fractal-server 2.17.2__py3-none-any.whl → 2.18.0__py3-none-any.whl

fractal_server/app/routes/api/v2/workflow_import.py

@@ -19,15 +19,16 @@ from fractal_server.app.routes.auth import current_user_act_ver_prof
 from fractal_server.app.routes.auth._aux_auth import (
     _get_default_usergroup_id_or_none,
 )
-from fractal_server.app.schemas.v2 import TaskImportV2
-from fractal_server.app.schemas.v2 import TaskImportV2Legacy
-from fractal_server.app.schemas.v2 import WorkflowImportV2
-from fractal_server.app.schemas.v2 import WorkflowReadV2WithWarnings
-from fractal_server.app.schemas.v2 import WorkflowTaskCreateV2
+from fractal_server.app.schemas.v2 import TaskImport
+from fractal_server.app.schemas.v2 import TaskImportLegacy
+from fractal_server.app.schemas.v2 import WorkflowImport
+from fractal_server.app.schemas.v2 import WorkflowReadWithWarnings
+from fractal_server.app.schemas.v2 import WorkflowTaskCreate
+from fractal_server.app.schemas.v2.sharing import ProjectPermissions
 from fractal_server.logger import set_logger
 
 from ._aux_functions import _check_workflow_exists
-from ._aux_functions import _get_project_check_owner
+from ._aux_functions import _get_project_check_access
 from ._aux_functions import _get_user_resource_id
 from ._aux_functions import _workflow_insert_task
 from ._aux_functions_tasks import _add_warnings_to_workflow_tasks
@@ -65,7 +66,7 @@ async def _get_user_accessible_taskgroups(
     )
     res = await db.execute(stm)
     accessible_task_groups = res.scalars().all()
-    logger.info(
+    logger.debug(
         f"Found {len(accessible_task_groups)} accessible "
         f"task groups for {user_id=}."
     )
@@ -100,7 +101,7 @@ async def _get_task_by_source(
 
 async def _get_task_by_taskimport(
     *,
-    task_import: TaskImportV2,
+    task_import: TaskImport,
     task_groups_list: list[TaskGroupV2],
     user_id: int,
     default_group_id: int | None,
@@ -120,7 +121,7 @@ async def _get_task_by_taskimport(
         `id` of the matching task, or `None`.
     """
 
-    logger.info(f"[_get_task_by_taskimport] START, {task_import=}")
+    logger.debug(f"[_get_task_by_taskimport] START, {task_import=}")
 
     # Filter by `pkg_name` and by presence of a task with given `name`.
     matching_task_groups = [
@@ -132,7 +133,7 @@ async def _get_task_by_taskimport(
         )
     ]
     if len(matching_task_groups) < 1:
-        logger.info(
+        logger.debug(
             "[_get_task_by_taskimport] "
             f"No task group with {task_import.pkg_name=} "
             f"and a task with {task_import.name=}."
@@ -142,13 +143,13 @@ async def _get_task_by_taskimport(
     # Determine target `version`
     # Note that task_import.version cannot be "", due to a validator
     if task_import.version is None:
-        logger.info(
+        logger.debug(
             "[_get_task_by_taskimport] "
             "No version requested, looking for latest."
         )
         latest_task = max(matching_task_groups, key=lambda tg: tg.version or "")
         version = latest_task.version
-        logger.info(
+        logger.debug(
             f"[_get_task_by_taskimport] Latest version set to {version}."
         )
     else:
@@ -160,19 +161,19 @@ async def _get_task_by_taskimport(
     )
 
     if len(final_matching_task_groups) < 1:
-        logger.info(
+        logger.debug(
             "[_get_task_by_taskimport] "
             "No task group left after filtering by version."
         )
         return None
     elif len(final_matching_task_groups) == 1:
         final_task_group = final_matching_task_groups[0]
-        logger.info(
+        logger.debug(
             "[_get_task_by_taskimport] "
             "Found a single task group, after filtering by version."
         )
     else:
-        logger.info(
+        logger.debug(
             "[_get_task_by_taskimport] "
             f"Found {len(final_matching_task_groups)} task groups, "
             "after filtering by version."
@@ -184,7 +185,7 @@ async def _get_task_by_taskimport(
             default_group_id=default_group_id,
         )
         if final_task_group is None:
-            logger.info(
+            logger.debug(
                 "[_get_task_by_taskimport] Disambiguation returned None."
             )
             return None
@@ -199,22 +200,22 @@ async def _get_task_by_taskimport(
         None,
     )
 
