Proposal(s), Session(s), and related entities#
Authorization is applied to all user facing resources in py-ISPyB and different permissions are available to grant users and staff access to entities related to the core of ISPyB. These include but not limited to:
- Proposal
- Protein, Crystal, BLSample, Shipping, LabContact
- BLSession, DataCollectionGroup, DataCollection
etc ...
The authorization rules are applied in four ways:
Users#
- A user can access entities related to a Proposal and the DataCollection(s) in which they are a member of one or more Session(s) [linked via SessionHasPerson]. This is an intrinsic permission and is the default behaviour if the user has no other permissions.
- A user can access entities related to all Session(s) in a Proposal [linked via ProposalHasPerson]
Administrators#
- An administrator can view all Sessions on a Proposal for specific beamline(s) via a
BeamLineGroup
permission - An administrator can access all Sessions and Proposals via
all_proposals
BeamLineGroups#
Beamline groups provide a way to grant access to all Proposals, Sessions and related entities to a set of staff members for a particular group of beamlines.
For example:
"beamLineGroups": [
{
"groupName": "BL0x",
"uiGroup": "mx",
"permission": "bl0_admin",
"beamlines": [
{"beamLineName": "BL01"},
{"beamLineName": "BL02"},
],
},
]
A staff member with the bl0_admin
permission will be able to access Proposal(s) and Session(s) allocated on beamlines BL01
and BL02
, but not other beamlines. uiGroup
specifies how this group should be rendered in the UI.
Permissions#
Routes can require a specific permission by using the permission
dependency.
from pyispyb.dependencies import permission
@router.get(
"/path",
)
def get_something(depends: bool = Depends(permission("my_permission"))):
...
Deprecated Authorization Mechanisms#
These functions are deprecated and currently only used in the legacy API resources. They should not be used for new developments.
Authorization dependencies#
The following decorators can be used to manage authentication and authorization rules.
permission_required(operator, [permissions])
#
Makes the route only accessible to users with the specified permissions.
operator
is either"any"
User should have any of the specified permissions"all"
User should have all of the specified permissions
proposal_authorisation
#
Verifies that the user is associated to the requested proposal. To do so, it uses the proposal_id
parameter.
User must verify any of the following conditions :
Person.personId = Proposal.personId
Person.personId = ProposalHasPerson.personId and ProposalHasPerson.proposalId = Proposal.proposalId
- has permission
all_proposals
session_authorisation
#
Verifies that the user is associated to the requested session. To do so, it uses the session_id
parameter.
User must verify any of the following conditions :
Person.personId = Session_has_Person.personId and Session_has_Person.sessionId = BLSession.sessionId
BLSession.proposalId = Proposal.proposalId and Person.personId = Proposal.personId
- has permission
all_sessions