From 437cec38e09269cbc862e28f97a3bb980c0989cb Mon Sep 17 00:00:00 2001
From: Tobias Kurze <kurze.tobias@googlemail.com>
Date: Thu, 6 Aug 2020 15:23:14 +0200
Subject: [PATCH] added permission checks to user and recorder API

---
 backend/__init__.py          |   4 +++-
 backend/api/recorder_api.py  |  12 +++++++++++-
 backend/api/user_api.py      |  22 +++++++++++++++++++---
 backend/auth/utils.py        |  30 ++++++++++++------------------
 backend/config.py            | Bin 5644 -> 6514 bytes
 backend/models/user_model.py |  15 ++++++++++++++-
 6 files changed, 59 insertions(+), 24 deletions(-)

diff --git a/backend/__init__.py b/backend/__init__.py
index bb500ff..b7453ce 100644
--- a/backend/__init__.py
+++ b/backend/__init__.py
@@ -4,6 +4,7 @@ Backend base module
 """
 import logging
 import os
+from functools import wraps
 from io import StringIO
 from logging.config import dictConfig
 from logging.handlers import MemoryHandler
@@ -14,7 +15,7 @@ import jwt
 import requests
 from flask import Flask, jsonify, abort
 from flask_httpauth import HTTPTokenAuth, HTTPBasicAuth, MultiAuth
-from flask_jwt_extended import JWTManager, decode_token
+from flask_jwt_extended import JWTManager, decode_token, get_jwt_identity
 from flask_login import LoginManager
 from flask_sqlalchemy import SQLAlchemy
 from flask_cors import CORS
@@ -179,6 +180,7 @@ CORS(auth_api_bp)
 
 logging.getLogger('flask_cors').level = logging.DEBUG
 
+
 # Fix jwt_extended by 'duck typing' error handlers
 # jwt_extended._set_error_handler_callbacks(api_v1)  # removed for the moment, might raise new (old) problems
 
diff --git a/backend/api/recorder_api.py b/backend/api/recorder_api.py
index 3a8609b..3434d7a 100644
--- a/backend/api/recorder_api.py
+++ b/backend/api/recorder_api.py
@@ -9,9 +9,10 @@ from pprint import pprint
 from flask_jwt_extended import jwt_required
 from flask_restx import fields, Resource, inputs
 
-from backend import db, app, LrcException
+from backend import db, app, LrcException, Config
 from backend.api import api_recorder
 from backend.api.models import recorder_model, recorder_model_model, recorder_command_model
+from backend.auth.utils import requires_permission_level
 from backend.models.recorder_model import Recorder, RecorderModel, RecorderCommand
 from backend.models.room_model import Room
 import backend.recorder_adapters as r_a
@@ -25,6 +26,7 @@ logger = logging.getLogger("lrc.api.recorder")
 @api_recorder.param('id', 'The recorder identifier')
 class RecorderResource(Resource):
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECODER_SHOW)
     @api_recorder.doc('get_recorder')
     @api_recorder.marshal_with(recorder_model, skip_none=False)
     def get(self, id):
@@ -35,6 +37,7 @@ class RecorderResource(Resource):
         api_recorder.abort(404)
 
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECORDER_DELETE)
     @api_recorder.doc('delete_todo')
     @api_recorder.response(204, 'Todo deleted')
     def delete(self, id):
@@ -65,6 +68,7 @@ class RecorderResource(Resource):
                                         required=False, store_missing=False)
 
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECORDER_EDIT)
     @api_recorder.doc('update_recorder')
     @api_recorder.expect(recorder_model)
     def put(self, id):
@@ -85,6 +89,7 @@ class RecorderResource(Resource):
 @api_recorder.route('')
 class RecorderList(Resource):
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECORDERS_LIST)
     @api_recorder.doc('recorders')
     @api_recorder.marshal_list_with(recorder_model, skip_none=False)
     def get(self):
@@ -95,6 +100,7 @@ class RecorderList(Resource):
         return Recorder.get_all()
 
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECODER_NEW)
     @api_recorder.doc('create_recorder')
     @api_recorder.expect(recorder_model)
     @api_recorder.marshal_with(recorder_model, skip_none=False, code=201)
@@ -161,6 +167,7 @@ class RecorderModelResource(Resource):
 @api_recorder.route('/model')
 class RecorderModelList(Resource):
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECODER_MODELS_LIST)
     @api_recorder.doc('recorders')
     @api_recorder.marshal_list_with(recorder_model_model)
     def get(self):
@@ -172,6 +179,7 @@ class RecorderModelList(Resource):
 @api_recorder.param('id', 'The recorder command identifier')
 class RecorderCommandResource(Resource):
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECORDER_COMMAND_SHOW)
     @api_recorder.doc('get_recorder_command')
     @api_recorder.marshal_with(recorder_command_model)
     def get(self, id):
@@ -186,6 +194,7 @@ class RecorderCommandResource(Resource):
     recorder_command_model_parser.add_argument('alternative_name', type=str, required=False)
 
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECORDER_COMMAND_EDIT)
     @api_recorder.doc('update_recorder_command')
     @api_recorder.expect(recorder_command_model_parser)
     @api_recorder.marshal_with(recorder_command_model)
@@ -201,6 +210,7 @@ class RecorderCommandResource(Resource):
 @api_recorder.route('/command')
 class RecorderCommandList(Resource):
     @jwt_required
+    @requires_permission_level(Config.Permissions.RECORDER_COMMANDS_LIST)
     @api_recorder.doc('recorder_commands')
     @api_recorder.marshal_list_with(recorder_command_model)
     def get(self):
diff --git a/backend/api/user_api.py b/backend/api/user_api.py
index dbd70ca..c489b26 100644
--- a/backend/api/user_api.py
+++ b/backend/api/user_api.py
@@ -14,7 +14,8 @@ from flask_restx import Resource, fields, inputs, abort
 from backend import db, app, jwt_auth
 from backend.api import api_user
 from backend.api.models import user_model, recorder_model, generic_id_parser
-from backend.models import Recorder
+from backend.auth.utils import requires_permission_level
+from backend.models import Recorder, Config
 from backend.models.user_model import User, Group
 
 
@@ -90,18 +91,20 @@ class UserList(Resource):
 
     # @jwt_auth.login_required
     @jwt_required
+    @requires_permission_level(Config.Permissions.USERS_LIST)
     @api_user.doc('users')
     @api_user.marshal_list_with(user_model)
     def get(self):
         """
-        just a test!
-        :return: Hello: World
+        returns all users
+        :return: all users
         """
         current_user = get_jwt_identity()
         app.logger.info(current_user)
         return User.get_all()
 
     @jwt_required
+    @requires_permission_level(Config.Permissions.USER_CREATE)
     @api_user.doc('create_group')
     @api_user.expect(user_model)
     @api_user.marshal_with(user_model, code=201)
@@ -117,6 +120,7 @@ class UserList(Resource):
 @api_user.response(404, 'User not found')
 class UserResource(Resource):
     @jwt_auth.login_required
+    @requires_permission_level(Config.Permissions.USER_SHOW)
     @api_user.doc('get_user')
     @api_user.marshal_with(user_model)
     def get(self, id):
@@ -126,4 +130,16 @@ class UserResource(Resource):
             return user
         api_user.abort(404)
 
+    @jwt_auth.login_required
+    @requires_permission_level(Config.Permissions.USER_DELETE)
+    @api_user.doc('delete_user')
+    def delete(self, id):
+        """Fetch a user given its identifier"""
+        user = User.get_by_id(id)
+        if user is not None:
+            db.session.delete(user)
+            db.session.commit()
+            return "ok"
+        api_user.abort(404)
+
 # api_user.add_resource(UserResource, '/')
diff --git a/backend/auth/utils.py b/backend/auth/utils.py
index 8a12ca4..0652dd1 100644
--- a/backend/auth/utils.py
+++ b/backend/auth/utils.py
@@ -2,6 +2,8 @@ import flask_jwt_extended
 from flask_jwt_extended import jwt_optional, get_jwt_identity
 from functools import wraps
 
+from flask_restx import abort
+
 from backend import jwt_auth
 from backend.models.user_model import User
 
@@ -10,26 +12,16 @@ def requires_permission_level(permission_level):
     def decorator(f):
         @wraps(f)
         def decorated_function(*args, **kwargs):
-            if flask_jwt_extended.verify_jwt_in_request():
-                current_user_id = get_jwt_identity()
-                user = User.get_by_identifier(current_user_id)
-                if user is not None:
-                    if user.has_permission(permission_level):
-                    #for g in user.groups:
-                    #    if g.permissions
-                        #TODO
-                        pass
-                    else:
-                        pass
-                        # return FALSE
-            #if not session.get('email'):
-            #    return redirect(url_for('users.login'))
-
-            #user = User.find_by_email(session['email'])
-            #elif not user.allowed(access_level):
-            #    return redirect(url_for('users.profile', message="You do not have access to that page. Sorry!"))
+            # if flask_jwt_extended.verify_jwt_in_request():
+            current_user_id = get_jwt_identity()
+            user = User.get_by_identifier(current_user_id)
+            if user is not None:
+                if not user.has_permission(permission_level):
+                    abort(401, f"You are missing the permission: {permission_level}")
             return f(*args, **kwargs)
+
         return decorated_function
+
     return decorator
 
 
@@ -38,5 +30,7 @@ def require_jwt():
         @wraps(f)
         def decorated_function(*args, **kwargs):
             return jwt_auth.login_required(jwt_optional(f(*args, **kwargs)))
+
         return decorated_function
+
     return decorator
diff --git a/backend/config.py b/backend/config.py
index d2a63a96adbbe3bf02134803834bb33f5be12c47..50500f7b847615a6ff1290dcbbaf766c6cf1472d 100644
GIT binary patch
literal 6514
zcmV-&8I9%uM@dveQdv+`0DVpT$*Mwb&|u5s7hsJ_nF_&dsB;=mwR_{be=yn}c$C;5
zT;fvSpsV}_5?rvwdYrP=Sb=)K1GYq)*OTR$HWX9NXzp9D^dj9vp&a}u9(6LE*19M#
zf1|UivL8#tY-Xl%rK!caW7M@}FSM*S$k2{eaMVSkt!+Z)j9uxy^68JL7+}<R17_gE
z2N|DW4cSQ7yL=1JQ;~iZ+}M1F8O^AJ_=8S#S6E1fq+2_d@s(n#7sfDHThibB99%m?
ze5S1Pq#Kt~p|m6C$pu1tBpLH}6=8E#&bA&OS3kg7tGSV5F^2PT=rozw`**PYl_<f1
zD#AO0)(Z|A79>J^-!l<$ZJcKx;#;4`LFuAVZI#5S0LgeSVQXgl=$#l3NLP^tSAh5h
z^^g`bV65&tu?~tUqXJc0Uo}d~m@rmDoeFy|9J*RL(<KVrWJJkyg@R4h-C7i4Su?*<
z3zaCHGybjctcx!_^0vI07r(Z(FTlJ~eU9`(aHiAI3k7wk0sXac?yL2enBpQ}H_9$m
zn1ZIh{5sj4$B=wYb*0Hm#f))+jSH@u?2VVaE_!<L0ZuTH&5@?g-USvdzM|)b)%@Q*
zK7@*_3tLIYx>aa|Bk?z~63AbGp?d0NwQF{G2k<iuoGo_YCz*;}fHb=VLQlA%pF6aM
z#zkR?O?ygK+G{xa6R7kB>8$QtR;(|q3-MR-?;(&etU_6{I@dIUbKpEN2yx~(1#wO@
z-|b&z-7i<hDARfQA>U$YzWIn6-uS#hL%bcEVQ`3|*INn<`ZCppn8U>Cz~s1S0rXT!
zl7Q#Uk%1j8mul{;{o82~gO#tXithfx#k;=wVlS8m-DA8TA1_lnid2n*MXS_EDcMjr
zNg4uDS)#>-6+{LE9_<rD??*@CYR|3=c#!Db9cTz@3eUHLk-@#&^Si=vX=pF>nd>-~
zEe&kj_NDoPvj6P2Ufi+t-CrtKB&Y18AV%u>Aq(BTu=D8%NlhP&+hNV6FsR-qCb7-E
z?D>itN2w4-NpOyu;;*?M2c6R}*hwXiw9~X!@fEuNwN|Lxd$p6(>wRB&iaH^XI+7#_
z_-m)}8f?#$iZ|u<4w55E5I%@1V=MI>(xUgYU%%iJ0VW;5=id-KZBcL+i`D$G5P4XJ
z@;rQDTSEi$6fv3Jpx|hb(BzAo*$I=T##X`>>-M5L==^jA(m7@x^Ns%I8m`{GP9Ym~
zL;-tN$Uh$;u`3_m2$BXgrrU*Kp6;H$?oTM3{yu+&@}UB^=(f_J(}&*4!co^74$%}T
z57ywZVT|=Nkm9M7n<<Op{PDV7WNt3pc)O;Jk3VCZNW8IqSi6D{$TLxAmwwE`@DVit
z#7h{0hC2TbiMf*3ufXVW`E;|zsj1pK^}eVAjMAWBi%d|R{DC-S^>cX}efEJ^cg`OL
zhi%EBp->l%q@{4`6>Uz8F>B*Ml5Z0KvzuUNcfE$Oeykqyp54O<Q19<~@))}XQ=~l>
z)*9PSj~b8zZNEn|VgyazG{imFA)vSbok|TF4Q1z{Im_WRBX0H7Ijtw#;|^WW0C5~1
z+Fp>@^VSkNN@QhsCP%=6zOACo#kwE<0S0zObVkxc`n;GWqjqwDvvpq;77LEn0mldI
zoPH6R$hU_g^d+H^gf^`$13@(|&i0$$llBTipSYr2FCdi`q{p&tG?X)|wpyB)-iw$>
zNxdUSFG-uyfh1eJ5k&+`N+wnRT+nPB)svX;*OI>3eLPVV6)6YLH;#c5GK}ybw%Jg&
zLUpNqOVwe%_Y<>(Xslb)l@sR2qJK6T<W2;s?HWv>uRd5TUbGoWYR~+t4a~bQuC@x$
zgO|;~zlVPU!FPx?aVZgJ9~Spkk|che^MY1dMx*;P2kZ+uAUuum9-ICHDS^Y;ag3LV
zv>un+=0C#y74f`(4hDrhcQbGg@zgV8#WKZnKx81&4e~*f7GXB!#N;8eI4!7C1i#c)
z*%u{2EhN#Az3t`-*AA|2VMa>$4keuVYKq|`3#ih2qW3jS1KN;Uz+cg;@e<>)mts|g
zzmD|O?{vv6;*1<XKWuc<JJWL_MU{`-(1;AMmw`4IplTO@y6jq~Z@{*9tNolx4;U0h
zR%Ov+U{&o5j#6KIw;9>$S~VNK$?rJR$M%@kaCtQglbDPNf*ELAv7Eb3GSy+0yz(|v
zJOrgNY8?sO6k^~r5Z**(fVo$|T_iMw<>*an$37jVt1D1hC@uw@yGAbx55Z-4`4Hmd
zs!F#L_qr!nD<qWq=;FydT|p>Uw6ZzPUOtXg>`y>KUY+(a-&NF@SZ4AR0KM@h{@TH?
zaZM;4#rfDeF*&3}3n)}mh42C>)~KM^XYFrDi#cqXnVsN{&6F7@Q9|k41oiia9HIHn
zETKHWSP*tn;xUwvS(m-YA3hQ6i=St+R28fZ4F=otA0VqU6ddd!X1DQ~c%#Hxz>{zT
zt=PXz&y%9o>D=1Uu?V*(Y*{0QT=rsMWNDF)&2uZLb<u)JOxo{uwjXjJ9ul{y@$N|G
zraUm`e|#t%;J90@jL*?|xkEeBHo@V;_Cr<9gae?)fxD{{1SpJAc8J-$X9r!RoShE$
zL5>rYOkjC?pmYpf4r?S=9=!04^Z6;ptFcqFJHOvM)-8}}ERrhI#riQa`t0ZI5|!cB
zeDfj~DrRE<8y&(&o~*Y%VURk3pK>DA%AY-fO{IAvX>O@~LkoM~^|14IA>n7Mg;*e}
zgL3Qw0MV`gGrh5e_9|(QX1X1SR-vbpIru^$k`{>66Hy=t;>+SshOca1sBS{uzdG&y
z=%X}9ciNVZdkVkAelfTCifg1cz~-y!0+$b5&oyOvCmYdjNEO*346&+=V>_&jwTCR%
z8THy6b-WGKwRNF?=xLF1sAN1Ad+IE|mX+yk4=mQ<_it#~l(SW9q}z{R3p(c>QX<yY
zhLP1a62*$UH>cP}&Onch+Ci^&B|gQQ`LKB^zu3W={d5$8aL)mRmxijCn#$UBS?v6_
zf~wzUTn<1322;nU#~t-gL*s{QXle3p3L65E)di;;bKF|daM4>MAe2nABUW0BS5Dv9
zIe@lGP_fZYks;=zdYFUKF@Uy6ZdBn4ttb)*^uKJpQm(g=RwYU|J9J3}j@%qSI=RFP
zxSDtxnpQQ$(|8X#U%lKqUrZFHiXAsGB=pdpCsE{3CCShQ$$@GTk8cKz$}KwF0e_7S
zr{R8-Y%Gr#Rk#*eGkb&K?`&kmG>QVx(cmQ&$w!kl!)-G!6^+8`qQ|f0$g_Z7C1mM{
z0Ace0Pa$tKNOUuHsY}ll%R4wvjgmmkHuj$1>}ICTYGdkUFn2F}8PfIUgsRJsj1#CZ
zr=SR#uS2M-!zJd9oc6j?4*G@C&~al(np0P*D*fbeZ&L!DuymWJ2|s%tWPtn<S8j-X
z=XM%-Uu>C!NqI_4TvN`gOGDNQ?95oxzn@YWTBf{-J52EQh@SbnY3Ygt+hb1H(cEuv
zXnjrd4~DZ`I=lR2L1WR<_K@OSbO8C_e3T_zId#x!_qpO%o3T`*9>~<aSlX>EbhGc@
zD`X^*^R2Z~;7lLR<*A88w?9c*o1%<}<vZGpV4>_MVo(wnr;=tyOF*s#b=zxmHxn{j
zqYnX8NKG=stZ;*3va!$?GJ<U%I`}2G6(OLZ?5C;5cAynGKHDpF1X3U9qH1rfO26YO
z?whCHmYryTt5TWf^Tgg_WXvWo$J{0FKHL?=onga>a`<yKCDr2omKlMCVT>??ILm$s
zr5gx%RosyIgCmcG;COmA7Q{O`iFAx*OWt!_&z^q`L%vb!;+<{;l6xYmwRPLsDBc`t
zrEkVgI0&=54C7%rKhXQ<$s2U5z6@`uU6p6H|6h&cQ;$NNM~)bY;Q0KQi!yiXDLa?3
zizSDPCtB<n_dw_n5z^bs-C|{%^2_N4ccYAy68-2`^Jzn!iML4n>jrq)GSrA1V(~VH
z)vay`<&{UTHlE3R6&(-U%PRs)ZSh=dvfGElXRXjFIrvP@fYaukwIr!;RsS}cOBT$X
zAkh&#P{3UcY}I}X@tM7`Ian36GuPK$o;v>(7`iksF2{l}U}s*vk?BX`E$zeHfV=`E
z`Rn#qct5IhUTPUSmnW>qfJnFml>tR<X&CAvfgqwIR@~JB)z{75)p7epZDVNn$k}Sp
zW5!(NH5WAg8mr7hMEGtWZn4{b07Ah(k@9Ct?e^BZq{c{TB3VF5<FakL94Rx)T|D!|
z7+MT6$PDPrMB3R4`7tqI-ZvM586OD6No!g&1C51-M^hNG3#7aH9+KLLS>qAZc5_wD
zdZ0K9Kj|iJ6qC1<eqIgxAG^2oZC4Q8)I7i5)<9t*CqOoJJkX7Yls8_|5kx!=EX@(!
