Skip to content

Migrate user scopes to boolean attributes on users

https://redmine.teklia.com/issues/8012

To make user scopes simpler to understand and use for both admins and users, as well as simplify their implementation, we need to migrate those to boolean attributes on users:

  • User.can_upload_s3_image, equivalent to a UserScope using the Scope.UploadS3Image
  • User.can_create_iiif_image, equivalent to a UserScope using the Scope.CreateIIIFImage
  • User.can_ingest, equivalent to a UserScope using the Scope.S3Ingest
  • User.can_create_worker_version, equivalent to a UserScope using the Scope.CreateDockerWorkerVersion

Those four boolean attributes all default to False. They should be visible in the Django admin, under the Permissions fieldset, and must also be returned by the RetrieveUser API.

They should have a help_text defined: it will be shown both in the Django admin and the API, helping admins understand what exactly they are giving a user access to and API users what they can use to check their own access rights. You could use the current docstrings on the Scope enum.

A data migration should set the boolean attributes to True anytime a UserScope instance exists with the relevant scope. This can be done with a User.objects.update() and four Exists(). The reverse migration should re-create the UserScope instances based on the booleans, using a bulk_create.

After this migration, the UserScope model and the Scope enum can be deleted.

The scope check in arkindex.project.permissions.check_scopes can be split into multiple functions, require_upload_s3_image, require_create_iiif_image, etc. Each of those functions should return True when the user has the boolean attribute set, or raise a PermissionDenied error with a message explaining in plain English what permission the user needs. For example You do not have permission to upload an image to S3..

Those generic functions can be added to new permission classes like CanUploadS3Image. Those classes can be added to the existing endpoints that require permission checks, in the permission_classes attribute, on top of the existing IsVerified classes or equivalents. Multiple permission classes are combined, so those new classes only need to check for the attributes and do not need to reuse other check functions; you do not need to create a IsVerifiedAndCanUploadS3ImageOrReadOnly or something of that sort.

Those functions will replace the scopes attribute found on some views, which was used by the check_scopes function that was just removed. This should affect CreateIIIFURL, CreateIIIFInformation, CreateImage, ListBuckets and CreateS3Import.

Note that can_create_worker_version currently does not have any effect, as it was only used on CreateDockerWorkerVersion which has been removed. This will be handled in a separate issue.