-    logger.info(f"[_get_task_by_taskimport] END, {task_import=}, {task_id=}.")
+    logger.debug(f"[_get_task_by_taskimport] END, {task_import=}, {task_id=}.")
 
     return task_id
 
 
 @router.post(
     "/project/{project_id}/workflow/import/",
-    response_model=WorkflowReadV2WithWarnings,
+    response_model=WorkflowReadWithWarnings,
     status_code=status.HTTP_201_CREATED,
 )
 async def import_workflow(
     project_id: int,
-    workflow_import: WorkflowImportV2,
+    workflow_import: WorkflowImport,
     user: UserOAuth = Depends(current_user_act_ver_prof),
     db: AsyncSession = Depends(get_async_db),
-) -> WorkflowReadV2WithWarnings:
+) -> WorkflowReadWithWarnings:
     """
     Import an existing workflow into a project and create required objects.
     """
@@ -222,9 +223,10 @@ async def import_workflow(
     user_resource_id = await _get_user_resource_id(user_id=user.id, db=db)
 
     # Preliminary checks
-    await _get_project_check_owner(
+    await _get_project_check_access(
         project_id=project_id,
         user_id=user.id,
+        required_permissions=ProjectPermissions.WRITE,
         db=db,
     )
     await _check_workflow_exists(
@@ -244,7 +246,7 @@ async def import_workflow(
     list_task_ids = []
     for wf_task in workflow_import.task_list:
         task_import = wf_task.task
-        if isinstance(task_import, TaskImportV2Legacy):
+        if isinstance(task_import, TaskImportLegacy):
             task_id = await _get_task_by_source(
                 source=task_import.source,
                 task_groups_list=task_group_list,
@@ -262,7 +264,7 @@ async def import_workflow(
                 status_code=status.HTTP_422_UNPROCESSABLE_CONTENT,
                 detail=f"Could not find a task matching with {wf_task.task}.",
             )
-        new_wf_task = WorkflowTaskCreateV2(
+        new_wf_task = WorkflowTaskCreate(
             **wf_task.model_dump(exclude_none=True, exclude={"task"})
         )
         list_wf_tasks.append(new_wf_task)

fractal_server/app/routes/api/v2/workflowtask.py

@@ -11,12 +11,13 @@ from fractal_server.app.db import get_async_db
 from fractal_server.app.models import UserOAuth
 from fractal_server.app.routes.auth import current_user_act_ver_prof
 from fractal_server.app.schemas.v2 import TaskType
-from fractal_server.app.schemas.v2 import WorkflowTaskCreateV2
-from fractal_server.app.schemas.v2 import WorkflowTaskReadV2
-from fractal_server.app.schemas.v2 import WorkflowTaskUpdateV2
+from fractal_server.app.schemas.v2 import WorkflowTaskCreate
+from fractal_server.app.schemas.v2 import WorkflowTaskRead
+from fractal_server.app.schemas.v2 import WorkflowTaskUpdate
+from fractal_server.app.schemas.v2.sharing import ProjectPermissions
 
-from ._aux_functions import _get_workflow_check_owner
-from ._aux_functions import _get_workflow_task_check_owner
+from ._aux_functions import _get_workflow_check_access
+from ._aux_functions import _get_workflow_task_check_access
 from ._aux_functions import _workflow_has_submitted_job
 from ._aux_functions import _workflow_insert_task
 from ._aux_functions_tasks import _check_type_filters_compatibility
@@ -27,23 +28,27 @@ router = APIRouter()
 
