Metadata form 7: Access control and deletion behaviour

backend/dataall/core/environment/services/environment_service.py

@@ -46,6 +46,8 @@
 from dataall.core.permissions.services.tenant_permissions import MANAGE_ENVIRONMENTS
 from dataall.core.stacks.db.stack_repositories import StackRepository
 from dataall.core.vpc.db.vpc_repositories import VpcRepository
+from dataall.modules.metadata_forms.db.enums import MetadataFormEntityTypes, MetadataFormVisibility
+from dataall.modules.metadata_forms.db.metadata_form_repository import MetadataFormRepository
 
 log = logging.getLogger(__name__)
 
@@ -525,7 +527,6 @@ def list_group_permissions_internal(session, uri, group_uri):
         environment = EnvironmentService.get_environment_by_uri(session, uri)
 
         return ResourcePolicyService.get_resource_policy_permissions(
-            session=session,
             group_uri=group_uri,
             resource_uri=environment.environmentUri,
         )
@@ -885,6 +886,12 @@ def delete_environment(uri):
                 KeyValueTagRepository.delete_key_value_tags(session, environment.environmentUri, 'environment')
                 EnvironmentResourceManager.delete_env(session, environment)
                 EnvironmentParameterRepository(session).delete_params(environment.environmentUri)
+                MetadataFormRepository.delete_attached_entity_metadata_forms(
+                    session, environment.environmentUri, MetadataFormEntityTypes.Environments.value
+                )
+                MetadataFormRepository.delete_all_home_metadata_forms(
+                    session, environment.environmentUri, MetadataFormVisibility.Environment.value
+                )
 
                 for group in env_groups:
                     session.delete(group)

backend/dataall/core/organizations/services/organization_service.py

@@ -21,6 +21,8 @@
     ORGANIZATION_INVITED_READONLY,
     ORGANIZATION_INVITED_DESCRIPTIONS,
 )
+from dataall.modules.metadata_forms.db.enums import MetadataFormEntityTypes, MetadataFormVisibility
+from dataall.modules.metadata_forms.db.metadata_form_repository import MetadataFormRepository
 
 
 class OrganizationService:
@@ -175,6 +177,12 @@ def archive_organization(uri):
                 resource_uri=org.organizationUri,
                 resource_type=models.Organization.__name__,
             )
+            MetadataFormRepository.delete_attached_entity_metadata_forms(
+                session, org.organizationUri, MetadataFormEntityTypes.Organizations.value
+            )
+            MetadataFormRepository.delete_all_home_metadata_forms(
+                session, org.organizationUri, MetadataFormVisibility.Organization.value
+            )
 
             return True
 
@@ -309,11 +317,7 @@ def resolve_organization_by_env(uri):
     @staticmethod
     @ResourcePolicyService.has_resource_permission(GET_ORGANIZATION)
     def list_group_organization_permissions(uri, groupUri):
-        context = get_context()
-        with context.db_engine.scoped_session() as session:
-            return ResourcePolicyService.get_resource_policy_permissions(
-                session=session, group_uri=groupUri, resource_uri=uri
-            )
+        return ResourcePolicyService.get_resource_policy_permissions(group_uri=groupUri, resource_uri=uri)
 
     @staticmethod
     def list_invited_organization_permissions_with_descriptions():

backend/dataall/core/permissions/services/resource_policy_service.py

@@ -212,20 +212,21 @@ def associate_permission_to_resource_policy(session, policy, permission):
         session.commit()
 
     @staticmethod
-    def get_resource_policy_permissions(session, group_uri, resource_uri) -> List[ResourcePolicyPermission]:
+    def get_resource_policy_permissions(group_uri, resource_uri) -> List[ResourcePolicyPermission]:
         if not group_uri:
             raise exceptions.RequiredParameter(param_name='group_uri')
         if not resource_uri:
             raise exceptions.RequiredParameter(param_name='resource_uri')
-        policy = ResourcePolicyRepository.find_resource_policy(
-            session=session,
-            group_uri=group_uri,
-            resource_uri=resource_uri,
-        )
-        permissions = []
-        for p in policy.permissions:
-            permissions.append(p.permission)
-        return permissions
+        with get_context().db_engine.scoped_session() as session:
+            policy = ResourcePolicyRepository.find_resource_policy(
+                session=session,
+                group_uri=group_uri,
+                resource_uri=resource_uri,
+            )
+            permissions = []
+            for p in policy.permissions:
+                permissions.append(p.permission)
+            return permissions
 
