Create SingleGroupResourceAccessControl

RafaelLyra8 · RafaelLyra8 · commit 41ef2adbab3c · 2025-09-04T10:13:45.000-03:00
This resource access control returns the first user group
setted to the current user on the APIAccess policy
diff --git a/bluesky_httpserver/authorization/resource_access.py b/bluesky_httpserver/authorization/resource_access.py
@@ -61,7 +61,7 @@ def __init__(self, *, default_group=None):
         default_group = default_group or _DEFAULT_RESOURCE_ACCESS_GROUP
         self._default_group = default_group
 
-    def get_resource_group(self, username):
+    def get_resource_group(self, username, group):
         """
         Returns the name of the user group based on the user name.
 
@@ -76,3 +76,54 @@ def get_resource_group(self, username):
             Name of the user group.
         """
         return self._default_group
+
+
+class SingleGroupResourceAccessControl(DefaultResourceAccessControl):
+    """
+    Single group resource access policy.
+    The resource access policy associates users with its correspondent first user group. The groups
+    define the resources, such as plans and devices users can access. The
+    single group policy assumes that one user belong to a single group or if they are unauthenticated or 
+    have authenticated with a single-user API key, it uses the default user group.
+    The arguments of the class constructor are the same as the one specified in the DefaultResourceAccessControl configuration
+    file as shown in the example below.
+
+    Parameters
+    ----------
+    default_group: str
+        The name of the group returned by the access manager by default.
+
+    Examples
+    --------
+    Configure ``SingleGroupResourceAccessControl`` policy. The default group name is ``test_user``.
+
+    .. code-block::
+
+        resource_access:
+          policy: bluesky_httpserver.authorization:SingleGroupResourceAccessControl
+          args:
+            default_group: test_user
+    """
+
+    def get_resource_group(self, username, group):
+        """
+        Returns the name of the user group based on the user name.
+
+        Parameters
+        ----------
+        username: str
+            User name.
+
+        Returns
+        -------
+        str
+            Name of the user group.
+        """
+        if isinstance(group, list):
+            if group[0] in ['unauthenticated_public', 'unauthenticated_single_user']:
+                return self.get_resource_group(username, group)
+            return group[0]
+        return group
+
+
+
diff --git a/bluesky_httpserver/routers/core_api.py b/bluesky_httpserver/routers/core_api.py
@@ -199,7 +199,7 @@ async def queue_item_add_handler(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
         displayed_name = api_access_manager.get_displayed_user_name(username)
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
         payload.update({"user": displayed_name, "user_group": user_group})
 
         if "item" not in payload:
@@ -228,7 +228,7 @@ async def queue_item_execute_handler(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
         displayed_name = api_access_manager.get_displayed_user_name(username)
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
         payload.update({"user": displayed_name, "user_group": user_group})
 
         if "item" not in payload:
@@ -257,7 +257,7 @@ async def queue_item_add_batch_handler(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
         displayed_name = api_access_manager.get_displayed_user_name(username)
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
         payload.update({"user": displayed_name, "user_group": user_group})
 
         if "items" not in payload:
@@ -330,7 +330,7 @@ async def queue_upload_spreadsheet(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
         displayed_name = api_access_manager.get_displayed_user_name(username)
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
 
         if custom_module:
             logger.info("Processing spreadsheet using function from external module ...")
@@ -399,7 +399,7 @@ async def queue_item_update_handler(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
         displayed_name = api_access_manager.get_displayed_user_name(username)
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
         payload.update({"user": displayed_name, "user_group": user_group})
 
         msg = await SR.RM.item_update(**payload)
@@ -719,7 +719,7 @@ async def plans_allowed_handler(
         username = get_current_username(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
 
         if "reduced" in payload:
             reduced = payload["reduced"]
@@ -751,7 +751,7 @@ async def devices_allowed_handler(
         username = get_current_username(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
 
         payload.update({"user_group": user_group})
 
@@ -866,7 +866,7 @@ async def function_execute_handler(
             principal=principal, settings=settings, api_access_manager=api_access_manager
         )[0]
         displayed_name = api_access_manager.get_displayed_user_name(username)
-        user_group = resource_access_manager.get_resource_group(username)
+        user_group = resource_access_manager.get_resource_group(username, principal.roles)
         payload.update({"user": displayed_name, "user_group": user_group})
 
         if "item" not in payload:
