DIG-1887, DIG-1890, DIG-1892, DIG-1897: refactoring authz, adding preapproved list #151
Conversation
There was a problem hiding this comment.
Unsure if this is because of this PR but when I try to POST to /ingest/user/pending, it leads to a 307 redirect to the internal URL of ingest.
(candig) 16:04 fnguyen@fnguyen-worktop:~/Documents/CanDIGv2$ curl -v candig.docker.internal:5080/ingest/user/pending/ -H "Authorization: Bearer $TOKEN"
* Host candig.docker.internal:5080 was resolved.
* IPv6: ::1
* IPv4: (none)
* Trying [::1]:5080...
* Connected to candig.docker.internal (::1) port 5080
> GET /ingest/user/pending/ HTTP/1.1
> Host: candig.docker.internal:5080
> User-Agent: curl/8.5.0
> Accept: */*
> Authorization: Bearer ...
>
< HTTP/1.1 307 Temporary Redirect
< Content-Length: 0
< Date: Fri, 24 Jan 2025 21:04:12 GMT
< Location: http://candig-ingest:1235/user/pending
< Server: uvicorn
< X-Ratelimit-Limit: 10000
< X-Ratelimit-Remaining: 9999
< X-Ratelimit-Reset: 1737756253
<
* Connection #0 to host candig.docker.internal left intact
ingest_operations.py
Outdated
| response = list(response["programs"].values()) | ||
| print(response) | ||
| return {"results": response}, status_code | ||
| user_id = authx.auth.get_user_id(request) |
There was a problem hiding this comment.
NameError: name 'request' is not defined
| user_result["site_roles"].append(role_type) | ||
|
|
||
| user_result["program_authorizations"] = {} | ||
| opa_permissions, status_code = authx.auth.get_opa_permissions(bearer_token=token, user_token=user_result["userinfo"]["sample_jwt"]) |
There was a problem hiding this comment.
I'm a bit confused now; the return value of ingest/user/me is 200 if the user exists, 404 if the user doesn't exist, and then... how do I tell if I'm a pending user?
There was a problem hiding this comment.
You would try to request pending access again, /ingest/pending/request...if you get a 200, you're already pending.
There was a problem hiding this comment.
Can we get a non-destructive way of checking pending status? When the user enters the site we want to show them a different screen depending on whether or not they're already pending.
There was a problem hiding this comment.
I don't understand how it's destructive: if you repeatedly hit the pending/request endpoint, you just get repeated 200 OKs...nothing changes.
There was a problem hiding this comment.
When the user first visits the page, they should be given the screen on the left. When they click the button to POST to /ingest/pending/request, they should be given the screen on the right. From then onwards, whenever they check the page, they should immediately be given the screen on the right.
The problem I'd run into is that it's impossible to determine which screen the user should be given when they load up the page without inadvertently signing them up to be on the pending list, or via using some sort of cookie/local storage check (which would fail if they checked it in a different browser or on a different computer).
There was a problem hiding this comment.
When we last discussed this I had thought there was some GET endpoint with a different status code depending on the user's authorization state -- was it only the POST endpoint that was planned?
There was a problem hiding this comment.
Oh I see. I'll try to add another endpoint then.
There was a problem hiding this comment.
I added GET to /user/pending/{user_id}. "me" works to get the status of yourself. (had to add a bit in Opa; please pull the opa commit in CanDIG/CanDIGv2#938 and recompose opa.
Co-authored-by: OrdiNeu <[email protected]>
…IG/candigv2-ingest into daisieh/ingest-user-changes
In this situation, are you trying to request pending access? what are you POSTing? |
Tested in CanDIG/CanDIGv2#938