diff --git a/seacatauth/authz/role/service.py b/seacatauth/authz/role/service.py
index 97c54071..c27607b7 100644
--- a/seacatauth/authz/role/service.py
+++ b/seacatauth/authz/role/service.py
@@ -121,13 +121,15 @@ async def _ensure_builtin_roles(self):
 L.log(asab.LOG_NOTICE, "System role updated.", struct_data={"role_id": role_id})
- def _prepare_views(self, tenant_id: str | None):
+ def _prepare_views(self, tenant_id: str | None, exclude_global: bool = False, exclude_propagated: bool = False):
 assert tenant_id != "*"
 views = []
 if tenant_id:
 views.append(CustomTenantRoleView(self.StorageService, self.RoleCollection, tenant_id))
- views.append(PropagatedRoleView(self.StorageService, self.RoleCollection, tenant_id))
- views.append(GlobalRoleView(self.StorageService, self.RoleCollection))
+ if not exclude_propagated:
+ views.append(PropagatedRoleView(self.StorageService, self.RoleCollection, tenant_id))
+ if not exclude_global:
+ views.append(GlobalRoleView(self.StorageService, self.RoleCollection))
 return views
@@ -146,13 +148,15 @@ async def list(
 limit: int = None,
 name_filter: str = None,
 resource_filter: str = None,
+ exclude_global: bool = False,
+ exclude_propagated: bool = False,
 ):
 if tenant_id in {"*", None}:
 tenant_id = None
 else:
 self.validate_tenant_access(tenant_id)
- views = self._prepare_views(tenant_id)
+ views = self._prepare_views(tenant_id, exclude_global, exclude_propagated)
 counts = [
 await view.count(name_filter, resource_filter)
 for view in views
diff --git a/seacatauth/tenant/service.py b/seacatauth/tenant/service.py
index 7e000e3b..e5dead0c 100644
--- a/seacatauth/tenant/service.py
+++ b/seacatauth/tenant/service.py
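Review bot: The two new boolean parameters on `_prepare_views` are positional, and the only visible caller passes them positionally as `self._prepare_views(tenant_id, exclude_global, exclude_propagated)`; swapping two same-typed flags would silently change which role views are consulted, which matters because these views decide which roles are listed and, in delete_tenant, which roles get deleted. Make them keyword-only: `def _prepare_views(self, tenant_id: str | None, *, exclude_global: bool = False, exclude_propagated: bool = False):`. Note also that `exclude_propagated` has no effect when `tenant_id` is falsy, since the propagated view is only appended under `if tenant_id:`, and the pre-existing `assert tenant_id != "*"` is stripped under `python -O`, so it is not a real guard. A short docstring stating both, e.g. `"""Build the role views for tenant_id; the exclude_* flags drop the shared propagated/global views (exclude_propagated only applies in tenant scope)."""`, would save the next reader a trip through the view classes.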
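Review bot: With `tenant_id` resolved to None (the `"*"` / global case) and `exclude_global=True`, `_prepare_views` returns no views at all, so `counts` is empty and the call silently answers with nothing instead of failing; whether that surfaces as an empty page depends on code after the hunk, which I cannot see. If that combination is not meaningful, reject it up front, e.g. `if tenant_id is None and exclude_global: raise ValueError("exclude_global requires a tenant scope")`; otherwise document the empty result in the docstring. The forwarding call would also be safer with keywords, `views = self._prepare_views(tenant_id, exclude_global=exclude_global, exclude_propagated=exclude_propagated)`, so a later reordering of the flags cannot change which roles are returned. The `list` signature starts, and its body continues, outside the hunk.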
@@ -116,7 +116,11 @@ async def delete_tenant(self, tenant_id: str):
 # Unassign and delete tenant roles
 role_svc = self.App.get_service("seacatauth.RoleService")
- tenant_roles = (await role_svc.list(tenant_id=tenant_id, exclude_global=True))["data"]
+ tenant_roles = (await role_svc.list(
+ tenant_id=tenant_id,
+ exclude_global=True,
+ exclude_propagated=True
+ ))["data"]
 for role in tenant_roles:
 role_id = role["_id"]
 try:
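Review bot: The cleanup now deletes only tenant-custom roles, but nothing here guarantees it sees all of them: `role_svc.list` takes a `limit` (default None in the role-service hunk), and whether a call without `limit` really returns every role or a default page is decided outside this view; if it pages, roles beyond the first page survive tenant deletion as orphaned authorization records still referencing the deleted tenant_id. Please confirm that `limit=None` means no paging, or pass an explicit `limit` and loop until the returned `data` is shorter than it. Since the old line passed `exclude_global=True` to a `list` that, per the other hunk, did not accept that argument, this branch presumably raised TypeError before this patch, so the deletion path deserves a test now that it actually runs. A why-comment on the call would also help: `# Only this tenant's own roles are deleted; propagated and global roles are shared across tenants and must survive.` The loop body and the `try:` continue past the end of the hunk.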