )
         criteria_project_ids = [p.id for p in projects_for_criteria if p.id]
 

diff --git a/db/python/layers/family.py b/db/python/layers/family.py
@@ -16,7 +16,7 @@
 from models.models import PRIMARY_EXTERNAL_ORG
 from models.models.family import FamilyInternal, PedRow, PedRowInternal
 from models.models.participant import ParticipantUpsertInternal
-from models.models.project import ProjectId, ReadAccessRoles
+from models.models.project import FullWriteAccessRoles, ProjectId, ReadAccessRoles
 
 
 class FamilyLayer(BaseLayer):
@@ -138,7 +138,7 @@ async def update_family(
         project_ids = await self.ftable.get_projects_by_family_ids([id_])
 
         self.connection.check_access_to_projects_for_ids(
-            project_ids, allowed_roles=ReadAccessRoles
+            project_ids, allowed_roles=FullWriteAccessRoles
         )
 
         return await self.ftable.update_family(

diff --git a/db/python/layers/sample.py b/db/python/layers/sample.py
@@ -287,7 +287,7 @@ async def upsert_samples(
         if sids:
             pjcts = await self.st.get_project_ids_for_sample_ids(sids)
             self.connection.check_access_to_projects_for_ids(
-                pjcts, allowed_roles=ReadAccessRoles
+                pjcts, allowed_roles=FullWriteAccessRoles
             )
 
         async with with_function():
@@ -438,7 +438,7 @@ async def get_history_of_sample(self, id_: int) -> list[SampleInternal]:
 
         projects = set(r.project for r in rows)
         self.connection.check_access_to_projects_for_ids(
-            projects, allowed_roles=FullWriteAccessRoles
+            projects, allowed_roles=ReadAccessRoles
         )
 
         return rows