 @router.post(
     "/project/{project_id}/workflow/{workflow_id}/wftask/",
-    response_model=WorkflowTaskReadV2,
+    response_model=WorkflowTaskRead,
     status_code=status.HTTP_201_CREATED,
 )
 async def create_workflowtask(
     project_id: int,
     workflow_id: int,
     task_id: int,
-    wftask: WorkflowTaskCreateV2,
+    wftask: WorkflowTaskCreate,
     user: UserOAuth = Depends(current_user_act_ver_prof),
     db: AsyncSession = Depends(get_async_db),
-) -> WorkflowTaskReadV2 | None:
+) -> WorkflowTaskRead | None:
     """
     Add a WorkflowTask to a Workflow
     """
 
-    workflow = await _get_workflow_check_owner(
-        project_id=project_id, workflow_id=workflow_id, user_id=user.id, db=db
+    workflow = await _get_workflow_check_access(
+        project_id=project_id,
+        workflow_id=workflow_id,
+        user_id=user.id,
+        required_permissions=ProjectPermissions.WRITE,
+        db=db,
     )
 
     task = await _get_task_read_access(
@@ -95,7 +100,7 @@ async def create_workflowtask(
 
 @router.get(
     "/project/{project_id}/workflow/{workflow_id}/wftask/{workflow_task_id}/",
-    response_model=WorkflowTaskReadV2,
+    response_model=WorkflowTaskRead,
 )
 async def read_workflowtask(
     project_id: int,
@@ -104,11 +109,12 @@ async def read_workflowtask(
     user: UserOAuth = Depends(current_user_act_ver_prof),
     db: AsyncSession = Depends(get_async_db),
 ):
-    workflow_task, _ = await _get_workflow_task_check_owner(
+    workflow_task, _ = await _get_workflow_task_check_access(
         project_id=project_id,
         workflow_task_id=workflow_task_id,
         workflow_id=workflow_id,
         user_id=user.id,
+        required_permissions=ProjectPermissions.READ,
         db=db,
     )
     return workflow_task
@@ -116,25 +122,26 @@ async def read_workflowtask(
 
 @router.patch(
     "/project/{project_id}/workflow/{workflow_id}/wftask/{workflow_task_id}/",
-    response_model=WorkflowTaskReadV2,
+    response_model=WorkflowTaskRead,
 )
 async def update_workflowtask(
     project_id: int,
     workflow_id: int,
     workflow_task_id: int,
-    workflow_task_update: WorkflowTaskUpdateV2,
+    workflow_task_update: WorkflowTaskUpdate,
     user: UserOAuth = Depends(current_user_act_ver_prof),
     db: AsyncSession = Depends(get_async_db),
-) -> WorkflowTaskReadV2 | None:
+) -> WorkflowTaskRead | None:
     """
     Edit a WorkflowTask of a Workflow
     """
 
-    db_wf_task, db_workflow = await _get_workflow_task_check_owner(
+    db_wf_task, db_workflow = await _get_workflow_task_check_access(
         project_id=project_id,
         workflow_task_id=workflow_task_id,
         workflow_id=workflow_id,
         user_id=user.id,
+        required_permissions=ProjectPermissions.WRITE,
         db=db,
     )
     if workflow_task_update.type_filters is not None:
@@ -215,11 +222,12 @@ async def delete_workflowtask(
     Delete a WorkflowTask of a Workflow
     """
 
-    db_workflow_task, db_workflow = await _get_workflow_task_check_owner(
+    db_workflow_task, db_workflow = await _get_workflow_task_check_access(
         project_id=project_id,
         workflow_task_id=workflow_task_id,
         workflow_id=workflow_id,
         user_id=user.id,
+        required_permissions=ProjectPermissions.WRITE,
         db=db,
     )
 

fractal_server/app/routes/auth/_aux_auth.py

@@ -1,12 +1,21 @@
+from os.path import normpath
+from pathlib import Path
+
 from fastapi import HTTPException
 from fastapi import status
 from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import and_
 from sqlmodel import asc
+from sqlmodel import not_
+from sqlmodel import or_
 from sqlmodel import select
 
