From 96b582070be444439d470cac2aae508ef113a6b1 Mon Sep 17 00:00:00 2001 From: rkuo-danswer Date: Mon, 29 Jul 2024 12:53:42 -0700 Subject: [PATCH] authorized users and groups only have read access (#1960) * authorized users and groups only have read access * slightly better variable naming --- backend/danswer/db/persona.py | 24 ++++++++++++++---------- 1 file changed, 14 insertions(+), 10 deletions(-) diff --git a/backend/danswer/db/persona.py b/backend/danswer/db/persona.py index a1fb2184f..17ea7db62 100644 --- a/backend/danswer/db/persona.py +++ b/backend/danswer/db/persona.py @@ -581,25 +581,29 @@ def get_persona_by_id( or_conditions = [] # if user is an admin, they should have access to all Personas + # and will skip the following clause if user is not None and user.role != UserRole.ADMIN: + # the user is not an admin isPersonaUnowned = Persona.user_id.is_( None ) # allow access if persona user id is None isUserCreator = ( Persona.user_id == user.id ) # allow access if user created the persona - isUserAllowed = Persona.users.any( - id=user.id - ) # allow access if user is in allowed users - isGroupAllowed = Persona.groups.any( - UserGroup.users.any(id=user.id) - ) # allow access if user is in any allowed group - or_conditions.extend( - [isPersonaUnowned, isUserCreator, isUserAllowed, isGroupAllowed] - ) + or_conditions.extend([isPersonaUnowned, isUserCreator]) - # if we aren't editing, also give access to all public personas + # if we aren't editing, also give access if: + # 1. the user is authorized for this persona + # 2. the user is in an authorized group for this persona + # 3. if the persona is public if not is_for_edit: + isSharedWithUser = Persona.users.any( + id=user.id + ) # allow access if user is in allowed users + isSharedWithGroup = Persona.groups.any( + UserGroup.users.any(id=user.id) + ) # allow access if user is in any allowed group + or_conditions.extend([isSharedWithUser, isSharedWithGroup]) or_conditions.append(Persona.is_public.is_(True)) if or_conditions: