rejected users

CanDIG · Jan 11, 2025 · 79919a6 · 79919a6
1 parent 2a9a22f
commit 79919a6
Showing 1 changed file with 28 additions and 1 deletion.
diff --git a/auth.py b/auth.py
@@ -160,6 +160,13 @@ def remove_program_from_opa(program_id, token):
 #####
 
 def add_pending_user_to_opa(user_token):
+    # check to see if this user has already been rejected:
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"rejected_users")
+    if status_code != 200:
+        return response, status_code
+    if user_name in response["rejected_users"]:
+        return {"error": "This user has already been rejected by CanDIG"}, 403
+
     # NB: any user that has been authenticated by the IDP should be able to add themselves to the pending user list
     response, status_code = authx.auth.get_service_store_secret("opa", key=f"pending_users")
     if status_code != 200:
@@ -231,9 +238,20 @@ def reject_pending_user_in_opa(user_name, token):
         return response, status_code
     pending_users = response["pending_users"]
 
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"rejected_users")
+    if status_code != 200:
+        return response, status_code
+    rejected_users = response["rejected_users"]
+
     if user_name in pending_users:
         pending_users.pop(user_name)
-        response, status_code = authx.auth.set_service_store_secret("opa", key=f"pending_users", value=json.dumps(response))
+        response, status_code = authx.auth.set_service_store_secret("opa", key=f"pending_users", value=json.dumps({"pending_users": pending_users}))
+
+        # add the user to the rejected users, if they're not already there:
+        if user_name not in rejected_users:
+            rejected_users[user_name] = user_dict
+            response, status_code = authx.auth.set_service_store_secret("opa", key=f"pending_users", value=json.dumps({"rejected_users": rejected_users}))
+
     else:
         return {"error": f"no pending user with ID {user_name}"}, 404
     return response, status_code
@@ -246,6 +264,7 @@ def clear_pending_users_in_opa(token):
     response, status_code = authx.auth.set_service_store_secret("opa", key="pending_users", value=json.dumps({"pending_users": {}}))
     return response, status_code
 
+
 #####
 # DAC authorization for users
 #####
@@ -264,7 +283,15 @@ def get_user_in_opa(user_name, token):
         return {"error": f"User not authorized to view users"}, 403
 
     safe_name = urllib.parse.quote_plus(user_name)
+    response, status_code = authx.auth.get_service_store_secret("opa", key=f"users/rejected_users")
+    if status_code == 200:
+        if safe_name in response["rejected_users"]:
+            return {"error": f"User {safe_name} has been rejected from CanDIG"}
+
     response, status_code = authx.auth.get_service_store_secret("opa", key=f"users/{safe_name}")
+    # return 404 if the user is not found
+    if status_code == 404:
+        response = {"error": f"User {safe_name} is not an authorized CanDIG user"}
     return response, status_code