 from fractal_server.app.models.linkusergroup import LinkUserGroup
+from fractal_server.app.models.linkuserproject import LinkUserProjectV2
 from fractal_server.app.models.security import UserGroup
 from fractal_server.app.models.security import UserOAuth
+from fractal_server.app.models.v2.dataset import DatasetV2
+from fractal_server.app.models.v2.project import ProjectV2
 from fractal_server.app.schemas.user import UserRead
 from fractal_server.app.schemas.user_group import UserGroupRead
 from fractal_server.config import get_settings
@@ -178,3 +187,94 @@ async def _verify_user_belongs_to_group(
                     f"to UserGroup {user_group_id}"
                 ),
             )
+
+
+async def _check_project_dirs_update(
+    *,
+    old_project_dirs: list[str],
+    new_project_dirs: list[str],
+    user_id: int,
+    db: AsyncSession,
+) -> None:
+    """
+    Raises 422 if by replacing user's `project_dirs` with new ones we are
+    removing the access to a `zarr_dir` used by some dataset.
+
+    Note both `old_project_dirs` and `new_project_dirs` have been
+    normalized through `os.path.normpath`, which notably strips any trailing
+    `/` character. To be safe, we also re-normalize them within this function.
+    """
+    # Create a list of all the old project dirs that will lose privileges.
+    # E.g.:
+    #   old_project_dirs = ["/a", "/b", "/c/d", "/e/f"]
+    #   new_project_dirs = ["/a", "/c", "/e/f/g1", "/e/f/g2"]
+    #   removed_project_dirs == ["/b", "/e/f"]
+    removed_project_dirs = [
+        old_project_dir
+        for old_project_dir in old_project_dirs
+        if not any(
+            Path(old_project_dir).is_relative_to(new_project_dir)
+            for new_project_dir in new_project_dirs
+        )
+    ]
+    if removed_project_dirs:
+        # Query all the `zarr_dir`s linked to the user such that `zarr_dir`
+        # starts with one of the project dirs in `removed_project_dirs`.
+        stmt = (
+            select(DatasetV2.zarr_dir)
+            .join(ProjectV2, ProjectV2.id == DatasetV2.project_id)
+            .join(
+                LinkUserProjectV2,
+                LinkUserProjectV2.project_id == ProjectV2.id,
+            )
+            .where(LinkUserProjectV2.user_id == user_id)
+            .where(LinkUserProjectV2.is_verified.is_(True))
+            .where(
+                or_(
+                    *[
+                        DatasetV2.zarr_dir.startswith(normpath(old_project_dir))
+                        for old_project_dir in removed_project_dirs
+                    ]
+                )
+            )
+        )
+        if new_project_dirs:
+            stmt = stmt.where(
+                and_(
+                    *[
+                        not_(
+                            DatasetV2.zarr_dir.startswith(
+                                normpath(new_project_dir)
+                            )
+                        )
+                        for new_project_dir in new_project_dirs
+                    ]
+                )
+            )
+        res = await db.execute(stmt)
+
+        # Raise 422 if one of the query results is relative to a path in
+        # `removed_project_dirs`, but its not relative to any path in
+        # `new_project_dirs`.
+        if any(
+            (
+                any(
+                    Path(zarr_dir).is_relative_to(old_project_dir)
+                    for old_project_dir in removed_project_dirs
+                )
+                and not any(
+                    Path(zarr_dir).is_relative_to(new_project_dir)
+                    for new_project_dir in new_project_dirs
+                )
+            )
+            for zarr_dir in res.scalars().all()
+        ):
+            raise HTTPException(
+                status_code=status.HTTP_422_UNPROCESSABLE_CONTENT,
+                detail=(
+                    "You tried updating the user project_dirs, removing "
+                    f"{removed_project_dirs}. This operation is not possible, "
+                    "because it would make the user loose access to some of "
+                    "their dataset zarr directories."
+                ),
+            )

fractal_server/app/routes/auth/current_user.py

@@ -2,21 +2,16 @@
 Definition of `/auth/current-user/` endpoints
 """
 
