Allow restricting profile_options based on team / group membership

yuvipanda · May 7, 2024 · 6e498d9 · 6e498d9
1 parent 661133d
commit 6e498d9
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 2 deletions.
diff --git a/config/clusters/earthscope/common.values.yaml b/config/clusters/earthscope/common.values.yaml
@@ -127,8 +127,21 @@ basehub:
 
               # Filter out profiles with allowed_groups set if the user isn't part of any.
               allowed_profiles = []
-              for profile in original_profile_list:
+              for orig_profile in original_profile_list:
+                  profile = deepcopy(orig_profile)
+                  if 'profile_options' in profile:
+                    for k, po in profile['profile_options'].items():
+                      if 'choices' in po:
+                        new_choices = {}
+                        for k, c in po['choices'].items():
+                          if 'allowed_teams' not in c:
+                            new_choices[k] = c
+                          elif set(c['allowed_teams']) & groups:
+                            new_choices[k] = c
+                        po['choices'] = new_choices
+
                   allowed_groups = set(profile.get("allowed_groups"))
+
                   if allowed_groups is None:
                       # If no allowed_groups are set, allow access to everything
                       allowed_profiles.append(profile)

diff --git a/helm-charts/basehub/values.yaml b/helm-charts/basehub/values.yaml
@@ -1039,7 +1039,36 @@ jupyterhub:
             # Filter out profiles with allowed_teams set if the user isn't part
             # of any.
             allowed_profiles = []
-            for profile in original_profile_list:
+            for original_profile in original_profile_list:
+                # Make a copy, as we'll be modifying this profile
+                profile = deepcopy(original_profile)
+
+                # Handle `allowed_teams` specified in profile_options
+                if 'profile_options' in profile:
+                  for k, po in profile['profile_options'].items():
+
+                    # If `unlisted_choice` has an `allowed_teams` and the current
+                    # user is not present in any of those teams, we delete the
+                    # `unlisted_choice` config entirely for this option. The user
+                    # will then not be allowed to 'write in' a value.
+                    if 'unlisted_choice' in po:
+                      if 'allowed_teams' in po['unlisted_choice']:
+                        if (set(po['unlisted_choice']['allowed_teams']) and teams):
+                          del po['unlisted_choice']
+
+                    if 'choices' in po:
+                      new_choices = {}
+                      for k, c in po['choices'].items():
+                        # If `allowed_teams` is not set for a profile option, it is automatically
+                        # allowed for everyone
+                        if 'allowed_teams' not in c:
+                          new_choices[k] = c
+                        # If `allowed_teams` *is* set for a profile option, it is allowed only for
+                        # members of that team.
+                        elif set(c['allowed_teams']) & teams:
+                          new_choices[k] = c
+                      po['choices'] = new_choices
+
                 allowed_teams = profile.get("allowed_teams")
                 if allowed_teams is None:
                     allowed_profiles.append(profile)