     @staticmethod
     def has_resource_permission(

backend/dataall/modules/metadata_forms/api/queries.py

@@ -5,6 +5,7 @@
     get_metadata_form,
     get_attached_metadata_form,
     list_attached_forms,
+    get_entity_metadata_form_permissions,
 )
 
 listUserMetadataForms = gql.QueryField(
@@ -47,3 +48,11 @@
     resolver=get_attached_metadata_form,
     test_scope='MetadataForm',
 )
+
+getEntityMetadataFormPermissions = gql.QueryField(
+    name='getEntityMetadataFormPermissions',
+    args=[gql.Argument('entityUri', gql.NonNullableType(gql.String))],
+    type=gql.ArrayType(gql.String),
+    resolver=get_entity_metadata_form_permissions,
+    test_scope='MetadataForm',
+)

backend/dataall/modules/metadata_forms/api/resolvers.py

@@ -94,3 +94,7 @@ def has_tenant_permissions_for_metadata_forms(context: Context, source: Metadata
 
 def resolve_metadata_form_field(context: Context, source: AttachedMetadataFormField):
     return MetadataFormService.get_metadata_form_field_by_uri(uri=source.fieldUri)
+
+
+def get_entity_metadata_form_permissions(context: Context, source, entityUri):
+    return MetadataFormService.get_mf_permissions(entityUri=entityUri)

backend/dataall/modules/metadata_forms/db/metadata_form_repository.py

@@ -247,3 +247,27 @@ def query_attached_metadata_forms(session, is_da_admin, groups, user_envs_uris,
         if filter and filter.get('metadataFormUri'):
             query = query.filter(AttachedMetadataForm.metadataFormUri == filter.get('metadataFormUri'))
         return query
+
+    @staticmethod
+    def get_all_attached_metadata_forms_for_entity(session, entityUri, entityType):
+        return (
+            session.query(AttachedMetadataForm)
+            .filter(and_(AttachedMetadataForm.entityType == entityType, AttachedMetadataForm.entityUri == entityUri))
+            .all()
+        )
+
+    @staticmethod
+    def delete_attached_entity_metadata_forms(session, entityUri, entityType):
+        mfs = MetadataFormRepository.get_all_attached_metadata_forms_for_entity(session, entityUri, entityType)
+        for mf in mfs:
+            session.delete(mf)
+
+    @staticmethod
+    def delete_all_home_metadata_forms(session, homeEntityUri, visibility):
+        mfs = (
+            session.query(MetadataForm)
+            .filter(and_(MetadataForm.homeEntity == homeEntityUri, MetadataForm.visibility == visibility))
+            .all()
+        )
+        for mf in mfs:
+            session.delete(mf)

backend/dataall/modules/metadata_forms/services/attached_metadata_form_service.py

@@ -2,9 +2,12 @@
 from dataall.base.db import exceptions, paginate
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
 from dataall.core.organizations.db.organization_repositories import OrganizationRepository
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyValidationService
+from dataall.modules.metadata_forms.db.enums import MetadataFormVisibility
 from dataall.modules.metadata_forms.db.metadata_form_repository import MetadataFormRepository
 from dataall.modules.metadata_forms.services.metadata_form_access_service import MetadataFormAccessService
+from dataall.modules.metadata_forms.services.metadata_form_permissions import ATTACH_METADATA_FORM
 
 
 class AttachedMetadataFormValidationService:
@@ -35,13 +38,20 @@ class AttachedMetadataFormService:
     @staticmethod
     def create_attached_metadata_form(uri, data):
         AttachedMetadataFormValidationService.validate_filled_form_params(uri, data)
-        with get_context().db_engine.scoped_session() as session:
+        context = get_context()
+        with context.db_engine.scoped_session() as session:
             mf = MetadataFormRepository.get_metadata_form(session, uri)
             if not mf:
                 raise exceptions.ObjectNotFound('MetadataForm', uri)
             mf_fields = MetadataFormRepository.get_metadata_form_fields(session, uri)
             AttachedMetadataFormValidationService.validate_enrich_fields_params(mf_fields, data)
-
+            ResourcePolicyService.check_user_resource_permission(
+                session=session,
+                username=context.username,
+                groups=context.groups,
+                resource_uri=data.get('entityUri'),
+                permission_name=ATTACH_METADATA_FORM,
+            )
             amf = MetadataFormRepository.create_attached_metadata_form(session, uri, data)
             for f in data.get('fields'):
                 MetadataFormRepository.create_attached_metadata_form_field(
@@ -76,5 +86,13 @@ def list_attached_forms(filter=None):
     @staticmethod
     def delete_attached_metadata_form(uri):
         mf = AttachedMetadataFormService.get_attached_metadata_form(uri)
-        with get_context().db_engine.scoped_session() as session:
+        context = get_context()
+        with context.db_engine.scoped_session() as session:
+            ResourcePolicyService.check_user_resource_permission(
+                session=session,
+                username=context.username,
+                groups=context.groups,
+                resource_uri=mf.entityUri,
+                permission_name=ATTACH_METADATA_FORM,  # attach and delete are the same for now
+            )
             return session.delete(mf)

backend/dataall/modules/metadata_forms/services/metadata_form_permissions.py

@@ -1,6 +1,50 @@
+from dataall.core.permissions.services.environment_permissions import ENVIRONMENT_INVITED, ENVIRONMENT_ALL
+from dataall.core.permissions.services.organization_permissions import (
+    ORGANIZATION_ALL,
+    ORGANIZATION_INVITED_DESCRIPTIONS,
+)
 from dataall.core.permissions.services.tenant_permissions import TENANT_ALL, TENANT_ALL_WITH_DESC
+from dataall.core.permissions.services.resources_permissions import RESOURCES_ALL, RESOURCES_ALL_WITH_DESC
+from dataall.modules.s3_datasets.services.dataset_permissions import DATASET_WRITE, DATASET_ALL
 
-
+# ------------------------TENANT-----------------------------------
 MANAGE_METADATA_FORMS = 'MANAGE_METADATA_FORMS'
 TENANT_ALL.append(MANAGE_METADATA_FORMS)
 TENANT_ALL_WITH_DESC[MANAGE_METADATA_FORMS] = 'Manage metadata forms'
+
+# ------------------------RESOURCE---------------------------------
+# permissions to attach MF to the entity, ot make the entity the visibility base for MF
+# these permissions are attached to Organizations, Environments, Datasets etc.
+ATTACH_METADATA_FORM = 'ATTACH_METADATA_FORM'
+CREATE_METADATA_FORM = 'CREATE_METADATA_FORM'
+ALL_METADATA_FORMS_ENTITY_PERMISSIONS = [ATTACH_METADATA_FORM, CREATE_METADATA_FORM]
+RESOURCES_ALL.extend(ALL_METADATA_FORMS_ENTITY_PERMISSIONS)
+RESOURCES_ALL_WITH_DESC[CREATE_METADATA_FORM] = 'Create metadata form within this visibility scope'
+RESOURCES_ALL_WITH_DESC[ATTACH_METADATA_FORM] = 'Attach metadata form'
+
+ORGANIZATION_ALL.extend(ALL_METADATA_FORMS_ENTITY_PERMISSIONS)
+ORGANIZATION_INVITED_DESCRIPTIONS[CREATE_METADATA_FORM] = 'Create metadata form within this visibility scope'
+ORGANIZATION_INVITED_DESCRIPTIONS[ATTACH_METADATA_FORM] = 'Attach metadata form'
+
+ENVIRONMENT_INVITED.extend(ALL_METADATA_FORMS_ENTITY_PERMISSIONS)
+ENVIRONMENT_ALL.extend(ALL_METADATA_FORMS_ENTITY_PERMISSIONS)
+
+DATASET_WRITE.extend(ALL_METADATA_FORMS_ENTITY_PERMISSIONS)
+DATASET_ALL.extend(ALL_METADATA_FORMS_ENTITY_PERMISSIONS)
+# ------------------------METADATA FORM----------------------------
+# permissions to change and delete metadata forms
+# these permissions are attached to MFs
+UPDATE_METADATA_FORM_FIELD = 'UPDATE_METADATA_FORM_FIELD'
+DELETE_METADATA_FORM_FIELD = 'DELETE_METADATA_FORM_FIELD'
+DELETE_METADATA_FORM = 'DELETE_METADATA_FORM'
+EDIT_METADATA_FORM = 'EDIT_METADATA_FORM'
+
+METADATA_FORM_PERMISSIONS_ALL = [UPDATE_METADATA_FORM_FIELD, DELETE_METADATA_FORM_FIELD, DELETE_METADATA_FORM]
+
+METADATA_FORM_EDIT_PERMISSIONS = [
+    EDIT_METADATA_FORM,
+    UPDATE_METADATA_FORM_FIELD,
+    DELETE_METADATA_FORM_FIELD,
+]
+
+RESOURCES_ALL.extend(METADATA_FORM_PERMISSIONS_ALL)

backend/dataall/modules/metadata_forms/services/metadata_form_service.py

@@ -2,6 +2,7 @@
 from dataall.base.db import exceptions, paginate
 from dataall.core.organizations.db.organization_repositories import OrganizationRepository
 from dataall.core.environment.db.environment_repositories import EnvironmentRepository
+from dataall.core.permissions.services.resource_policy_service import ResourcePolicyService
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyValidationService, TenantPolicyService
 from dataall.modules.metadata_forms.db.enums import (
     MetadataFormVisibility,
@@ -10,7 +11,14 @@
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
 from dataall.modules.metadata_forms.db.metadata_form_repository import MetadataFormRepository
 from dataall.modules.metadata_forms.services.metadata_form_access_service import MetadataFormAccessService
-from dataall.modules.metadata_forms.services.metadata_form_permissions import MANAGE_METADATA_FORMS
+from dataall.modules.metadata_forms.services.metadata_form_permissions import (
+    MANAGE_METADATA_FORMS,
+    DELETE_METADATA_FORM,
+    DELETE_METADATA_FORM_FIELD,
+    UPDATE_METADATA_FORM_FIELD,
+    CREATE_METADATA_FORM,
+    ALL_METADATA_FORMS_ENTITY_PERMISSIONS,
+)
 
 
 class MetadataFormParamValidationService:
@@ -91,7 +99,20 @@ class MetadataFormService:
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
     def create_metadata_form(data):
         MetadataFormParamValidationService.validate_create_form_params(data)
-        with get_context().db_engine.scoped_session() as session:
+        context = get_context()
+        with context.db_engine.scoped_session() as session:
+            if data.get('visibility') in [
+                MetadataFormVisibility.Organization.value,
+                MetadataFormVisibility.Environment.value,
+            ]:
+                ResourcePolicyService.check_user_resource_permission(
+                    session=session,
+                    username=context.username,
+                    groups=context.groups,
+                    resource_uri=data.get('homeEntity'),
+                    permission_name=CREATE_METADATA_FORM,
+                )
+
             form = MetadataFormRepository.create_metadata_form(session, data)
             return form
 
@@ -104,7 +125,7 @@ def get_metadata_form_by_uri(uri):
     # toDo: deletion logic
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
-    @MetadataFormAccessService.can_perform('DELETE')
+    @MetadataFormAccessService.can_perform(DELETE_METADATA_FORM)
     def delete_metadata_form_by_uri(uri):
         if mf := MetadataFormService.get_metadata_form_by_uri(uri):
             with get_context().db_engine.scoped_session() as session:
@@ -181,15 +202,15 @@ def get_metadata_form_field_by_uri(uri):
 
