From d433e6213632e4d970d8818306288174d1724202 Mon Sep 17 00:00:00 2001
From: Dan Coates
Date: Thu, 10 Oct 2024 10:54:02 +1100
Subject: [PATCH] Fix permissions error (#974) * fix error in translating old permissions to new this would have allowed read access permissions to upsert samples * fix other permission inconsistencies
---
 api/routes/cohort.py | 9 +++++++--
 db/python/layers/family.py | 4 ++--
 db/python/layers/sample.py | 4 ++--
 3 files changed, 11 insertions(+), 6 deletions(-)
diff --git a/api/routes/cohort.py b/api/routes/cohort.py
index 4a5568926..9a5074f10 100644
--- a/api/routes/cohort.py
+++ b/api/routes/cohort.py
@@ -3,7 +3,12 @@
 from api.utils.db import Connection, get_project_db_connection
 from db.python.layers.cohort import CohortLayer
 from models.models.cohort import CohortBody, CohortCriteria, CohortTemplate, NewCohort
-from models.models.project import ProjectId, ProjectMemberRole, ReadAccessRoles
+from models.models.project import (
+ FullWriteAccessRoles,
+ ProjectId,
+ ProjectMemberRole,
+ ReadAccessRoles,
+)
 from models.utils.cohort_template_id_format import (
 cohort_template_id_format,
 cohort_template_id_transform_to_raw,
@@ -85,7 +90,7 @@ async def create_cohort_template(
 if template.criteria.projects:
 projects_for_criteria = connection.get_and_check_access_to_projects_for_names(
 project_names=template.criteria.projects,
- allowed_roles=ReadAccessRoles,
+ allowed_roles=FullWriteAccessRoles,
 )
 criteria_project_ids = [p.id for p in projects_for_criteria if p.id]
diff --git a/db/python/layers/family.py b/db/python/layers/family.py
index 1d296ff4f..4438d11f8 100644
--- a/db/python/layers/family.py
+++ b/db/python/layers/family.py
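Review bot: Nothing near the `allowed_roles=FullWriteAccessRoles` call in `create_cohort_template` says why creating a template needs write access to the projects named in `template.criteria.projects`, which from this hunk look like inputs that are only looked up. A one-line comment above the call, for example `# creating a template counts as a write against every project in its criteria`, would stop a later role refactor from turning it back into a read check; the wording assumes that is the intended policy, so confirm it first. The function body starts and ends outside the hunk.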
@@ -16,7 +16,7 @@
 from models.models import PRIMARY_EXTERNAL_ORG
 from models.models.family import FamilyInternal, PedRow, PedRowInternal
 from models.models.participant import ParticipantUpsertInternal
-from models.models.project import ProjectId, ReadAccessRoles
+from models.models.project import FullWriteAccessRoles, ProjectId, ReadAccessRoles
 class FamilyLayer(BaseLayer):
@@ -138,7 +138,7 @@ async def update_family(
 project_ids = await self.ftable.get_projects_by_family_ids([id_])
 self.connection.check_access_to_projects_for_ids(
- project_ids, allowed_roles=ReadAccessRoles
+ project_ids, allowed_roles=FullWriteAccessRoles
 )
 return await self.ftable.update_family(
diff --git a/db/python/layers/sample.py b/db/python/layers/sample.py
index f01cab7c0..87392e1af 100644
--- a/db/python/layers/sample.py
+++ b/db/python/layers/sample.py
@@ -287,7 +287,7 @@ async def upsert_samples(
 if sids:
 pjcts = await self.st.get_project_ids_for_sample_ids(sids)
 self.connection.check_access_to_projects_for_ids(
- pjcts, allowed_roles=ReadAccessRoles
+ pjcts, allowed_roles=FullWriteAccessRoles
 )
 async with with_function():
@@ -438,7 +438,7 @@ async def get_history_of_sample(self, id_: int) -> list[SampleInternal]:
 projects = set(r.project for r in rows)
 self.connection.check_access_to_projects_for_ids(
- projects, allowed_roles=FullWriteAccessRoles
+ projects, allowed_roles=ReadAccessRoles
 )
 return rows
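Review bot: In `update_family` the write-role check is only as strong as the `project_ids` it receives, and the hunk does not show what happens when `get_projects_by_family_ids([id_])` returns nothing for an unknown `id_`. If `check_access_to_projects_for_ids` accepts an empty collection, the call to `self.ftable.update_family` goes ahead with no project authorised. An explicit guard before the check, `if not project_ids:` followed by raising the layer's existing not-found error, would make that case fail closed. The function body starts and ends outside the hunk.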
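Review bot: The `FullWriteAccessRoles` check in `upsert_samples` appears to sit inside `if sids:`, so a batch made up only of new samples (no ids) passes this point without any role check. Presumably the project that new rows are written to is authorised by the caller or the connection, but nothing in the hunk shows it. Once confirmed, a comment above the `if`, such as `# rows without an id go to the connection's project, which the caller has already checked for write access`, would record that. The function body starts and ends outside the hunk.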
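Review bot: `get_history_of_sample` is the one place in this commit where access is widened, from `FullWriteAccessRoles` to `ReadAccessRoles`, and the commit message covers it only as "other permission inconsistencies". History rows presumably carry earlier field values, so it is worth confirming that read-only members are meant to see them. A docstring line such as `Requires read access to every project that appears in the sample's history.` would record the decision next to the check. The start of the function body is outside the hunk.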