Update Members permission to team form + ODP-370 (#642)

steveoni · luccasmmg · mpolidori · commit 9d5bec3a94e7 · 2025-03-03T13:05:06.000-05:00
* members can not

* update role: Editor can create sub-team and admin moving subteam from public to private should not throw error

* disabled Public option if parent is private

* Trigger CI

---------

Co-authored-by: Luccas Mateus &lt;luccasmmg@gmail.com&gt;
diff --git a/ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/create.py b/ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/create.py
@@ -38,6 +38,9 @@
 from ckan.logic.action.create import (
     organization_create as old_organization_create)
 
+from ckan.logic.action.get import ( 
+    organization_show as old_organization_show)
+
 import ckan.authz as authz
 
 NotificationGetUserViewedActivity: TypeAlias = None
@@ -873,27 +876,33 @@ def download_event_create(context: Context, data_dict: DataDict):
     return download_event_list_dictize(events, context)
 
 
+import copy
+
 @logic.side_effect_free
 def organization_create(context, data_dict):
     visibility = data_dict.get('visibility', "public")
+    
+
+    temp_context = {"model": context["model"], "session": context["session"], "user": context["user"]}
+
+    
+    parent_org = data_dict.get("parent")
+    parent_org = parent_org.get("value") if parent_org else None
+    if parent_org:
+        parent_org = old_organization_show(temp_context, {"id": parent_org})
+        users = parent_org.get("users", [])
+        username = context.get("user")
+        if users and not authz.is_sysadmin(context.get("user")):
+            user_capacity = [user.get("capacity") for user in users if user.get("name") == username]
+            if not any(role in user_capacity for role in ["admin", "editor"]):
+                raise ValidationError({"message": _("User does not have admin access to create a sub team")})
+        if parent_org.get("visibility", "public") == "private" and visibility == "public":
+            raise ValidationError({"message": _("Parent Organization has private visibility and cannot create public teams")})
+        
+    else:
+        if not authz.is_sysadmin(context.get("user")):
+            raise ValidationError({"message": _("Only sysadmins can create public teams without a parent")})
 
-    if visibility == "public":
-        parent_org = data_dict.get("parent")
-        parent_org = parent_org.get("value") if parent_org else None
-        if parent_org:
-            parent_org = logic.get_action("organization_show")(context, {"id": parent_org})
-            users = parent_org.get("users", [])
-            username = context.get("user")
-            if users:
-                user_capacity = [user.get("capacity") for user in users if user.get("name") == username]
-                if "admin" not in user_capacity:
-                    raise ValidationError({"message": _("User does not have admin access to create a sub team")})
-            if parent_org.get("visibility", "public") == "private":
-                raise ValidationError({"message": _("Parent Organization has private visibility and cannot create public teams")})
-            
-        else:
-            if not authz.is_sysadmin(context.get("user")):
-                raise ValidationError({"message": _("Only sysadmins can create public teams without a parent")})
     
     result = old_organization_create(context, data_dict)
     return result
diff --git a/ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/get.py b/ckan-backend-dev/src/ckanext-wri/ckanext/wri/logic/action/get.py
@@ -1785,8 +1785,8 @@ def organization_patch(context, data_dict):
     isSysadmin = authz.is_sysadmin(user)
 
     if not isSysadmin:
-        
-        old_org = get_action("organization_show")(context, data_dict)
+        temp_context = {"model": context["model"], "session": context["session"], "user": context["user"]}
+        old_org = get_action("organization_show")(temp_context, data_dict)
         old_parent = old_org.get("groups", [])
         if len(old_parent) == 0 or data_dict.get("parent") is None:
             raise ValidationError({"message": _("You can't edit or create a Parent Team")})
@@ -1798,7 +1798,8 @@ def organization_patch(context, data_dict):
         if visibility == "private":
             users = old_org.get("users", [])
             if users:
-                user_capacity = [user.get("capacity") for user in users if user.get("name") == user]
+                c_user = str(user)
+                user_capacity = [user.get("capacity") for user in users if user.get("name") == c_user]
                 if "admin" not in user_capacity:
                     raise ValidationError({"message": _("You can't update visibility of a team")})
         
@@ -1807,7 +1808,8 @@ def organization_patch(context, data_dict):
         parent_org = data_dict.get("parent")
         parent_org = parent_org.get("value") if parent_org else None
         if parent_org:
-            parent_org = get_action("organization_show")(context, {"id": parent_org})
+            temp_context = {"model": context["model"], "session": context["session"], "user": context["user"]}
+            parent_org = get_action("organization_show")(temp_context, {"id": parent_org})
             if parent_org.get("visibility", "public") == "private":
                 raise ValidationError({"message": _("Parent Team has private visibility and cannot create public teams")})
             
@@ -1817,7 +1819,8 @@ def organization_patch(context, data_dict):
             "fq": f"(organization:({data_dict.get('name')}) AND visibility_type:(public OR internal))", 
             "include_private": False  # Include private datasets in the search
         }
-        public_package = get_action("package_search")(context, rdata_dict)
+        temp_context = {"model": context["model"], "session": context["session"], "user": context["user"]}
+        public_package = get_action("package_search")(temp_context, rdata_dict)
         if public_package.get("count") > 0:
             raise ValidationError({"message": _(f"Team has {public_package.get('count')} public dataset(s) and cannot be made private")})
     return old_organization_patch(context, data_dict)
diff --git a/ckan-backend-dev/src/ckanext-wri/ckanext/wri/plugin.py b/ckan-backend-dev/src/ckanext-wri/ckanext/wri/plugin.py
@@ -33,6 +33,7 @@
     resource_create,
     old_package_create,
     download_event_create,
+    organization_create
 )
 from ckanext.wri.logic.action.update import (
     notification_update,
@@ -71,6 +72,7 @@
     organization_show,
     package_show,
     get_download_events,
+    
 )
 
 from ckanext.wri.logic.action.delete import pending_dataset_delete
@@ -272,6 +274,8 @@ def get_actions(self):
             "package_update": package_update,
             "download_event_create": download_event_create,
             "download_event_list": get_download_events,
+            "organization_create": organization_create,
+            
             "prefect_send_error_callback": send_error_callback,
         }
 
diff --git a/deployment/frontend/src/components/_shared/SimpleSelect.tsx b/deployment/frontend/src/components/_shared/SimpleSelect.tsx
@@ -15,6 +15,7 @@ export interface Option<V> {
     label: string
     value: V
     default?: boolean
+    disbaled?: boolean
 }
 
 interface SimpleSelectProps<T extends FieldValues, V extends Object> {
@@ -109,12 +110,13 @@ export default function SimpleSelect<T extends FieldValues, V extends Object>({
                                         {options.map((option) => (
                                             <Listbox.Option
                                                 key={option.value}
+                                                disabled={option.disabled}
                                                 className={({ active }) =>
                                                     classNames(
                                                         active
                                                             ? 'bg-blue-800 text-white'
                                                             : 'text-gray-900',
-                                                        `relative cursor-default select-none py-2 pl-3 pr-9`
+                                                        `relative cursor-default select-none py-2 pl-3 pr-9 ${option.disabled ? 'opacity-50' : ''}`
                                                     )
                                                 }
                                                 value={option}
@@ -133,7 +135,7 @@ export default function SimpleSelect<T extends FieldValues, V extends Object>({
                                                             {option?.visibility &&
                                                             option.visibility ===
                                                                 'private' ? (
-                                                                    <>{' '}&#128274;</>
+                                                                <> &#128274;</>
                                                             ) : (
                                                                 ''
                                                             )}
diff --git a/deployment/frontend/src/components/dashboard/teams/forms/CreateTeamForm.tsx b/deployment/frontend/src/components/dashboard/teams/forms/CreateTeamForm.tsx
@@ -11,6 +11,8 @@ import { api } from '@/utils/api'
 import notify from '@/utils/notify'
 import { ErrorAlert } from '@/components/_shared/Alerts'
 import { useRouter } from 'next/router'
+import { z } from 'zod'
+import { useSession } from 'next-auth/react'
 
 const links = [
     { label: 'Teams', url: '/dashboard/teams', current: false },
@@ -20,8 +22,45 @@ const links = [
 export default function CreateTeamForm() {
     const [errorMessage, setErrorMessage] = useState<string | null>(null)
     const router = useRouter()
+    const possibleParents = api.teams.getAllTeams.useQuery()
+    const { data: session } = useSession()
+    const sysadmin = session?.user?.sysadmin ?? false
+
+    const TeamSchemaRefine = TeamSchema.superRefine((val, ctx) => {
+        if (val.visibility.value === 'public' && val.parent) {
+            const parent = possibleParents.data?.find(
+                (team) => team.name === val.parent?.value
+            )
+            const visibility = parent?.visibility
+            const isPrivate = parent && visibility === 'private'
+            if (isPrivate) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    path: ['parent'],
+                    message:
+                        'Parent Organization has private visibility and cannot create public teams',
+                })
+            }
+        }
+
+        if (!sysadmin && val.parent) {
+            const parent = possibleParents.data?.find(
+                (team) => team.name === val.parent?.value
+            )
+            const capacity = parent?.capacity
+            const isAdmin = parent && !['admin', 'editor'].includes(capacity)
+            if (isAdmin) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    path: ['parent'],
+                    message:
+                        'User does not have admin access to create a sub team',
+                })
+            }
+        }
+    })
     const formObj = useForm<TeamFormType>({
-        resolver: zodResolver(TeamSchema),
+        resolver: zodResolver(TeamSchemaRefine),
     })
 
