def update_member_role(
organization_id: int,
user_id: int,
*,
role: str = Body(..., embed=True),
auth=Depends(authorization("organizations:edit_member")),
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
roles_order = [
"admin", "owner", "manager", "contributor", "reader", "guest"
]
if role not in roles_order:
raise HTTPException(status_code=400,
detail=f"This role : {role} does not exist")
user_in_db = user.get(db, id=user_id)
if not user_in_db:
raise HTTPException(status_code=404, detail="User not found")
# Convert to sqlalchemy obj to UserOut schema for hidding password
user_in_db = UserOut(**user_in_db.as_dict())
current_user_roles = enforcer.get_roles_for_user_in_domain(
str(current_user.id), str(organization_id))
if len(current_user_roles) > 0:
current_user_role = current_user_roles[0]
if roles_order.index(current_user_role) >= roles_order.index(role):
raise HTTPException(status_code=403,
detail="You can only set roles below yours")
user_roles = enforcer.get_roles_for_user_in_domain(str(user_id),
str(organization_id))
# Role exist for this user (it's a patch)
if len(user_roles) > 0:
user_role = user_roles[0]
if roles_order.index(current_user_role) >= roles_order.index(
user_role):
raise HTTPException(status_code=403,
detail="You can't edit a role above yours")
enforcer.delete_roles_for_user_in_domain(str(user_id), user_role,
str(organization_id))
enforcer.add_role_for_user_in_domain(str(user_id), role,
str(organization_id))
# need ro reload handle new policy
enforcer.load_policy()
return dict(user_in_db, role=role)
def remove_team(
organization_id: int,
team_id: int,
*,
auth=Depends(authorization("organizations:delete_team")),
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
"""
delete one team and its members by id
"""
organization_in_db = organization.get(db, id=team_id)
if not organization_in_db:
raise HTTPException(status_code=404, detail="Team not found")
try:
members_in_db = crud.organization.get_members(db, id=team_id)
for member in members_in_db:
current_roles = enforcer.get_roles_for_user_in_domain(
str(member["id"]), str(team_id))
for current_role in current_roles:
enforcer.delete_roles_for_user_in_domain(
str(member["id"]), current_role, str(team_id))
except Exception as e:
logging.error(e)
return False
organization.remove(db, id=team_id)
return True
def delete_teams(
organization_id: int,
*,
auth=Depends(authorization("organizations:delete_team")),
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
team_ids_in: List[int],
):
"""
bulk delete teams and their members
"""
teams_out = []
for team_id in team_ids_in:
organization_in_db = organization.get(db, id=team_id)
if not organization_in_db:
raise HTTPException(status_code=404, detail="Team not found")
try:
members_in_db = crud.organization.get_members(db, id=team_id)
for member in members_in_db:
current_roles = enforcer.get_roles_for_user_in_domain(
str(member["id"]), str(team_id))
for current_role in current_roles:
enforcer.delete_roles_for_user_in_domain(
str(member["id"]), current_role, str(team_id))
except Exception as e:
logging.error(e)
organization.remove(db, id=team_id)
teams_out.append(dict(organization_in_db.as_dict()))
return teams_out
def get_one(
organization_id: Union[str, int],
*,
auth=Depends(permissive_authorization("organizations:get_one")),
current_user: User = Depends(get_optional_current_active_user),
db: Session = Depends(get_db)
) -> Optional[Organization]:
"""
get one organization by id
"""
organization_in_db = crud.organization.get_by_id_or_slug(
db, id=organization_id)
if not organization_in_db:
raise HTTPException(status_code=404, detail="Organization not found")
organization = organization_in_db.to_schema()
if current_user:
current_roles = enforcer.get_roles_for_user_in_domain(
str(current_user.id), str(organization_in_db.id))
if len(current_roles) > 0:
organization.current_user_role = current_roles[0]
if current_user.is_superuser:
organization.current_user_role = 'admin'
return organization
def get_organization_root_nodes(
*,
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
) -> Optional[List[Organization]]:
"""
**Admin only**; Get all organizations trees root nodes;
"""
if not current_user.is_superuser:
raise HTTPException(
status_code=403,
detail="You are not authorized to perform this action.")
