CDD-3173: add the base code for the DB permission filtering of privat…#3201
Conversation
…e APIs (using /api/charts/v3 as the first example)
…nctions/classes are
…an' into CDD-3173-BE-Update-DB-queries-to-ensure-that-user-permissions-are-used-when-requesting-data
|
| token_validator = self.get_token_validator(request) | ||
| jwt_payload = token_validator.validate(jwt_token) | ||
| except TokenError: | ||
| except TokenError as error: |
There was a problem hiding this comment.
Arguably unneccessary? It's already throwing an error and I'm worried there's a risk that some permission set info or user info could be spat out as part of the error log
There was a problem hiding this comment.
@dandammann Please can we avoid including work that is not related to the ticket in the same PR.
It makes it harder to review as reviewers have to figure out which code changes are related to the ticket, and which are achieving some other unknown goal.
If you find tech debt that need to be improved In existing code (and it's a quick fix), then these should be added to a seperate PR with a description that explains it and then it can be reviewed on it own merits.
Also in this instance, all these changes within the JWT code are going to cause a big headache of conflicts once the PR for CDD-3147 gets merged in too.
| geography=geography, | ||
| ) | ||
| else: | ||
| # THESE LEGACY RBAC PERMISSIONS ARE NOT IN USE AND TO BE REMOVED IN A FUTURE RELEASE |
There was a problem hiding this comment.
If they aren't in use in this file can we remove them as part of this work? I don't see any reason to keep them in, as you are essentially replacing what they are trying to do with the new solution :)
There was a problem hiding this comment.
I mentioned that RBAC permissions need removing (at some point), but you said that's out-of-scope, because there is a ticket for that in the backlog.
There was a problem hiding this comment.
For the areas of the code you are already touching, it's fine to replace the RBAC parts with the new permission_sets bits, rather than adding if/else statements for code we know is going to disappear soon.
The endpoints are going to be thoroughly tested by updated unit tests and by the QA team anyway, so there's no issues with doing it that way, it's just that we don't need to make more work by extending the scope of the ticket to cover removing all the other areas of the codebase that have RBAC bits, along with all the additional updated tests and additional QA time that would go along with that work. That part can be done a future ticket.
We want to focus on what's required for our MVP deliverable, and keeping that work as simple as possible.
| geography=geography, | ||
| ) | ||
| else: | ||
| # THESE LEGACY RBAC PERMISSIONS ARE NOT IN USE AND TO BE REMOVED IN A FUTURE RELEASE |
There was a problem hiding this comment.
Same reply from me too.
|
|
||
| @return {dict} example: | ||
| { | ||
| "permission_set_hierarchy": [ |
There was a problem hiding this comment.
What's the value in this over using the raw permissions?
There was a problem hiding this comment.
@dandammann I''m not sure what this is for. I was under the impression that the permission set hierarchy was already returning the permissions sets into the JWT in the most usable format for the endpoints to consume when filtering the data.
If the permission sets are not in the right format when we come to use them for filtering for pages, DB data etc, then we should be updating the format of the permission sets before they go into the JWT, so it happens just once, rather than on 100s of requests at the point it is being consumed (although there is also a tradeoff to consider here too, of avoiding making the JWT too large).
| @return {bool} | ||
| """ | ||
|
|
||
| topic_record = None |
There was a problem hiding this comment.
Can we not extend the function already created in CDD-3171? I find this hard to read (could just be me though)
There was a problem hiding this comment.
I agree, we want to make sure we're not duplicating the core permissions checking functions
There was a problem hiding this comment.
Hi @kathryn-dale and @mattjreynolds . Please look at my comments and examples in this current function and filter_permissions() and let me know, if you think your check_permissions() can achieve that.
I myself think it is too simplistic for that, because it only checks permissions for EITHER theme, sub_theme or topic, but with the charts we need to check permissions cross-cutting (taking them all into consideration).
if you do think check_permissions() is adequate, please try it out ...
There was a problem hiding this comment.
There is also that difference that with GetPages the input arguments are theme/sub_theme/topic IDS, whereas with charts they are theme/sub_theme/topic NAMES.
mattjreynolds
force-pushed
the
task/CDD-3171-update-getpages-endpoint-for-non-public-ian
branch
from
2303ee5 to
5219d16
Compare
| token_validator = self.get_token_validator(request) | ||
| jwt_payload = token_validator.validate(jwt_token) | ||
| except TokenError: | ||
| except TokenError as error: |
There was a problem hiding this comment.
@dandammann Please can we avoid including work that is not related to the ticket in the same PR.
It makes it harder to review as reviewers have to figure out which code changes are related to the ticket, and which are achieving some other unknown goal.
If you find tech debt that need to be improved In existing code (and it's a quick fix), then these should be added to a seperate PR with a description that explains it and then it can be reviewed on it own merits.
Also in this instance, all these changes within the JWT code are going to cause a big headache of conflicts once the PR for CDD-3147 gets merged in too.
|
|
||
| @return {dict} example: | ||
| { | ||
| "permission_set_hierarchy": [ |
There was a problem hiding this comment.
@dandammann I''m not sure what this is for. I was under the impression that the permission set hierarchy was already returning the permissions sets into the JWT in the most usable format for the endpoints to consume when filtering the data.
If the permission sets are not in the right format when we come to use them for filtering for pages, DB data etc, then we should be updating the format of the permission sets before they go into the JWT, so it happens just once, rather than on 100s of requests at the point it is being consumed (although there is also a tradeoff to consider here too, of avoiding making the JWT too large).
|
|
||
|
|
||
| class EncodedChartsView(APIView): | ||
| authentication_classes = [SessionAuthentication, JSONWebTokenAuthentication] |
There was a problem hiding this comment.
This should not be being set.
Authenticaion is already being handled for all views by the JWT token code, and the permission sets are being made available in the request object (request.user.permission_sets)
| has_global_access = jwt_permissions.get("has_global_access", False) | ||
|
|
||
| if has_global_access: | ||
| has_access_to_non_public_data = True |
There was a problem hiding this comment.
Could simplify this has_global_access check to just be part of the return value from check_any_permissions_allow_access
This is how it's being done in 3171, are we not able to just reuse those functions for these endpoints too? They should be doing the same job and we don't want to have 2 different function that both check permissions
| **plot_params, rbac_permissions=self.chart_request_params.rbac_permissions | ||
| **plot_params, | ||
| rbac_permissions=self.chart_request_params.rbac_permissions, # legacy permissions to be removed | ||
| jwt_permissions=extract_jwt_permissions(request=self.chart_request_params.request), # new permissions |
There was a problem hiding this comment.
as with previous comment, you should be able to just use something like:
jwt_permissions=request.user.permission_sets if request.auth else None,
| @return {bool} | ||
| """ | ||
|
|
||
| topic_record = None |
There was a problem hiding this comment.
I agree, we want to make sure we're not duplicating the core permissions checking functions
3 participants
Description
This PR includes the following:
CDD-3174: Similar to the changes that were implemented for the getPages endpoint as part of https://ukhsa.atlassian.net/browse/CDD-3171, this ticket concerns endpoints that are used for displaying data / generating charts should be updated to make use of the authorisation header. If the user provides an authorization header then the data returned from the endpoint should be customised depending on the permissions that the user has been granted.
CDD-3173: The database queries will need to be updated for non-public users so that they only return non-public data and they only return data that the user is permitted to view.
When a request is made by an authenticated user, the query to the DB should be made for only the data that the user is able to see. This will be driven from the user permission hierarchy
When a request is made by an authenticated user the returned data should only be for non-public data. it should not contain public data.
Type of change
Please select the options that are relevant.
Checklist: