feat: Introduce McCabe complexity check

DSD-DBS · May 15, 2024 · 7a4d9e8 · 7a4d9e8
1 parent f1bf7a6
commit 7a4d9e8
Show file tree

Hide file tree

Showing 2 changed files with 60 additions and 38 deletions.
diff --git a/backend/capellacollab/core/authentication/injectables.py b/backend/capellacollab/core/authentication/injectables.py
@@ -150,67 +150,89 @@ def __call__(
         username: str = fastapi.Depends(get_username),
         db: orm.Session = fastapi.Depends(database.get_db),
     ) -> bool:
-        if not (user := users_crud.get_user_by_name(db, username)):
-            if self.verify:
-                raise fastapi.HTTPException(
-                    status_code=status.HTTP_404_NOT_FOUND,
-                    detail={"reason": f"User {username} was not found"},
-                )
+        if not (user := self._get_user_and_check(username, db)):
             return False
 
         if user.role == users_models.Role.ADMIN:
             return True
 
-        if not (
-            project := projects_crud.get_project_by_slug(db, project_slug)
-        ):
+        if not (project := self._get_project_and_check(project_slug, db)):
+            return False
+
+        if self._is_internal_project_accessible(project):
+            return True
+
+        project_user = projects_users_crud.get_project_user_association(
+            db, project, user
+        )
+        if not project_user or self.roles.index(
+            project_user.role
+        ) < self.roles.index(self.required_role):
             if self.verify:
                 raise fastapi.HTTPException(
-                    status_code=status.HTTP_404_NOT_FOUND,
+                    status_code=403,
                     detail={
-                        "reason": f"The project {project_slug} was not found"
+                        "reason": f"The role '{self.required_role.value}' in the project '{project_slug}' is required.",
                     },
                 )
             return False
 
-        if (
+        if not self._has_user_required_project_permissions(project_user):
+            return False
+
+        return True
+
+    def _get_user_and_check(
+        self, username: str, db: orm.Session
+    ) -> users_models.DatabaseUser | None:
+        user = users_crud.get_user_by_name(db, username)
+        if not user and self.verify:
+            raise fastapi.HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail={"reason": f"User {username} was not found"},
+            )
+        return user
+
+    def _get_project_and_check(
+        self, project_slug: str, db: orm.Session
+    ) -> projects_models.DatabaseProject | None:
+        project = projects_crud.get_project_by_slug(db, project_slug)
+        if not project and self.verify:
+            raise fastapi.HTTPException(
+                status_code=status.HTTP_404_NOT_FOUND,
+                detail={"reason": f"The project {project_slug} was not found"},
+            )
+        return project
+
+    def _is_internal_project_accessible(
+        self, project: projects_models.DatabaseProject
+    ) -> bool:
+        return (
             project.visibility == projects_models.Visibility.INTERNAL
             and self.required_role
             == projects_users_models.ProjectUserRole.USER
             and self.required_permission
             in (None, projects_users_models.ProjectUserPermission.READ)
-        ):
+        )
+
+    def _has_user_required_project_permissions(
+        self, project_user: projects_users_models.ProjectUserAssociation
+    ) -> bool:
+        if not self.required_permission:
             return True
 
-        project_user = projects_users_crud.get_project_user_association(
-            db, project, user
-        )
-        if not project_user or self.roles.index(
-            project_user.role
-        ) < self.roles.index(self.required_role):
+        if (
+            project_user.permission
+            == projects_users_models.ProjectUserPermission.READ
+            and self.required_permission
+            == projects_users_models.ProjectUserPermission.WRITE
+        ):
             if self.verify:
                 raise fastapi.HTTPException(
                     status_code=403,
                     detail={
-                        "reason": f"The role '{self.required_role.value}' in the project '{project_slug}' is required.",
+                        "reason": f"You need to have '{self.required_permission.value}'-access in the project!",
                     },
                 )
             return False
-
-        if self.required_permission:
-            if (
-                project_user.permission
-                == projects_users_models.ProjectUserPermission.READ
-                and self.required_permission
-                == projects_users_models.ProjectUserPermission.WRITE
-            ):
-                if self.verify:
-                    raise fastapi.HTTPException(
-                        status_code=403,
-                        detail={
-                            "reason": f"You need to have '{self.required_permission.value}'-access in the project!",
-                        },
-                    )
-                return False
-
         return True
diff --git a/backend/pyproject.toml b/backend/pyproject.toml
@@ -224,7 +224,7 @@ extension-pkg-whitelist = "pydantic" # https://github.com/pydantic/pydantic/issu
 
 [tool.pylint.master]
 init-import = "yes"
-load-plugins = "pylint.extensions.bad_builtin"
+load-plugins = ["pylint.extensions.bad_builtin", "pylint.extensions.mccabe"]
 extension-pkg-allow-list = ["lxml.etree"]
 
 [tool.pylint.similarities]