diff --git a/src/backend/app/auth/roles.py b/src/backend/app/auth/roles.py
index a5fccc927f..c881b3214b 100644
--- a/src/backend/app/auth/roles.py
+++ b/src/backend/app/auth/roles.py
@@ -28,7 +28,7 @@
 from app.auth.osm import AuthUser, login_required
 from app.db.database import get_db
-from app.db.db_models import DbProject, DbUser, DbUserRoles
+from app.db.db_models import DbProject, DbUser, DbUserRoles, organisation_managers
 from app.models.enums import HTTPStatus, ProjectRole, UserRole
 from app.projects.project_deps import get_project_by_id
@@ -70,36 +70,32 @@ async def org_admin(
     user_data: AuthUser = Depends(login_required),
 ) -> AuthUser:
     """Organization admin with full permission for projects in an organization."""
+    if project and org_id:
+        log.error("Both org_id and project_id cannot be passed at the same time")
+        raise HTTPException(
+            status_code=HTTPStatus.BAD_REQUEST,
+            detail="Both org_id and project_id cannot be passed at the same time",
+        )
+
     user_id = await get_uid(user_data)
+    if project:
+        org_id = db.query(DbProject).filter_by(id=project.id).first().organisation_id
+
     org_admin = (
-        db.query(DbUserRoles)
-        .filter_by(user_id=user_id, role=ProjectRole.ORGANIZATION_ADMIN)
+        db.query(organisation_managers)
+        .filter_by(organisation_id=org_id, user_id=user_id)
         .first()
     )
     if not org_admin:
-        log.error(f"User ID {user_id} is not an admin for any organization")
+        log.error(f"User ID {user_id} is not an admin for organization {org_id}")
         raise HTTPException(
             status_code=HTTPStatus.FORBIDDEN,
-            detail="User must be an organization admin",
+            detail="User is not organization admin",
         )
-    matched_project = db.query(DbProject).filter_by(id=org_admin.project_id).first()
-    matched_org_id = matched_project.organisation_id
-
-    if (
-        org_id
-        and matched_org_id == org_id
-        or project
-        and matched_org_id == project.organisation_id
-    ):
-        return user_data
-
-    log.error(f"User ID {user_id} is not an organization admin for id {org_id}")
-    raise HTTPException(
-        status_code=HTTPStatus.FORBIDDEN, detail="User is not an organization admin"
-    )
+    return user_data
 
 
 async def validator(
diff --git a/src/backend/app/models/enums.py b/src/backend/app/models/enums.py
index d71e9eb98c..7cd31c3c2a 100644
--- a/src/backend/app/models/enums.py
+++ b/src/backend/app/models/enums.py
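Review bot: When neither `org_id` nor `project` is supplied, the guard added at the top of the hunk does not fire and the lookup runs with `organisation_id=None`, so the permission decision then rests on the `organisation_managers` table holding no NULL `organisation_id` rows rather than on an explicit check; add `if not project and not org_id: raise HTTPException(status_code=HTTPStatus.BAD_REQUEST, detail="Either org_id or project_id must be passed")` directly after the first guard so the dependency fails closed by design. The new `org_id = db.query(DbProject).filter_by(id=project.id).first().organisation_id` also re-queries a row the removed code read directly as `project.organisation_id`, and dereferences `.first()` with no None check, which would surface as a 500 instead of a 403/404 if the project row is missing; `org_id = project.organisation_id` avoids both. The parameter list of `org_admin`, where `org_id`, `project` and `db` are declared, lies outside the hunk, so their exact types and defaults are not visible here.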
@@ -110,7 +110,6 @@ class ProjectRole(IntEnum, Enum):
     - FIELD_MANAGER = can invite mappers and organise people
     - ASSOCIATE_PROJECT_MANAGER = helps the project manager, cannot delete project
     - PROJECT_MANAGER = has all permissions to manage a project, including delete
-    - ORGANIZATION_ADMIN = has project manager permissions for all projects in org
     """
 
     MAPPER = 0
@@ -118,7 +117,6 @@ class ProjectRole(IntEnum, Enum):
     FIELD_MANAGER = 2
     ASSOCIATE_PROJECT_MANAGER = 3
     PROJECT_MANAGER = 4
-    ORGANIZATION_ADMIN = 5
 
 
 class MappingLevel(IntEnum, Enum):
diff --git a/src/backend/migrations/003-project-roles.sql b/src/backend/migrations/003-project-roles.sql
index 99ad80fe27..c4f75e5c5d 100644
--- a/src/backend/migrations/003-project-roles.sql
+++ b/src/backend/migrations/003-project-roles.sql
@@ -10,8 +10,7 @@ CREATE TYPE public.projectrole as ENUM (
     'VALIDATOR',
     'FIELD_MANAGER',
     'ASSOCIATE_PROJECT_MANAGER',
-    'PROJECT_MANAGER',
-    'ORGANIZATION_ADMIN'
+    'PROJECT_MANAGER'
 );
 ALTER TABLE public.user_roles ALTER COLUMN "role" TYPE VARCHAR(24);
 ALTER TABLE public.user_roles ALTER COLUMN "role" TYPE public.projectrole USING role::public.projectrole;
diff --git a/src/backend/migrations/init/fmtm_base_schema.sql b/src/backend/migrations/init/fmtm_base_schema.sql
index 16f22c0c81..857ef6e430 100644
--- a/src/backend/migrations/init/fmtm_base_schema.sql
+++ b/src/backend/migrations/init/fmtm_base_schema.sql
@@ -140,8 +140,7 @@ CREATE TYPE public.projectrole as ENUM (
     'VALIDATOR',
     'FIELD_MANAGER',
     'ASSOCIATE_PROJECT_MANAGER',
-    'PROJECT_MANAGER',
-    'ORGANIZATION_ADMIN'
+    'PROJECT_MANAGER'
 );
 ALTER TYPE public.projectrole OWNER TO fmtm;
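Review bot: Editing `003-project-roles.sql` in place drops `'ORGANIZATION_ADMIN'` only for databases that have not yet applied this migration; a database that already ran it keeps the value in `public.projectrole` and keeps any `user_roles` rows carrying it, and nothing in this commit converts or deletes those rows. Since the `ProjectRole` Python enum loses the member in the same commit, such rows would presumably no longer map to a valid enum value when read through the ORM, so a new numbered migration that updates or deletes `user_roles` rows `WHERE role = 'ORGANIZATION_ADMIN'` (and, if the project wants the type itself tightened, recreates the enum without the value) would make the removal consistent across existing deployments. The `CREATE TYPE public.projectrole as ENUM (` statement begins outside the hunk.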