fractal-server 2.3.11__py3-none-any.whl → 2.4.0a1__py3-none-any.whl

fractal_server/app/routes/api/v2/task.py

@@ -18,10 +18,10 @@ from ....models.v2 import WorkflowV2
 from ....schemas.v2 import TaskCreateV2
 from ....schemas.v2 import TaskReadV2
 from ....schemas.v2 import TaskUpdateV2
-from ....security import current_active_user
-from ....security import current_active_verified_user
-from ....security import User
 from ._aux_functions import _get_task_check_owner
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth import current_active_user
+from fractal_server.app.routes.auth import current_active_verified_user
 
 router = APIRouter()
 
@@ -32,7 +32,7 @@ logger = set_logger(__name__)
 async def get_list_task(
     args_schema_parallel: bool = True,
     args_schema_non_parallel: bool = True,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[TaskReadV2]:
     """
@@ -55,7 +55,7 @@ async def get_list_task(
 @router.get("/{task_id}/", response_model=TaskReadV2)
 async def get_task(
     task_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> TaskReadV2:
     """
@@ -74,7 +74,7 @@ async def get_task(
 async def patch_task(
     task_id: int,
     task_update: TaskUpdateV2,
-    user: User = Depends(current_active_verified_user),
+    user: UserOAuth = Depends(current_active_verified_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[TaskReadV2]:
     """
@@ -111,7 +111,7 @@ async def patch_task(
 )
 async def create_task(
     task: TaskCreateV2,
-    user: User = Depends(current_active_verified_user),
+    user: UserOAuth = Depends(current_active_verified_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[TaskReadV2]:
     """
@@ -193,7 +193,7 @@ async def create_task(
 @router.delete("/{task_id}/", status_code=204)
 async def delete_task(
     task_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Response:
     """

fractal_server/app/routes/api/v2/task_collection.py

@@ -25,9 +25,9 @@ from ....schemas.v2 import CollectionStateReadV2
 from ....schemas.v2 import CollectionStatusV2
 from ....schemas.v2 import TaskCollectPipV2
 from ....schemas.v2 import TaskReadV2
-from ....security import current_active_user
-from ....security import current_active_verified_user
-from ....security import User
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth import current_active_user
+from fractal_server.app.routes.auth import current_active_verified_user
 from fractal_server.string_tools import slugify_task_name_for_source
 from fractal_server.tasks.utils import get_absolute_venv_path
 from fractal_server.tasks.utils import get_collection_log
@@ -69,7 +69,7 @@ async def collect_tasks_pip(
     background_tasks: BackgroundTasks,
     response: Response,
     request: Request,
-    user: User = Depends(current_active_verified_user),
+    user: UserOAuth = Depends(current_active_verified_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> CollectionStateReadV2:
     """
@@ -289,7 +289,7 @@ async def collect_tasks_pip(
 @router.get("/collect/{state_id}/", response_model=CollectionStateReadV2)
 async def check_collection_status(
     state_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     verbose: bool = False,
     db: AsyncSession = Depends(get_async_db),
 ) -> CollectionStateReadV2:  # State[TaskCollectStatus]

fractal_server/app/routes/api/v2/task_collection_custom.py

@@ -18,8 +18,8 @@ from ....models.v2 import TaskV2
 from ....schemas.v2 import TaskCollectCustomV2
 from ....schemas.v2 import TaskCreateV2
 from ....schemas.v2 import TaskReadV2
-from ....security import current_active_verified_user
-from ....security import User
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth import current_active_verified_user
 from fractal_server.tasks.v2.background_operations import _insert_tasks
 from fractal_server.tasks.v2.background_operations import (
     _prepare_tasks_metadata,
@@ -36,7 +36,7 @@ logger = set_logger(__name__)
 )
 async def collect_task_custom(
     task_collect: TaskCollectCustomV2,
-    user: User = Depends(current_active_verified_user),
+    user: UserOAuth = Depends(current_active_verified_user),
     db: DBSyncSession = Depends(get_sync_db),
 ) -> list[TaskReadV2]:
 

fractal_server/app/routes/api/v2/task_legacy.py

@@ -4,13 +4,13 @@ from fastapi import HTTPException
 from fastapi import status
 from sqlmodel import select
 
