(models/api) add RBAC on templates linking accesses to a team name

We want to be able to control who can access a template via roles.
I added this feature on the TeamAccess model assuming that the teams
to which a user belongs can be retrieved via a `get_teams` method on
the user model. The idea is that this method will get the teams either
via a call to an external API or directly from the OIDC token upon
user login. This list of teams will probably have to be cached for
each user.
This commit is contained in:
Samuel Paccoud - DINUM
2024-03-03 08:49:27 +01:00
committed by Samuel Paccoud
parent a23118bee4
commit f581eb8abd
15 changed files with 922 additions and 223 deletions


@@ -1,4 +1,5 @@
"""Client serializers for the publish core app."""
from django.db.models import Q
from django.utils.translation import gettext_lazy as _
from rest_framework import exceptions, serializers
@@ -31,7 +32,7 @@ class TemplateAccessSerializer(serializers.ModelSerializer):
class Meta:
model = models.TemplateAccess
fields = ["id", "user", "role", "abilities"]
fields = ["id", "user", "team", "role", "abilities"]
read_only_fields = ["id", "abilities"]
def update(self, instance, validated_data):
@@ -68,6 +69,7 @@ class TemplateAccessSerializer(serializers.ModelSerializer):
# Create
else:
teams = user.get_teams()
try:
template_id = self.context["template_id"]
except KeyError as exc:
@@ -76,8 +78,8 @@ class TemplateAccessSerializer(serializers.ModelSerializer):
) from exc
if not models.TemplateAccess.objects.filter(
Q(user=user) | Q(team__in=teams),
template=template_id,
user=user,
role__in=[models.RoleChoices.OWNER, models.RoleChoices.ADMIN],
).exists():
raise exceptions.PermissionDenied(
@@ -87,8 +89,8 @@ class TemplateAccessSerializer(serializers.ModelSerializer):
if (
role == models.RoleChoices.OWNER
and not models.TemplateAccess.objects.filter(
Q(user=user) | Q(team__in=teams),
template=template_id,
user=user,
role=models.RoleChoices.OWNER,
).exists()
):