root_nodes_in_db = crud.organization.get_root_nodes(db)
root_nodes = []
for org_in_db in root_nodes_in_db:
current_roles = enforcer.get_roles_for_user_in_domain(
str(current_user.id), str(org_in_db.id))
org = org_in_db.to_schema()
if len(current_roles) > 0:
org.current_user_role = current_roles[0]
root_nodes.append(org)
else:
root_nodes.append(org)
return root_nodes
def create_organization_root_node(
*,
db: Session = Depends(get_db),
organization_in: OrganizationCreateRoot,
current_user: User = Depends(get_current_user),
) -> Optional[Organization]:
"""
Create a new **root node for organizations tree**;
If `owner_email` is present organization tree ownership will be affected to *existing or newly created user*,
else organizations tree ownership will be affected to *superuser*.
"""
if not current_user.is_superuser:
raise HTTPException(
status_code=403,
detail="You are not authorized to perform this action.")
new_organization_root_node = organization.create_root(
db, obj_in=organization_in).to_schema()
if organization_in.owner_email:
user_in_db = user.get_by_email(db, email=organization_in.owner_email)
if not user_in_db:
user_in_db = user.create(
db,
obj_in=UserCreate(
full_name=organization_in.owner_email.split("@")[0],
email=organization_in.owner_email,
password=pwd.genword(),
),
)
if new_organization_root_node:
send_new_invitation_email_task.delay(
full_name=user_in_db.full_name,
email_to=user_in_db.email,
organization=new_organization_root_node.name,
role="owner")
enforcer.add_role_for_user_in_domain(
str(user_in_db.id), "owner",
str(new_organization_root_node.id))
enforcer.load_policy()
else:
enforcer.add_role_for_user_in_domain(
str(current_user.id), "owner", str(new_organization_root_node.id))
enforcer.load_policy()
current_roles = enforcer.get_roles_for_user_in_domain(
str(current_user.id), str(new_organization_root_node.id))
if len(current_roles) > 0:
new_organization_root_node.current_user_role = current_roles[0]
if current_user.is_superuser:
new_organization_root_node.current_user_role = 'admin'
# new_organization_root_node.current_user_role = current_roles[0]
return new_organization_root_node
def remove_member(
organization_id: int,
user_id: int,
*,
auth=Depends(authorization("organizations:remove_member")),
db: Session = Depends(get_db),
current_user: User = Depends(get_current_user),
):
user_in_db = user.get(db, id=user_id)
if not user_in_db:
raise HTTPException(status_code=404, detail="User not found")
current_roles = enforcer.get_roles_for_user_in_domain(
str(user_id), str(organization_id))
for current_role in current_roles:
enforcer.delete_roles_for_user_in_domain(str(user_id), current_role,
str(organization_id))
return True
def init_db(db: Session) -> None:
# Tables should be created with Alembic migrations
# But if you don't want to use migrations, create
# the tables un-commenting the next line
# Base.metadata.create_all(bind=engine)
# insert_organizations(db=db)
organization_in_db = organization.get_by_name(db,
name=settings.ORGANIZATION)
if not organization_in_db:
organization_in = OrganizationCreate(name=settings.ORGANIZATION,
slug=slug.slug(
settings.ORGANIZATION),
mode="private")
organization_in_db = organization.create(db, obj_in=organization_in)
user_in_db = user.get_by_email(db, email=settings.FIRST_SUPERUSER)
if not user_in_db:
user_in = UserCreate(
full_name=settings.FIRST_SUPERUSER_FULLNAME,
email=settings.FIRST_SUPERUSER,
password=settings.FIRST_SUPERUSER_PASSWORD,
)
user_in_db = user.create(db, obj_in=user_in) # noqa: F841
user_in_db.is_superuser = True
user_in_db.is_verified = True
db.add(user_in_db)
db.commit()
db.refresh(user_in_db)
if len(enforcer.get_roles_for_user_in_domain("1", "1")) == 0:
enforcer.add_role_for_user_in_domain("1", "admin", "1")