-from .....logger import set_logger
-from ....db import AsyncSession
-from ....db import get_async_db
-from ....models.v1 import Task as TaskV1
-from ....schemas.v2 import TaskLegacyReadV2
-from ....security import current_active_user
-from ....security import User
+from fractal_server.app.db import AsyncSession
+from fractal_server.app.db import get_async_db
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.models.v1 import Task as TaskV1
+from fractal_server.app.routes.auth import current_active_user
+from fractal_server.app.schemas.v2 import TaskLegacyReadV2
+from fractal_server.logger import set_logger
 
 router = APIRouter()
 
@@ -21,7 +21,7 @@ logger = set_logger(__name__)
 async def get_list_task_legacy(
     args_schema: bool = True,
     only_v2_compatible: bool = False,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[TaskLegacyReadV2]:
     """
@@ -43,7 +43,7 @@ async def get_list_task_legacy(
 @router.get("/{task_id}/", response_model=TaskLegacyReadV2)
 async def get_task_legacy(
     task_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> TaskLegacyReadV2:
     """

fractal_server/app/routes/api/v2/workflow.py

@@ -22,13 +22,13 @@ from ....schemas.v2 import WorkflowImportV2
 from ....schemas.v2 import WorkflowReadV2
 from ....schemas.v2 import WorkflowTaskCreateV2
 from ....schemas.v2 import WorkflowUpdateV2
-from ....security import current_active_user
-from ....security import User
 from ._aux_functions import _check_workflow_exists
 from ._aux_functions import _get_project_check_owner
 from ._aux_functions import _get_submitted_jobs_statement
 from ._aux_functions import _get_workflow_check_owner
 from ._aux_functions import _workflow_insert_task
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth import current_active_user
 
 
 router = APIRouter()
@@ -40,7 +40,7 @@ router = APIRouter()
 )
 async def get_workflow_list(
     project_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[list[WorkflowReadV2]]:
     """
@@ -67,7 +67,7 @@ async def get_workflow_list(
 async def create_workflow(
     project_id: int,
     workflow: WorkflowCreateV2,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowReadV2]:
     """
@@ -95,7 +95,7 @@ async def create_workflow(
 async def read_workflow(
     project_id: int,
     workflow_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowReadV2]:
     """
@@ -120,7 +120,7 @@ async def update_workflow(
     project_id: int,
     workflow_id: int,
     patch: WorkflowUpdateV2,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowReadV2]:
     """
@@ -174,7 +174,7 @@ async def update_workflow(
 async def delete_workflow(
     project_id: int,
     workflow_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Response:
     """
@@ -227,7 +227,7 @@ async def delete_workflow(
 async def export_worfklow(
     project_id: int,
     workflow_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowExportV2]:
     """
@@ -273,7 +273,7 @@ async def export_worfklow(
 async def import_workflow(
     project_id: int,
     workflow: WorkflowImportV2,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowReadV2]:
     """
@@ -365,7 +365,7 @@ async def import_workflow(
 
 @router.get("/workflow/", response_model=list[WorkflowReadV2])
 async def get_user_workflows(
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> list[WorkflowReadV2]:
     """
@@ -373,7 +373,7 @@ async def get_user_workflows(
     """
     stm = select(WorkflowV2)
     stm = stm.join(ProjectV2).where(
-        ProjectV2.user_list.any(User.id == user.id)
+        ProjectV2.user_list.any(UserOAuth.id == user.id)
     )
     res = await db.execute(stm)
     workflow_list = res.scalars().all()

fractal_server/app/routes/api/v2/workflowtask.py

@@ -14,11 +14,11 @@ from ....models.v2 import TaskV2
 from ....schemas.v2 import WorkflowTaskCreateV2
 from ....schemas.v2 import WorkflowTaskReadV2
 from ....schemas.v2 import WorkflowTaskUpdateV2
-from ....security import current_active_user
-from ....security import User
 from ._aux_functions import _get_workflow_check_owner
 from ._aux_functions import _get_workflow_task_check_owner
 from ._aux_functions import _workflow_insert_task
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.routes.auth import current_active_user
 
 router = APIRouter()
 