     const createTeam = api.teams.createTeam.useMutation({
diff --git a/deployment/frontend/src/components/dashboard/teams/forms/EditTeamForm.tsx b/deployment/frontend/src/components/dashboard/teams/forms/EditTeamForm.tsx
@@ -22,13 +22,18 @@ import { Tab } from '@headlessui/react'
 import { Fragment } from 'react'
 import classNames from '@/utils/classnames'
 import { Members } from '../metadata/Members'
+import { z } from 'zod'
+import { useSession } from 'next-auth/react'
 
 type TeamOutput = RouterOutput['teams']['getTeam']
 
 export default function EditTeamForm({ team }: { team: TeamOutput }) {
     const [errorMessage, setErrorMessage] = useState<string | null>(null)
     const [deleteOpen, setDeleteOpen] = useState(false)
     const router = useRouter()
+    const possibleParents = api.teams.getAllTeams.useQuery()
+    const { data: session } = useSession()
+    const sysadmin = session?.user?.sysadmin ?? false
     const links = [
         { label: 'Teams', url: '/dashboard/teams', current: false },
         {
@@ -38,6 +43,40 @@ export default function EditTeamForm({ team }: { team: TeamOutput }) {
         },
     ]
 
+    const TeamSchemaRefine = TeamSchema.superRefine((val, ctx) => {
+        if (val.visibility.value === 'public' && val.parent) {
+            const parent = possibleParents.data?.find(
+                (team) => team.name === val.parent?.value
+            )
+            const visibility = parent?.visibility
+            const isPrivate = parent && visibility === 'private'
+            if (isPrivate) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    path: ['parent'],
+                    message:
+                        'Parent Organization has private visibility and cannot create public teams',
+                })
+            }
+        }
+
+        if (!sysadmin && val.parent) {
+            const org = possibleParents.data?.find((team) => team.id === val.id)
+
+            const capacity = org?.capacity
+            const isAdmin = org && capacity !== 'admin'
+
+            if (isAdmin) {
+                ctx.addIssue({
+                    code: z.ZodIssueCode.custom,
+                    path: ['parent'],
+                    message:
+                        'User does not have admin access to edit a sub team',
+                })
+            }
+        }
+    })
+
     const formObj = useForm<TeamFormType>({
         defaultValues: {
             ...team,
@@ -61,7 +100,7 @@ export default function EditTeamForm({ team }: { team: TeamOutput }) {
                 },
             })),
         },
-        resolver: zodResolver(TeamSchema),
+        resolver: zodResolver(TeamSchemaRefine),
     })
 
     const utils = api.useContext()
diff --git a/deployment/frontend/src/components/dashboard/teams/forms/TeamForm.tsx b/deployment/frontend/src/components/dashboard/teams/forms/TeamForm.tsx
@@ -13,6 +13,8 @@ import { UploadResult } from '@uppy/core'
 import { api } from '@/utils/api'
 import { P, match } from 'ts-pattern'
 import Spinner from '@/components/_shared/Spinner'
+import { useSession } from 'next-auth/react'
+import { useEffect } from 'react'
 
 function ToolTipOnEdit() {
     return (
@@ -67,7 +69,11 @@ export default function TeamForm({
         watch,
         formState: { errors, isSubmitting },
     } = formObj
-    const possibleParents = api.teams.getAllTeams.useQuery()
+
+    const possibleParents = api.teams.getAllTeams.useQuery(undefined, {
+        refetchOnMount: false,
+    })
+
     return (
         <div className="grid grid-cols-1 items-start gap-x-12 gap-y-4 py-5 lg:grid-cols-2 xxl:gap-x-24">
             <div className="flex flex-col justify-start gap-y-4">
@@ -182,13 +188,13 @@ export default function TeamForm({
                         editing
                             ? ToolTipOnEdit()
                             : watch('parent')?.value !== '' &&
-                              possibleParents.data?.find(
-                                  (a) =>
-                                      a.name === watch('parent')?.value &&
-                                      a.visibility === 'private'
-                              )
-                            ? ToolTipForSubTeam()
-                            : TooltipForParent()
+                                possibleParents.data?.find(
+                                    (a) =>
+                                        a.name === watch('parent')?.value &&
+                                        a.visibility === 'private'
+                                )
+                              ? ToolTipForSubTeam()
+                              : TooltipForParent()
                     }
                     required
                 >
@@ -210,6 +216,11 @@ export default function TeamForm({
                                           value: 'private',
                                           default: true,
                                       },
+                                      {
+                                          label: 'Public',
+                                          value: 'public',
+                                          disabled: true,
+                                      },
                                   ]
                                 : [
                                       { label: 'Public', value: 'public' },
@@ -218,7 +229,7 @@ export default function TeamForm({
                         }
                         placeholder="Select visibility"
                     />
-                    <ErrorDisplay name="parent" errors={errors} />
+                    <ErrorDisplay name="visibility" errors={errors} />
                 </InputGroupCustom>
             </div>
         </div>