-import os
-
 from fastapi import APIRouter
 from fastapi import Depends
 from sqlalchemy.ext.asyncio import AsyncSession
 from sqlmodel import select
 
 from fractal_server.app.db import get_async_db
-from fractal_server.app.models import LinkUserGroup
 from fractal_server.app.models import Profile
 from fractal_server.app.models import Resource
-from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
 from fractal_server.app.routes.auth import current_user_act
-from fractal_server.app.routes.auth import current_user_act_ver
 from fractal_server.app.routes.auth._aux_auth import (
     _get_single_user_with_groups,
 )
@@ -26,9 +21,6 @@ from fractal_server.app.schemas.user import UserUpdate
 from fractal_server.app.schemas.user import UserUpdateStrict
 from fractal_server.app.security import UserManager
 from fractal_server.app.security import get_user_manager
-from fractal_server.config import DataAuthScheme
-from fractal_server.config import get_data_settings
-from fractal_server.syringe import Inject
 
 router_current_user = APIRouter()
 
@@ -106,58 +98,3 @@ async def get_current_user_profile_info(
         )
 
     return response_data
-
-
-@router_current_user.get(
-    "/current-user/allowed-viewer-paths/", response_model=list[str]
-)
-async def get_current_user_allowed_viewer_paths(
-    current_user: UserOAuth = Depends(current_user_act_ver),
-    db: AsyncSession = Depends(get_async_db),
-) -> list[str]:
-    """
-    Returns the allowed viewer paths for current user, according to the
-    selected FRACTAL_DATA_AUTH_SCHEME
-    """
-
-    data_settings = Inject(get_data_settings)
-
-    authorized_paths = []
-
-    if data_settings.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.NONE:
-        return authorized_paths
-
-    # Append `project_dir` to the list of authorized paths
-    authorized_paths.append(current_user.project_dir)
-
-    # If auth scheme is "users-folders" and `slurm_user` is set,
-    # build and append the user folder
-    if (
-        data_settings.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.USERS_FOLDERS
-        and current_user.profile_id is not None
-    ):
-        profile = await db.get(Profile, current_user.profile_id)
-        if profile is not None and profile.username is not None:
-            base_folder = data_settings.FRACTAL_DATA_BASE_FOLDER
-            user_folder = os.path.join(base_folder, profile.username)
-            authorized_paths.append(user_folder)
-
-    if data_settings.FRACTAL_DATA_AUTH_SCHEME == DataAuthScheme.VIEWER_PATHS:
-        # Returns the union of `viewer_paths` for all user's groups
-        cmd = (
-            select(UserGroup.viewer_paths)
-            .join(LinkUserGroup, LinkUserGroup.group_id == UserGroup.id)
-            .where(LinkUserGroup.user_id == current_user.id)
-        )
-        res = await db.execute(cmd)
-        viewer_paths_nested = res.scalars().all()
-
-        # Flatten a nested object and make its elements unique
-        all_viewer_paths_set = {
-            path
-            for _viewer_paths in viewer_paths_nested
-            for path in _viewer_paths
-        }
-        authorized_paths.extend(all_viewer_paths_set)
-
-    return authorized_paths

fractal_server/app/routes/auth/group.py

@@ -16,7 +16,6 @@ from fractal_server.app.models import UserGroup
 from fractal_server.app.models import UserOAuth
 from fractal_server.app.schemas.user_group import UserGroupCreate
 from fractal_server.app.schemas.user_group import UserGroupRead
-from fractal_server.app.schemas.user_group import UserGroupUpdate
 from fractal_server.config import get_settings
 from fractal_server.logger import set_logger
 from fractal_server.syringe import Inject
@@ -101,41 +100,13 @@ async def create_single_group(
         )
 
     # Create and return new group
-    new_group = UserGroup(
-        name=group_create.name, viewer_paths=group_create.viewer_paths
-    )
+    new_group = UserGroup(name=group_create.name)
     db.add(new_group)
     await db.commit()
 
     return dict(new_group.model_dump(), user_ids=[])
 