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
-    @MetadataFormAccessService.can_perform('ADD FIELD')
+    @MetadataFormAccessService.can_perform(UPDATE_METADATA_FORM_FIELD)
     def create_metadata_form_field(uri, data):
         MetadataFormParamValidationService.validate_create_field_params(data)
         with get_context().db_engine.scoped_session() as session:
             return MetadataFormRepository.create_metadata_form_field(session, uri, data)
 
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
-    @MetadataFormAccessService.can_perform('ADD FIELDS')
+    @MetadataFormAccessService.can_perform(UPDATE_METADATA_FORM_FIELD)
     def create_metadata_form_fields(uri, data_arr):
         fields = []
         for data in data_arr:
@@ -198,15 +219,15 @@ def create_metadata_form_fields(uri, data_arr):
 
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
-    @MetadataFormAccessService.can_perform('DELETE FIELD')
+    @MetadataFormAccessService.can_perform(DELETE_METADATA_FORM_FIELD)
     def delete_metadata_form_field(uri, fieldUri):
         mf = MetadataFormService.get_metadata_form_field_by_uri(fieldUri)
         with get_context().db_engine.scoped_session() as session:
             return session.delete(mf)
 
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
-    @MetadataFormAccessService.can_perform('UPDATE FIELDS')
+    @MetadataFormAccessService.can_perform('UPDATE_METADATA_FORM_FIELD')
     def batch_metadata_form_field_update(uri, data):
         to_delete = []
         to_update = []
@@ -238,8 +259,24 @@ def batch_metadata_form_field_update(uri, data):
 
     @staticmethod
     @TenantPolicyService.has_tenant_permission(MANAGE_METADATA_FORMS)
-    @MetadataFormAccessService.can_perform('UPDATE FIELD')
+    @MetadataFormAccessService.can_perform(UPDATE_METADATA_FORM_FIELD)
     def update_metadata_form_field(uri, fieldUri, data):
         with get_context().db_engine.scoped_session() as session:
             MetadataFormParamValidationService.validate_update_field_params(uri, data)
             return MetadataFormRepository.update_metadata_form_field(session, fieldUri, data)
+
+    @staticmethod
+    def get_mf_permissions(entityUri):
+        context = get_context()
+        result_permissions = []
+        with context.db_engine.scoped_session() as session:
+            for permissions in ALL_METADATA_FORMS_ENTITY_PERMISSIONS:
+                if ResourcePolicyService.check_user_resource_permission(
+                    session=session,
+                    username=context.username,
+                    groups=context.groups,
+                    resource_uri=entityUri,
+                    permission_name=permissions,
+                ):
+                    result_permissions.append(permissions)
+            return result_permissions

backend/dataall/modules/redshift_datasets/services/redshift_dataset_service.py

@@ -6,6 +6,8 @@
 from dataall.core.permissions.services.tenant_policy_service import TenantPolicyService
 from dataall.core.permissions.services.group_policy_service import GroupPolicyService
 from dataall.core.environment.services.environment_service import EnvironmentService
+from dataall.modules.metadata_forms.db.enums import MetadataFormEntityTypes
+from dataall.modules.metadata_forms.db.metadata_form_repository import MetadataFormRepository
 from dataall.modules.vote.db.vote_repositories import VoteRepository
 from dataall.modules.catalog.db.glossary_repositories import GlossaryRepository
 
@@ -184,6 +186,9 @@ def delete_redshift_dataset(uri):
             RedshiftDatasetService._delete_dataset_term_links(session, uri)
             VoteRepository.delete_votes(session, dataset.datasetUri, VOTE_REDSHIFT_DATASET_NAME)
             session.delete(dataset)
+            MetadataFormRepository.delete_attached_entity_metadata_forms(
+                session, dataset.datasetUri, MetadataFormEntityTypes.Datasets.value
+            )
             session.commit()
             return True