zkCwbQHz;@Yk-}I%B!N3R4+ARHyAs!Mt=ir^)O>P{T7BPDbJAc}f~>&pcdt#0ApiIR
zGJOFU@H?{)ZVGxB1Rqt*Lb#B414)HbeYzbSp3lx(Y!?Rw>ab-Ugf9Xl?wl>PKPOa*
z8W^%>WDHd;IWu{=T{-WwjMo)C$3Znp$I8Rlx&mjBuiXy|P%Xr7uxS-kQ|?nWV?m38
zd$___#9EQj06h?1h=CNo{y9Vn^8nmp1<D=fvzlgd83S4D__berO=_J{2<#)E_|v$%
zd&Phho<b?!-H&)phLf5<&VFi)L6ISUI#XQcEHhB<cK}ko6Q}osAf3R0Y#bR_grX2$
z1R;xeV+OTfJ4!GkZhFaYArXTw6Yu~x@u09_fV%)X{)VmmsZQ~QcdyrQvJ)ZeBG10#
zwJ|^$>fFd-K(U`RM5<$~<d!Fhe0qV~RA7~?*Jd|EDaT&hwO741tEgUvABMsE&Z33=
zY=Qf;xXQ>oFcpiMO>>#KirQc-_CY%tT?hVLvm8204B@w-8b^phuC@w6YYrdHPd{8A
zAoC7MnpFt9)gDtf(9h~R=YJ?mdNg=Q^?{fPY(jrRQ}6se5dTknT^c&55l!YPPQrWv
z8^_FmiGyB=u$mlO{)(b=$Ijl=oo!=#br%)$$U#|^dI|T_PG9X+uyGMix`3#5R{c0i
zccXV959%y1DhRxc9vEm;KmNwmIz5CsnuRJ8*`0ZAeY3*$>m}Dl^kPr&Y6s$^Sy1Om
zfd5kd8QyrC5$`{bvs$E>RT(`0K%0uY5NU%^o-Enkz>F8vugS7d8&pY|rGp_%f=|{0
z;{}B1L4DSO!MUJoGQ)8_C5mpHU{z8VLT>TEo_lP4znw>P0N<=~KDYErZck;>e_79N
zJRl<m488R!zh0C6O%RoKC;>*$e%V50c)&M)4>zl6mmHSfd=9(T4GsmpdU*ZbUzX+*
z?y^_}X)ldi9jMh#vLI63Ebchl8ud?s=4!qevIyT7D`LQ0+S-Y1o0xNIP5la@5U4!c
z6UKHnrk{K1u8E1RF0s#yQEl+*T(w6MaxZX?T4T*uT$f7`Qb6y!p1~#l)?HVq3L2a#
zeiX6=&=XjL*WLYV@bgf1)kE`#q32p}xXQDeSu+O2yg<eA{icb6{Dx~$Os0I0-pDyj
zHhIXNmCLdMWOWZI{K_3T%8J$R1^=LdizBbDU@}c6dhUxYB4GzCtt^;z%_`?HeErqK
z^ZHbcsRx)LHuXgNfI5!U)BdPo={+^8^4D}rN-VJtC+t#F7G#Xi$4EJD?CTqv(0jWa
zLAo=dL1+~;wn4#orbgdPJFrRi#N!X1a6Sp&y@8ejGnJ%Rzi9oy??~wG9G@ASfj>d>
z<k9H2+k#v`KqFogcwXM!yN|X;H-{-AJCA`&d#TydU9b0X-T}J4sN<|Q1^9GeNl}_}
zkpc|54cT+W_ehcl*9$SuiqxuCRCn5pkC1_##)ocr1E);y)Xo8SEmi$x=bPHFdSaWX
z0;a~cC0v1TN;*2e<izUjNTpdjD0Q3f=RZWRK0D0_q4t&sb?S)U%s#f7gelgKPrxwA
zFqC`{u}Q=heC5+WV`M2Fi>AHHgGxetEx%5P5voWh8ndmT+=<6e89{eG*Lh<Xa{~M?
zmB54PP%2IG>-k#!1`zS&MY~|rLTo<Seqw|`G+#i*#u9>~u(bMhv_>0U6H4+bzgO+>
zfVP0cRtYt$05lSt2@t|*nfv1|VFZZ?ix-9;%-p27yrJ@~DLR9AC?jW*TPg2O``BG~
z7)6o?qK5v$P<VO`FiR)IEgRZzbop#chjG_%U%UcqN%m4>BXQQ{ggg*L4#<lWFu~x)
zWR$2wt&8x&NjW<_ErWwv=Co$yRR&Y_ix|L{M^J+<vw^$8VhkuXp-u8_5>??FDw3kH
zzsns<^OE>cxp<lGrKSRLm0?=T4|40K9mRXcIszS^096wM=ru(6id}Lv{+@~R$H+uW
z6wzG^;MKE-CZd$O_tmS=SbG#~6!T;{l4zhewh^09zG?KZ6l1dw1n9Z2&v|w3aXd~)
zxjjjrCs;bC-(v%Co3&;)?a-SzsD@fFbJ@~m5ls(NGBzJ$we&VH3iiG@e)WO`qg02)