@@ -33,7 +33,7 @@ async def create_workflowtask(
     workflow_id: int,
     task_id: int,
     new_task: WorkflowTaskCreateV2,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowTaskReadV2]:
     """
@@ -117,7 +117,7 @@ async def read_workflowtask(
     project_id: int,
     workflow_id: int,
     workflow_task_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ):
     workflow_task, _ = await _get_workflow_task_check_owner(
@@ -139,7 +139,7 @@ async def update_workflowtask(
     workflow_id: int,
     workflow_task_id: int,
     workflow_task_update: WorkflowTaskUpdateV2,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Optional[WorkflowTaskReadV2]:
     """
@@ -223,7 +223,7 @@ async def delete_workflowtask(
     project_id: int,
     workflow_id: int,
     workflow_task_id: int,
-    user: User = Depends(current_active_user),
+    user: UserOAuth = Depends(current_active_user),
     db: AsyncSession = Depends(get_async_db),
 ) -> Response:
     """

fractal_server/app/routes/auth/__init__.py

@@ -0,0 +1,55 @@
+from fastapi_users import FastAPIUsers
+from fastapi_users.authentication import AuthenticationBackend
+from fastapi_users.authentication import BearerTransport
+from fastapi_users.authentication import CookieTransport
+from fastapi_users.authentication import JWTStrategy
+
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.security import get_user_manager
+from fractal_server.config import get_settings
+from fractal_server.syringe import Inject
+
+
+bearer_transport = BearerTransport(tokenUrl="/auth/token/login")
+cookie_transport = CookieTransport(cookie_samesite="none")
+
+
+def get_jwt_strategy() -> JWTStrategy:
+    settings = Inject(get_settings)
+    return JWTStrategy(
+        secret=settings.JWT_SECRET_KEY,  # type: ignore
+        lifetime_seconds=settings.JWT_EXPIRE_SECONDS,
+    )
+
+
+def get_jwt_cookie_strategy() -> JWTStrategy:
+    settings = Inject(get_settings)
+    return JWTStrategy(
+        secret=settings.JWT_SECRET_KEY,  # type: ignore
+        lifetime_seconds=settings.COOKIE_EXPIRE_SECONDS,
+    )
+
+
+token_backend = AuthenticationBackend(
+    name="bearer-jwt",
+    transport=bearer_transport,
+    get_strategy=get_jwt_strategy,
+)
+cookie_backend = AuthenticationBackend(
+    name="cookie-jwt",
+    transport=cookie_transport,
+    get_strategy=get_jwt_cookie_strategy,
+)
+
+
+fastapi_users = FastAPIUsers[UserOAuth, int](
+    get_user_manager,
+    [token_backend, cookie_backend],
+)
+current_active_user = fastapi_users.current_user(active=True)
+current_active_verified_user = fastapi_users.current_user(
+    active=True, verified=True
+)
+current_active_superuser = fastapi_users.current_user(
+    active=True, superuser=True
+)

