Added has_field_filter_access() and filter_auth for schema to reduce …

…list filtering
Amsterdam · Jul 23, 2024 · 956c7d5 · 956c7d5
1 parent 7c745f4
commit 956c7d5
Show file tree

Hide file tree

Showing 2 changed files with 34 additions and 0 deletions.
diff --git a/src/schematools/permissions/auth.py b/src/schematools/permissions/auth.py
@@ -117,6 +117,30 @@ def has_field_access(self, field: DatasetFieldSchema) -> Permission:
         # Otherwise, the field + table rules are checked from the profile.
         return self._has_field_auth_access(field) or self._has_field_profile_access(field)
 
+    def has_field_filter_access(self, field: DatasetFieldSchema) -> Permission:
+        """Tell whether a field may be used in searching.
+
+        Some fields do not allow filtering the data for privacy reasons.
+        An example is filtering all buildings by owner (hence knowing their portfolio),
+        while the user is still allowed to see the owner of each individual building.
+
+        This also checks whether the field has read access (:meth:`has_field_access`).
+        """
+        # There is no profile option yet for profile checking here.
+        # Tell whether the 'filterAuth' gives extra permission to filter.
+        # As this logic is an extension of the existing read-access check,
+        # there is no dataset/table-level variant of the 'filterAuth'.
+        if self.has_any_scope(field.filter_auth) and (field_auth := self.has_field_access(field)):
+            # The if-statement checks filterAuth first. When it's defined, it likely denies access.
+            # That way the other more complex checks are not needed.
+            return (
+                Permission(PermissionLevel.highest, source="field.filter_auth")
+                if field.filter_auth
+                else field_auth  # Return original permission if there is no filterAuth
+            )
+        else:
+            return Permission.none
+
     def _has_dataset_auth_access(self, dataset: DatasetSchema) -> Permission:
         """Tell whether the 'auth' rules give access to the dataset."""
         if self.has_any_scope(dataset.auth):

diff --git a/src/schematools/types.py b/src/schematools/types.py
@@ -1780,6 +1780,16 @@ def auth(self) -> frozenset[str]:
             return self.parent_field.auth
         return _normalize_scopes(self.get("auth"))
 
+    @cached_property
+    def filter_auth(self) -> frozenset[str]:
+        """Auth of the field, or OPENBAAR.
+        This setting allows denying access to query/search on fields,
+        e.g. to block searching all buildings from a certain owner.
+        """
+        if self.is_subfield:
+            return self.parent_field.filter_auth
+        return _normalize_scopes(self.get("filterAuth"))
+
     @cached_property
     def is_composite_key(self):
         """Tell whether the relation uses a composite key"""