z2tMVV@m9u7K2F5~fZgL`di-28EOsT+`W4#opn6lqq});1KH8p{T_g?OS_{@OCZ`18
z!&_G3PwXGL1-gq?2FcB?xd>(+1?GjyOOXE|pOJ3|>GZ<DP|PNwd9{G!8?D}r0=9}p
zL;emYa!s||sye<Fb2R;@SUs}{JvcHy4Xkz<+1ZiIGirK)UHS_MGT_)D<>){&I*+O;
zT|>KUL;XYK0ftNtJWj^;+?9O+pquDup17qVM0g1H`xmUwl|;ZU4e79{t4upB9-YOY
zQSp^lu(^y@)r_E$-?sDD^z#li;+kK*K~=UEM|gH&cA*=sYka~S<!m!SFFK?=->zOQ
zwQsLk5g$yvox7X}|188Q&h=+3q(?k-oG+V9^B8n9&5R733&jWP-s?ZiV#^#qsuw$L
zf@9JENtc*UD#Ui^kqo)yxcF~&I=6laRF+9UXFxf%C~YI73AX~+g-$d=b-{TTT3kkx
z{}8xa0Ey5*ws5`*p+zRIPG<_DAF)$*w*q_F=0>$m<EJLwwEwje8&iL5nJv-^_lMr1
zf4b+kO$OZ1rr0smPE>uqDL2hGSWL^L7&xd|vJO0%7e1>~V?<uc!_N2ailP2L^)JO1
z8}q1<ule#Ljr67_IM%%)Hi|!!R}svid?cKyTAOB?bq^LSXV=j0s{ARJ9pb^21^ET>
zDqaj~e`avq)kjzos6@eA89y_vr#D1NVwJuIqsVrqNyeZ+O7pk;82(>Wa}%QM>mMFI
zxUVuR1F(2Da_o&z&1yady#Fe=K_dV<IZi-Kx;kCT-i}fz;<w6!Z&HW`k&Dv9Ck<U6
zsGFTVmY}et<M5C+?~F4z=OknE;Zi^(Z~Rxq%antT@|SSKec22Aa#=PW*G{(^cWG>@
zcLAhQ5Y6iq$2?G5@S`lPpjOW0!A7t0BN^GgZMcfy_4)L_#}!NOx2?>gt<DPHdz`<H
z6XiKq75(}$(zx*|*1_2KzMyDgWdySh@CHg65Em2t$qCY45BFS#g{=DDdMfF{MhXX%
zA`waS>UzGkzMXHvC`4(>G?rL%NsN2<juNG0M0j?v$W(vL!C!ZqU}@b7qG;9yppk<3
z?SF|Z`=PVVjOQK`a*J=H3M`QTk3(RjUAkv0Jp%hG5JD)i7<F3E7?1>HM<5!()L#^o
z71Tblv-20qvEjl=Zeu6*f5}UBHZ9ZreKfo$4oRjgbOIWhGqTX4P)6T__B$y?e6-L%
z){W}75rB>$uT({~cMeOto8B?y=tR<{0{Fuv2g@a4lg6kG$eIMeN6T{V{B#l)N^6g{
z)}s2{)~Fe@c<A_^%HSFsbd(0iY!IHm*>C7y`k{OQ`&z+Co9L0atx5&i&t8-aoKn>B
zavzmDvm=9DHsu}Qq%GW1NcE-7X|Tqnug&H(>~%YezCBY>uh5KVFk<S^7ypixZmR1|
zCuOvu5+}((q5LRYd~(nKl5;+Ry90fXBjjJRa9YciRN));dpbM0aiaZ+0#Pnyr0pj%
zey2tKmTX6i?l#E_j==c2u?v;q!P<YTTqQ?<c=%&Fc$P7#1HczI%EJbU2!Tas+RwyW
z@zr<PMKuV#*L9$Vab))b1(JQA%qq7eV9<9CUm=SSrPZXBQ0$Q^iIKy6CXYWG>0k=o
zMPDQQIXWF-?wcdUMYBo3Sga)jJGy;pE<r_T{xVYr(CFDyHk<~nKW^<4D#OCK!FL7!
zMI!H@Gn@dD7^KWh+XQC_?o!rGJ7zAN9z~bS3l{YALqCw4&PLSwWeZV<%eXajXy}Jk
z(?J8@cmi{TlihRkD0DvXHeq^yJq6uv)D?QB>c8-?d(}5R&~%p(CpQt4oU=Z~=uxN)
zty42S3|<z7G~A!h^&i+lmE{Q6d{2_?HiA*IImdsS>Wl^118%=diwE?6@d$SN0}sV0
zQPIrW?QHRSrAdMSO3)G4VhBWqNv`#be^?LGR?v1X$#MNo!Bmc@6gdGpR#~&v*nus?
z8Dt%1TDr`cNg6PAS6!j3YSl@^!f0LacQM6y3N<awX81T@E;^*jbR{wd)@CBtxUm^R
Y$|HKo5M39ejSAqN5cL91<obtR%(vu>WB>pF