fractal_server/app/routes/auth/_aux_auth.py

@@ -0,0 +1,107 @@
+from fastapi import HTTPException
+from fastapi import status
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import select
+
+from ...models.linkusergroup import LinkUserGroup
+from ...models.security import UserGroup
+from ...models.security import UserOAuth
+from ...schemas.user import UserRead
+from ...schemas.user_group import UserGroupRead
+
+
+async def _get_single_user_with_group_names(
+    user: UserOAuth,
+    db: AsyncSession,
+) -> UserRead:
+    """
+    Enrich a user object by filling its `group_names` attribute.
+
+    Arguments:
+        user: The current `UserOAuth` object
+        db: Async db session
+
+    Returns:
+        A `UserRead` object with `group_names` set
+    """
+    stm_groups = (
+        select(UserGroup)
+        .join(LinkUserGroup)
+        .where(LinkUserGroup.user_id == UserOAuth.id)
+    )
+    res = await db.execute(stm_groups)
+    groups = res.scalars().unique().all()
+    group_names = [group.name for group in groups]
+    return UserRead(**user.model_dump(), group_names=group_names)
+
+
+async def _get_single_user_with_group_ids(
+    user: UserOAuth,
+    db: AsyncSession,
+) -> UserRead:
+    """
+    Enrich a user object by filling its `group_ids` attribute.
+
+    Arguments:
+        user: The current `UserOAuth` object
+        db: Async db session
+
+    Returns:
+        A `UserRead` object with `group_ids` set
+    """
+    stm_links = select(LinkUserGroup).where(LinkUserGroup.user_id == user.id)
+    res = await db.execute(stm_links)
+    links = res.scalars().unique().all()
+    group_ids = [link.group_id for link in links]
+    return UserRead(**user.model_dump(), group_ids=group_ids)
+
+
+async def _get_single_group_with_user_ids(
+    group_id: int, db: AsyncSession
+) -> UserGroupRead:
+    """
+    Get a group, and construct its `user_ids` list.
+
+    Arguments:
+        group_id:
+        db:
+
+    Returns:
+        `UserGroupRead` object, with `user_ids` attribute populated
+        from database.
+    """
+    # Get the UserGroup object from the database
+    stm_group = select(UserGroup).where(UserGroup.id == group_id)
+    res = await db.execute(stm_group)
+    group = res.scalars().one_or_none()
+    if group is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=f"Group {group_id} not found.",
+        )
+
+    # Get all user/group links
+    stm_links = select(LinkUserGroup).where(LinkUserGroup.group_id == group_id)
+    res = await db.execute(stm_links)
+    links = res.scalars().all()
+    user_ids = [link.user_id for link in links]
+
+    return UserGroupRead(**group.model_dump(), user_ids=user_ids)
+
+
+async def _user_or_404(user_id: int, db: AsyncSession) -> UserOAuth:
+    """
+    Get a user from db, or raise a 404 HTTP exception if missing.
+
+    Arguments:
+        user_id: ID of the user
+        db: Async db session
+    """
+    stm = select(UserOAuth).where(UserOAuth.id == user_id)
+    res = await db.execute(stm)
+    user = res.scalars().unique().one_or_none()
+    if user is None:
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND, detail="User not found."
+        )
+    return user

fractal_server/app/routes/auth/current_user.py

@@ -0,0 +1,60 @@
+"""
+Definition of `/auth/current-user/` endpoints
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi_users import schemas
+from sqlalchemy.ext.asyncio import AsyncSession
+
+from . import current_active_user
+from ...db import get_async_db
+from ...schemas.user import UserRead
+from ...schemas.user import UserUpdate
+from ...schemas.user import UserUpdateStrict
+from ._aux_auth import _get_single_user_with_group_names
+from fractal_server.app.models import UserOAuth
+from fractal_server.app.security import get_user_manager
+from fractal_server.app.security import UserManager
+
+router_current_user = APIRouter()
+
+
+@router_current_user.get("/current-user/", response_model=UserRead)
+async def get_current_user(
+    group_names: bool = False,
+    user: UserOAuth = Depends(current_active_user),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """
+    Return current user
+    """
+    if group_names is True:
+        user_with_groups = await _get_single_user_with_group_names(user, db)
+        return user_with_groups
+    else:
+        return user
+
+
+@router_current_user.patch("/current-user/", response_model=UserRead)
+async def patch_current_user(
+    user_update: UserUpdateStrict,
+    current_user: UserOAuth = Depends(current_active_user),
+    user_manager: UserManager = Depends(get_user_manager),
+    db: AsyncSession = Depends(get_async_db),
+):
+    """
+    Note: a user cannot patch their own password (as enforced within the
+    `UserUpdateStrict` schema).
+    """
+    update = UserUpdate(**user_update.dict(exclude_unset=True))
+
+    # NOTE: here it would be relevant to catch an `InvalidPasswordException`
+    # (from `fastapi_users.exceptions`), if we were to allow users change
+    # their own password
+    user = await user_manager.update(update, current_user, safe=True)
+    patched_user = schemas.model_validate(UserOAuth, user)
+
+    patched_user_with_groups = await _get_single_user_with_group_names(
+        patched_user, db
+    )
+    return patched_user_with_groups

