Added has_field_filter_access() and filter_auth for schema to reduce …
…list filtering
vdboor committed Aug 1, 2024
1 parent 54eb65e commit f46f3f9
Showing 2 changed files with 34 additions and 0 deletions.
24 changes: 24 additions & 0 deletions src/schematools/permissions/auth.py
Expand Up @@ -117,6 +117,30 @@ def has_field_access(self, field: DatasetFieldSchema) -> Permission:
# Otherwise, the field + table rules are checked from the profile.
return self._has_field_auth_access(field) or self._has_field_profile_access(field)

def has_field_filter_access(self, field: DatasetFieldSchema) -> Permission:
"""Tell whether a field may be used in searching.
Some fields do not allow filtering the data for privacy reasons.
An example is filtering all buildings by owner (hence knowing their portfolio),
while the user is still allowed to see the owner of each individual building.
This also checks whether the field has read access (:meth:`has_field_access`).
"""
# There is no profile option yet for profile checking here.
# Tell whether the 'filterAuth' gives extra permission to filter.
# As this logic is an extension of the existing read-access check,
# there is no dataset/table-level variant of the 'filterAuth'.
if self.has_any_scope(field.filter_auth) and (field_auth := self.has_field_access(field)):
# The if-statement checks filterAuth first. When it's defined, it likely denies access.
# That way the other more complex checks are not needed.
return (
Permission(PermissionLevel.highest, source="field.filter_auth")
if field.filter_auth
else field_auth # Return original permission if there is no filterAuth
)
else:
return Permission.none

def _has_dataset_auth_access(self, dataset: DatasetSchema) -> Permission:
"""Tell whether the 'auth' rules give access to the dataset."""
if self.has_any_scope(dataset.auth):
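Review bot: In `has_field_filter_access` the returned level is `Permission(PermissionLevel.highest, source="field.filter_auth")` whenever `field.filter_auth` is truthy, which discards the level that `has_field_access` just returned in `field_auth`. If a profile can grant read access below the highest level (the `Permission` and profile code is outside this hunk), a caller holding the filterAuth scope could filter on the full value of a field they may only read in reduced form, so matching on the filter would reveal more than the read permission allows. The `filter_auth` docstring in src/schematools/types.py also says the value falls back to OPENBAAR; if `_normalize_scopes` returns a non-empty set for a missing key, the `else field_auth` branch is never taken and the upgrade applies to every field without a `filterAuth`. Replacing the conditional expression with `return field_auth` would keep the filter permission from exceeding the read permission, and a test with a field readable only through a profile would pin that behaviour.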
10 changes: 10 additions & 0 deletions src/schematools/types.py
Expand Up @@ -1780,6 +1780,16 @@ def auth(self) -> frozenset[str]:
return self.parent_field.auth
return _normalize_scopes(self.get("auth"))

@cached_property
def filter_auth(self) -> frozenset[str]:
"""Auth of the field, or OPENBAAR.
This setting allows denying access to query/search on fields,
e.g. to block searching all buildings from a certain owner.
"""
if self.is_subfield:
return self.parent_field.filter_auth
return _normalize_scopes(self.get("filterAuth"))

@cached_property
def is_composite_key(self):
"""Tell whether the relation uses a composite key"""
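Review bot: The docstring summary on `filter_auth`, "Auth of the field, or OPENBAAR", reads as carried over from `auth` and does not say that this is the scope set required to filter or search on the field. I would reword it along the lines of `"""Scopes required to filter/search on this field ('filterAuth'); subfields inherit the parent field's value."""` and state in the body what is returned when the key is absent. That default matters to callers that test the value for truthiness, and `_normalize_scopes` is outside this hunk, so the reader cannot confirm the OPENBAAR fallback from here. It is also worth documenting that a subfield cannot declare its own `filterAuth`, since the `is_subfield` branch always returns the parent's value.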
