Add access_uploader_capability and implement its usage (#705)

Author: Repumba

docs/user-guide/9-Sharing-objects.rst

@@ -173,7 +173,12 @@ Each capability has its own name and scope:
 * 
   **sharing_with_all - Can share objects with all groups in system**
 
-  Implies the access to the list of all group names, but without access to the membership information and management features. Allows to share object with arbitrary group in MWDB.
+  Implies the access to the list of all group names, but without access to the membership information and management features. Allows to share object with arbitrary group in MWDB. It also allows the user to view full history of sharing an object (if the user has access to the object).
+
+*
+  **access_uploader_info - Can view who uploaded object and filter by uploader**
+
+  Can view who uploaded object and filter by uploader. Without this capability users can filter by / see only users in their workspaces.
 
 * 
   **adding_tags - Can add tags**

mwdb/core/capabilities.py

@@ -7,6 +7,8 @@ class Capabilities(object):
     access_all_objects = "access_all_objects"
     # Can share objects with all groups, have access to complete list of groups
     sharing_with_all = "sharing_with_all"
+    # Can view who uploaded object and filter by uploader
+    access_uploader_info = "access_uploader_info"
     # Can add tags
     adding_tags = "adding_tags"
     # Can remove tags

mwdb/core/search/fields.py

@@ -388,6 +388,17 @@ def _get_condition(
                 .join(Member.group)
                 .filter(Group.name == value)
             ).all()
+        elif g.auth_user.has_rights(Capabilities.access_uploader_info):
+            uploaders = (
+                db.session.query(User)
+                .join(User.memberships)
+                .join(Member.group)
+                .filter(Group.name == value)
+            ).all()
+            # Regular users can see only uploads to its own groups
+            condition = and_(
+                condition, g.auth_user.is_member(ObjectPermission.group_id)
+            )
         else:
             uploaders = (
                 db.session.query(User)

mwdb/model/migrations/versions/25ea40a798ac_add_access_uploader_info_capability.py

@@ -0,0 +1,34 @@
+"""Add access uploader info capability
+
+Revision ID: 25ea40a798ac
+Revises: c7c72fd7fac5
+Create Date: 2022-11-03 09:56:45.546628
+
+"""
+import sqlalchemy as sa
+from alembic import op
+
+# revision identifiers, used by Alembic.
+revision = "25ea40a798ac"
+down_revision = "c7c72fd7fac5"
+branch_labels = None
+depends_on = None
+
+
+def upgrade():
+    op.execute(
+        """
+            UPDATE public.group
+            SET capabilities = array_append(capabilities, 'access_uploader_info')
+            WHERE name='public' OR array_position(capabilities, 'manage_users') IS NOT NULL;
+        """
+    )
+
+
+def downgrade():
+    op.execute(
+        """
+            UPDATE public.group
+            SET capabilities = array_remove(capabilities, 'access_uploader_info');
+        """
+    )

mwdb/model/object.py

@@ -907,7 +907,7 @@ def get_shares(self):
         shares = (
             db.session.query(ObjectPermission)
             .filter(permission_filter)
-            .order_by(ObjectPermission.access_time.desc())
+            .order_by(ObjectPermission.access_time.asc())
         ).all()
         return shares
 

mwdb/resources/share.py

@@ -1,10 +1,10 @@
 from flask import g, request
 from flask_restful import Resource
-from werkzeug.exceptions import NotFound
+from werkzeug.exceptions import Forbidden, NotFound
 
 from mwdb.core.capabilities import Capabilities
 from mwdb.core.rate_limit import rate_limited_resource
-from mwdb.model import Group, User, db
+from mwdb.model import Group, Member, User, db
 from mwdb.model.object import AccessType
 from mwdb.schema.share import (
     ShareGroupListResponseSchema,
@@ -118,14 +118,39 @@ def get(self, type, identifier):
         )
 
         group_names = [group[0] for group in groups.all()]
+        # User cannot share object with themself
+        if g.auth_user.login in group_names:
+            group_names.remove(g.auth_user.login)
 
         db_object = access_object(type, identifier)
         if db_object is None:
             raise NotFound("Object not found")
 
         shares = db_object.get_shares()
-        schema = ShareInfoResponseSchema()
-        return schema.dump({"groups": group_names, "shares": shares})
+
+        if g.auth_user.has_rights(Capabilities.access_uploader_info):
+            schema = ShareInfoResponseSchema()
+            return schema.dump({"groups": group_names, "shares": shares})
+        else:
+            # list of user_ids who are in a common workspace with auth_user
+            users = (
+                db.session.query(User)
+                .join(User.memberships)
+                .join(Member.group)
+                .filter(g.auth_user.is_member(Group.id))
+                .filter(Group.workspace.is_(True))
+            ).all()
+            visible_users = [u.login for u in users]
+
+            schema = ShareInfoResponseSchema()
+            response = schema.dump({"groups": group_names, "shares": shares})
+
+            for share in response["shares"]:
+                if "related_user_login" in share.keys():
+                    if share["related_user_login"] not in visible_users:
+                        share["related_user_login"] = "$hidden"
+
+            return response
 