fractal_server/app/routes/auth/group.py

@@ -0,0 +1,159 @@
+"""
+Definition of `/auth/group/` routes
+"""
+from fastapi import APIRouter
+from fastapi import Depends
+from fastapi import HTTPException
+from fastapi import status
+from sqlalchemy.ext.asyncio import AsyncSession
+from sqlmodel import col
+from sqlmodel import func
+from sqlmodel import select
+
+from . import current_active_superuser
+from ...db import get_async_db
+from ...schemas.user_group import UserGroupCreate
+from ...schemas.user_group import UserGroupRead
+from ...schemas.user_group import UserGroupUpdate
+from ._aux_auth import _get_single_group_with_user_ids
+from fractal_server.app.models import LinkUserGroup
+from fractal_server.app.models import UserGroup
+from fractal_server.app.models import UserOAuth
+
+router_group = APIRouter()
+
+
+@router_group.get(
+    "/group/", response_model=list[UserGroupRead], status_code=200
+)
+async def get_list_user_groups(
+    user_ids: bool = False,
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> list[UserGroupRead]:
+
+    # Get all groups
+    stm_all_groups = select(UserGroup)
+    res = await db.execute(stm_all_groups)
+    groups = res.scalars().all()
+
+    if user_ids is True:
+        # Get all user/group links
+        stm_all_links = select(LinkUserGroup)
+        res = await db.execute(stm_all_links)
+        links = res.scalars().all()
+
+        # TODO: possible optimizations for this construction are listed in
+        # https://github.com/fractal-analytics-platform/fractal-server/issues/1742
+        for ind, group in enumerate(groups):
+            groups[ind] = dict(
+                group.model_dump(),
+                user_ids=[
+                    link.user_id for link in links if link.group_id == group.id
+                ],
+            )
+
+    return groups
+
+
+@router_group.get(
+    "/group/{group_id}/",
+    response_model=UserGroupRead,
+    status_code=status.HTTP_200_OK,
+)
+async def get_single_user_group(
+    group_id: int,
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> UserGroupRead:
+    group = await _get_single_group_with_user_ids(group_id=group_id, db=db)
+    return group
+
+
+@router_group.post(
+    "/group/",
+    response_model=UserGroupRead,
+    status_code=status.HTTP_201_CREATED,
+)
+async def create_single_group(
+    group_create: UserGroupCreate,
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> UserGroupRead:
+
+    # Check that name is not already in use
+    existing_name_str = select(UserGroup).where(
+        UserGroup.name == group_create.name
+    )
+    res = await db.execute(existing_name_str)
+    group = res.scalars().one_or_none()
+    if group is not None:
+        raise HTTPException(
+            status_code=422, detail="A group with the same name already exists"
+        )
+
+    # Create and return new group
+    new_group = UserGroup(name=group_create.name)
+    db.add(new_group)
+    await db.commit()
+
+    return dict(new_group.model_dump(), user_ids=[])
+
+
+@router_group.patch(
+    "/group/{group_id}/",
+    response_model=UserGroupRead,
+    status_code=status.HTTP_200_OK,
+)
+async def update_single_group(
+    group_id: int,
+    group_update: UserGroupUpdate,
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> UserGroupRead:
+
+    # Check that all required users exist
+    # Note: The reason for introducing `col` is as in
+    # https://sqlmodel.tiangolo.com/tutorial/where/#type-annotations-and-errors,
+    stm = select(func.count()).where(
+        col(UserOAuth.id).in_(group_update.new_user_ids)
+    )
+    res = await db.execute(stm)
+    number_matching_users = res.scalar()
+    if number_matching_users != len(group_update.new_user_ids):
+        raise HTTPException(
+            status_code=status.HTTP_404_NOT_FOUND,
+            detail=(
+                f"Not all requested users (IDs {group_update.new_user_ids}) "
+                "exist."
+            ),
+        )
+
+    # Add new users to existing group
+    for user_id in group_update.new_user_ids:
+        link = LinkUserGroup(user_id=user_id, group_id=group_id)
+        db.add(link)
+    await db.commit()
+
+    updated_group = await _get_single_group_with_user_ids(
+        group_id=group_id, db=db
+    )
+
+    return updated_group
+
+
+@router_group.delete(
+    "/group/{group_id}/", status_code=status.HTTP_405_METHOD_NOT_ALLOWED
+)
+async def delete_single_group(
+    group_id: int,
+    user: UserOAuth = Depends(current_active_superuser),
+    db: AsyncSession = Depends(get_async_db),
+) -> UserGroupRead:
+    raise HTTPException(
+        status_code=status.HTTP_405_METHOD_NOT_ALLOWED,
+        detail=(
+            "Deleting a user group is not allowed, as it may restrict "
+            "previously-granted access.",
+        ),
+    )