Add feature: effective grant management for users

diveshjain-phy · diveshjain-phy · commit 212515e555c2 · 2025-06-06T17:20:14.000+01:00
diff --git a/soauth/database/user.py b/soauth/database/user.py
@@ -87,13 +87,33 @@ def remove_grant(self, grant: str):
 
         self.grants = " ".join([x for x in self.grants.split(" ") if x != grant])
 
+    def get_effective_grants(self) -> set[str]:
+        """Get all grants from user + all groups they're members of."""
+        all_grants = set()
+        
+        # Add user's individual grants
+        if self.grants:
+            all_grants.update(self.grants.split())
+        
+        # Add grants from all groups
+        for group in self.groups:
+            if group.grants:
+                all_grants.update(group.grants.split())
+        
+        return set(all_grants)
+
+    def has_effective_grant(self, grant: str) -> bool:
+        """Check if user has grant either individually or through groups."""
+        return grant in self.get_effective_grants()
+
     def to_core(self, include_groups=True) -> UserData:
+        effective_grants = self.get_effective_grants()
         return UserData(
             user_id=self.user_id,
             user_name=self.user_name,
             full_name=self.full_name,
             email=self.email,
-            grants=set(self.grants.split(" ")),
+            grants=effective_grants,
             group_names=[x.group_name for x in self.groups] if include_groups else None,
             group_ids=[str(x.group_id) for x in self.groups]
             if include_groups
diff --git a/tests/test_service/test_user.py b/tests/test_service/test_user.py
@@ -35,7 +35,7 @@ async def test_create_user(server_settings, session_manager, logger):
             user = await user_service.read_by_id(user_id=USER_ID, conn=conn)
 
             assert len(user.groups) > 0
-            assert user.has_grant("test_grant")
+            assert user.has_effective_grant("test_grant")
 
     async with session_manager.session() as conn:
         async with conn.begin():
@@ -47,7 +47,7 @@ async def test_create_user(server_settings, session_manager, logger):
         async with conn.begin():
             user = await user_service.read_by_id(user_id=USER_ID, conn=conn)
 
-            assert not user.has_grant("test_grant")
+            assert not user.has_effective_grant("test_grant")
 
     async with session_manager.session() as conn:
         async with conn.begin():
@@ -64,6 +64,52 @@ async def test_create_user(server_settings, session_manager, logger):
                 user = await user_service.read_by_name(user_name=USER_NAME, conn=conn)
 
 
+@pytest.mark.asyncio(loop_scope="session")
+async def test_user_effective_grants_with_group(server_settings, session_manager, logger):
+    async with session_manager.session() as conn:
+        async with conn.begin():
+            # Create a new user
+            user = await user_service.create(
+                user_name="test_user",
+                email="test_user@email.com",
+                full_name="Test User Group Grants",
+                grants="user_grant",
+                conn=conn,
+                log=logger,
+            )
+            USER_ID = user.user_id
+
+            # Create a new group with grants and add the user
+            group = await group_service.create(
+                group_name="test_group_with_grants",
+                created_by_user_id=USER_ID,
+                member_ids=[USER_ID],
+                grants="group_grant another_group_grant",
+                conn=conn,
+                log=logger,
+            )
+            GROUP_ID = group.group_id
+
+    async with session_manager.session() as conn:
+        async with conn.begin():
+            # Read the user and check effective grants
+            user = await user_service.read_by_id(user_id=USER_ID, conn=conn)
+            effective_grants = user.get_effective_grants()
+
+            assert "user_grant" in effective_grants
+            assert "group_grant" in effective_grants
+            assert "another_group_grant" in effective_grants
+            assert user.has_effective_grant("user_grant")
+            assert user.has_effective_grant("group_grant")
+            assert user.has_effective_grant("another_group_grant")
+            assert not user.has_effective_grant("non_existent_grant")
+
+    async with session_manager.session() as conn:
+        async with conn.begin():
+            # Delete the group
+            await group_service.delete_group(group_id=GROUP_ID, conn=conn, log=logger)
+
+
 @pytest.mark.asyncio(loop_scope="session")
 async def test_user_with_no_groups(server_settings, session_manager, logger):
     async with session_manager.session() as conn:
