fix(backend): update check_access logic to allow checking for org_man…

…ager to a project (#1892)
hotosm · Nov 18, 2024 · ef91d88 · ef91d88
1 parent 81556cb
commit ef91d88
Showing 1 changed file with 20 additions and 8 deletions.
diff --git a/src/backend/app/auth/roles.py b/src/backend/app/auth/roles.py
@@ -69,9 +69,11 @@ async def check_access(
     - For other roles, access is granted if the user is an organisation manager
       for the specified organisation (org_id) or has the specified role
       in the specified project (project_id).
+    - If only project_id is provided, the user's organization manager status
+      for the organization linked to the project is also checked.
 
     Args:
-        user (AuthUser, int): AuthUser object, or user ID.
+        user (AuthUser): AuthUser object, or user ID.
         db (Connection): The database connection.
         org_id (Optional[int]): Org ID for organisation-specific access.
         project_id (Optional[int]): Project ID for project-specific access.
@@ -96,14 +98,27 @@ async def check_access(
                             SELECT 1
                             FROM organisation_managers
                             WHERE organisation_managers.user_id = %(user_id)s
-                            AND organisation_managers.organisation_id = %(org_id)s
+                              AND
+                              organisation_managers.organisation_id = %(org_id)s
                         )
                         OR EXISTS (
                             SELECT 1
                             FROM user_roles
                             WHERE user_roles.user_id = %(user_id)s
-                            AND user_roles.project_id = %(project_id)s
-                            AND user_roles.role >= %(role)s
+                              AND user_roles.project_id = %(project_id)s
+                              AND user_roles.role >= %(role)s
+                        )
+                        OR (
+                            %(org_id)s IS NULL
+                            AND EXISTS (
+                                SELECT 1
+                                FROM organisation_managers
+                                JOIN projects ON
+                                  projects.organisation_id
+                                    = organisation_managers.organisation_id
+                                WHERE organisation_managers.user_id = %(user_id)s
+                                  AND projects.id = %(project_id)s
+                            )
                         )
                 END
             );
@@ -121,10 +136,7 @@ async def check_access(
         )
         db_user = await cur.fetchone()
 
-    if db_user:
-        return db_user
-
-    return None
+    return db_user if db_user else None
 
 
 async def super_admin(