From 0d5c9b405b8bdd888b4898b5a7cb24af1ffe68d7 Mon Sep 17 00:00:00 2001
From: Jeremy Fee <jmfee@usgs.gov>
Date: Mon, 20 Apr 2020 19:27:15 -0600
Subject: [PATCH] Add group checks for metadata update/delete, comments

---
 geomagio/api/secure/metadata.py | 23 +++++++++++++++++++++--
 1 file changed, 21 insertions(+), 2 deletions(-)

diff --git a/geomagio/api/secure/metadata.py b/geomagio/api/secure/metadata.py
index bdd998af..41681799 100644
--- a/geomagio/api/secure/metadata.py
+++ b/geomagio/api/secure/metadata.py
@@ -1,3 +1,18 @@
+"""Module for metadata service.
+
+Uses login.py for user management.
+
+Anyone can access metadata.
+Logged in users can create new metadata.
+Update and delete are restricted based on group membership.
+
+
+Configuration:
+    uses environment variables:
+
+    ADMIN_GROUP           - delete is restricted the admin group.
+    REVIEWER_GROUP        - update is restricted the reviewer group.
+"""
 from typing import List
 
 from fastapi import APIRouter, Body, Depends, Request, Response
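Review bot: Neither this import block nor the two later hunks add `import os`, yet the new `Depends(require_user(os.getenv(...)))` defaults in delete_metadata and update_metadata reference `os`; unless the module already imports it outside the context shown, the module will fail at import time with a NameError. Add `import os` above `from typing import List`. The two configuration lines of the new docstring also drop a word and should read `ADMIN_GROUP           - delete is restricted to the admin group.` and `REVIEWER_GROUP        - update is restricted to the reviewer group.`. Since both group names are read inside default arguments, they are resolved once when the module loads; a sentence in the docstring saying the variables must be set before the application imports this module would save a debugging round.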
@@ -23,7 +38,9 @@ async def create_metadata(
 
 
 @router.delete("/metadata/{id}")
-async def delete_metadata(id: int, user: User = Depends(require_user())):
+async def delete_metadata(
+    id: int, user: User = Depends(require_user(os.getenv("ADMIN_GROUP", "admin")))
+):
     await metadata_table.delete_metadata(id)
 
 
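Review bot: `require_user` is given a bare string here, `os.getenv("ADMIN_GROUP", "admin")`, while the update_metadata hunk below wraps the same kind of value in a list, `[os.getenv("REVIEWER_GROUP", "reviewer")]`; unless require_user accepts both forms, one of the two checks is wrong, and if it iterates its argument a string would yield single characters rather than the group name. Make the two calls consistent: `id: int, user: User = Depends(require_user([os.getenv("ADMIN_GROUP", "admin")]))`. A short comment on this line noting that the group name is evaluated once at import time, because it sits in a default argument, would also help, since changing the environment after startup has no effect on the check.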
@@ -65,6 +82,8 @@ async def get_metadata_by_id(id: int):
 
 @router.put("/metadata/{id}")
 async def update_metadata(
-    id: int, metadata: Metadata = Body(...), user: User = Depends(require_user()),
+    id: int,
+    metadata: Metadata = Body(...),
+    user: User = Depends(require_user([os.getenv("REVIEWER_GROUP", "reviewer")])),
 ):
     await metadata_table.update_metadata(metadata)
-- 
GitLab