     @requires_authorization
     def put(self, type, identifier):
@@ -166,6 +191,9 @@ def put(self, type, identifier):
                     schema: ShareListResponseSchema
             400:
                 description: When request body is invalid.
+            403:
+                description: |
+                    When user tries to share object with themself.
             404:
                 description: |
                     When object or group doesn't exist
@@ -190,6 +218,9 @@ def put(self, type, identifier):
         if group is None or group.pending_group:
             raise NotFound(f"Group {group_name} doesn't exist")
 
+        if group.name == g.auth_user.login:
+            raise Forbidden("You cannot share object with yourself")
+
         db_object.give_access(group.id, AccessType.SHARED, db_object, g.auth_user)
 
         shares = db_object.get_shares()

mwdb/web/src/commons/auth/capabilities.js

@@ -5,6 +5,7 @@ export const Capability = {
     shareQueriedObjects: "share_queried_objects",
     accessAllObjects: "access_all_objects",
     sharingWithAll: "sharing_with_all",
+    accessUploaderInfo: "access_uploader_info",
     addingTags: "adding_tags",
     removingTags: "removing_tags",
     addingComments: "adding_comments",
@@ -33,6 +34,8 @@ export let capabilitiesList = {
     [Capability.accessAllObjects]:
         "Has access to all new uploaded objects into system",
     [Capability.sharingWithAll]: "Can share objects with all groups in system",
+    [Capability.accessUploaderInfo]:
+        "Can view who uploaded object and filter by uploader",
     [Capability.addingTags]: "Can add tags",
     [Capability.removingTags]: "Can remove tags",
     [Capability.addingComments]: "Can add comments",

mwdb/web/src/components/ShowObject/Views/SharesBox.js

@@ -62,7 +62,18 @@ function ShareGroupItem({ reason, shares }) {
             <thead>
                 <tr>
                     <th colSpan="2">
-                        <ShareReasonString {...reason} />
+                        {(() => {
+                            if (reason.relatedUserLogin !== "$hidden") {
+                                return <ShareReasonString {...reason} />;
+                            } else {
+                                return (
+                                    <span class="text-muted">
+                                        You do not have permission to see the
+                                        uploader.
+                                    </span>
+                                );
+                            }
+                        })()}
                     </th>
                 </tr>
             </thead>

tests/backend/test_multigroup_groups.py

@@ -148,7 +148,6 @@ def test_multigroup_sharing(admin_session):
     assert set(shares["groups"]) == {
         "public",
         "registered",
-        Alice.identity,
         Workgroup.identity,
     }
     assert set(gr["group_name"] for gr in shares["shares"]) == {
@@ -157,7 +156,7 @@ def test_multigroup_sharing(admin_session):
     }
 
     shares = Bob.session.get_shares(File.dhash)
-    assert set(shares["groups"]) == {"public", "registered", Bob.identity}
+    assert set(shares["groups"]) == {"public", "registered"}
     assert set(gr["group_name"] for gr in shares["shares"]) == {Bob.identity}
 
     shares = Joe.session.get_shares(File.dhash)
@@ -166,7 +165,6 @@ def test_multigroup_sharing(admin_session):
         "registered",
         Alice.identity,
         Bob.identity,
-        Joe.identity,
         Workgroup.identity,
     }
     assert set(shares["groups"]).intersection(groups) == groups

tests/backend/test_search.py

@@ -604,6 +604,9 @@ def test_uploader_query(admin_session):
 
     Alice = testCase.new_user("Alice")
     Bob = testCase.new_user("Bob")
+    Charlie = testCase.new_user("Charlie", capabilities=["access_uploader_info"])
+    # David does not have capability and not in workgroup
+    David = testCase.new_user("David")
 
     Workgroup = testCase.new_group("Workgroup")
 
@@ -642,6 +645,15 @@ def test_uploader_query(admin_session):
         Bob.session.search(f"uploader:{Alice.identity}")
     ]
     assert sorted(results) == sorted([FileC.dhash])
+    # Charlie looks for files uploaded by Alice
+    results = [
+        result["id"] for result in
+        Charlie.session.search(f"uploader:{Alice.identity}")
+    ]
+    assert sorted(results) == sorted([FileC.dhash])
+    # David looks for files uploaded by Alice
+    with ShouldRaise(status_code=400):
+        results = David.session.search(f"uploader:{Alice.identity}")
 
 
 def test_search_multi(admin_session):