 
-@router_group.patch(
-    "/group/{group_id}/",
-    response_model=UserGroupRead,
-    status_code=status.HTTP_200_OK,
-)
-async def update_single_group(
-    group_id: int,
-    group_update: UserGroupUpdate,
-    user: UserOAuth = Depends(current_superuser_act),
-    db: AsyncSession = Depends(get_async_db),
-) -> UserGroupRead:
-    group = await _usergroup_or_404(group_id, db)
-
-    # Patch `viewer_paths`
-    if group_update.viewer_paths is not None:
-        group.viewer_paths = group_update.viewer_paths
-        db.add(group)
-        await db.commit()
-
-    updated_group = await _get_single_usergroup_with_user_ids(
-        group_id=group_id, db=db
-    )
-
-    return updated_group
-
-
 @router_group.delete("/group/{group_id}/", status_code=204)
 async def delete_single_group(
     group_id: int,

fractal_server/app/routes/auth/router.py

@@ -6,6 +6,7 @@ from .login import router_login
 from .oauth import get_oauth_router
 from .register import router_register
 from .users import router_users
+from .viewer_paths import router_viewer_paths
 
 router_auth = APIRouter()
 
@@ -14,6 +15,7 @@ router_auth.include_router(router_current_user)
 router_auth.include_router(router_login)
 router_auth.include_router(router_users)
 router_auth.include_router(router_group)
+router_auth.include_router(router_viewer_paths)
 router_oauth = get_oauth_router()
 if router_oauth is not None:
     router_auth.include_router(router_oauth)

fractal_server/app/routes/auth/users.py

@@ -28,6 +28,7 @@ from fractal_server.logger import set_logger
 from fractal_server.syringe import Inject
 
 from . import current_superuser_act
+from ._aux_auth import _check_project_dirs_update
 from ._aux_auth import _get_default_usergroup_id_or_none
 from ._aux_auth import _get_single_user_with_groups
 
@@ -74,6 +75,14 @@ async def patch_user(
                 detail=f"Profile {user_update.profile_id} not found.",
             )
 
+    if user_update.project_dirs is not None:
+        await _check_project_dirs_update(
+            old_project_dirs=user_to_patch.project_dirs,
+            new_project_dirs=user_update.project_dirs,
+            user_id=user_id,
+            db=db,
+        )
+
     # Modify user attributes
     try:
         user = await user_manager.update(

fractal_server/app/routes/auth/viewer_paths.py

@@ -0,0 +1,43 @@
+from fastapi import APIRouter
+from fastapi import Depends
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import select
+
+from fractal_server.app.db import get_async_db
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.models.linkuserproject import LinkUserProjectV2
+from fractal_server.app.models.v2.dataset import DatasetV2
+from fractal_server.app.models.v2.project import ProjectV2
+from fractal_server.app.routes.auth import current_user_act_ver
+
+router_viewer_paths = APIRouter()
+
+
+@router_viewer_paths.get(
+    "/current-user/allowed-viewer-paths/", response_model=list[str]
+)
+async def get_current_user_allowed_viewer_paths(
+    include_shared_projects: bool = True,
+    current_user: UserOAuth = Depends(current_user_act_ver),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[str]:
+    """
+    Returns the allowed viewer paths for current user.
+    """
+    authorized_paths = current_user.project_dirs.copy()
+
+    if include_shared_projects:
+        res = await db.execute(
+            select(DatasetV2.zarr_dir)
+            .join(ProjectV2, ProjectV2.id == DatasetV2.project_id)
+            .join(
+                LinkUserProjectV2, LinkUserProjectV2.project_id == ProjectV2.id
+            )
+            .where(LinkUserProjectV2.user_id == current_user.id)
+            .where(LinkUserProjectV2.is_verified.is_(True))
+        )
+        authorized_paths.extend(res.unique().scalars().all())
+        # Note that `project_dirs` and the `db.execute` result may have some
+        # common elements, and then this list may have non-unique items.
+
+    return authorized_paths