literal 5644
zcmV+n7W3%<M@dveQdv+`0BREZ?n8~ZpjXwIkDvUI5U~1+Ay~<cxxf#1eM+d>!!Vk`
z9y7GNkgK9GPz#mwLoiVyHJco&yUz|GB4<^4t=ozsPBiTNLK9{%yePfj*J!H3LTVB=
zeQn4-auLM0yb5@-KO8+n|JwW}!?15bp<q29ZN;H+M%oDD!o%g8YQ104ELC{j=QvX2
z!uL0fE^a~*Kt^nIKA1IbD!tGUskev!$n;jQni}pWqQJM**lF(E4ZtXPC!_1;4)k{N
zsJKlP<e&a814d5C(tnf(9<1Ce=ko??zjQZ7id$t8A8yJ6lTJp0#1x`f7WkRTF8pDt
zoE*Npc`?b@|CN7dwG2WAxG<`^Gn1%x;O-{%Hua5zm*P4*npY4uT38|**U-e&<6V1m
zq7th8i9BAFWNG+1ZUlemP#JkUaZ5`(;JwaGS1XgMooma8Ekq0>Y;ca4H;<NyGtckr
zabbWuGS@sPo!m{9&+&6PIFO(=8Z=A>!cF;g?q_bZNrxJ_u`Ug7W}Lon@2GZ_uQkSk
zzmpq|DzAULX{hIu)HY<1O!D9lyuEg*LD6@{`guN?M$?wiqK-dO|B?H6?$42gQE0W@
z<-L4lY9NkX+&r3T2@B939EQ)sY_lrA(Y6d6jekyFglo;QdHdReNw|G6NjVf!fKY^;
z*b98J#vfvW^+yIBUA|jJ)9{`ywO`k`&9reGaU9RhOGF^fLKETNX!Xb=1Fs<b1a24U
z`SJc(X-S}4!Nd%)_<vprJu4(rzR8qa2Mj-EP>YYENMup3x@#MuzoJrhZLwYix#r23
zk&5qv7xvakYo{^~$)W^L9@t>V;}Q4Pn9)^{RG_MYtczJw3nVc;3F86j?oY9ew%uls
zBN@|izj7%&TlVhRzGQpfneFTF)ja|3ru640Ah(DkFm~fo$p4y#E!aPz<hKOLLJF+a
zNWQ^ooK+zsbJm*yK;NS%j53IwJYljJMC)ymXJVk%c9_b<Vv3!IET2(8NMZmX+{)3k
z1_7z>7YuKl0k}C<tR+bDXhu!LJREN$as^AKAb$4&BF^SMxq$61Ifl0ZGLS5q%~e56
z$Van7^E5`r3vU1*1V(HS_Ctl4%_j|()f_Ks*PLDR3ZW!T!8Iz){4oP3Se$2(7%m!l
zj;9+skq@bK)rtN^vf&xxY^?U1s8?*L7e%m@fN2~TV`}m`iuMfzSuZRP7o9kg^HE@y
ze!H#RlkE2TN>z&>i9)ojv`Fy<tUtWNlTib(@ZBeTH1bD9PVkXisGpP&_88@{<umZ2
zKefKl4(@o<%u9}GdC5?(oLM%RvTIKid|Z$f+01tDmZ7b;<VEWy_4!NEi!<ZZCiJMU
zDos>}@&vlWAbZ}52mg6sZeuU8?)E3#0xuM?*~ZmBG1R`>*?~mSEP@yA<vbP9fL&-y
zNs9Hcd5)w!J5rKSkswI%+qfvv&(f9Mj!sK>BC#x}k(^)_w4?Mu)dXx3pkXIvcQ-Ay
zIN;_^90_7Ry=iWDlqyd>pK~fypV)KWkd~~FSXj3ZSUqGZB7n`3`%{P)2M1+bihd3+
z=;r>o23P#``ci7V&T>UD6d49N3A%dXW`xS`8aeDWCIno0^#nD#pD69XJ`I0=2o2We
z=|T|S5&y~<w($&FR2GhQQ9jaPXRQVQVZY$a<+(~b%WR3DG?)_6ldQ-2io9hlaxCmf
zuXfwwqU}RA7|_FFh=V#87%|Bj)G8m4HA>>He!hlI1e66qZav4Fw&ecuGNN4tDlGLm
z*=f91+~WO!%^^w^<H(hep^to=Xv57n^1o1E3CDf3(R3OL^5VhT?*#kX_b(@8+xze!
z;yAx7GGAU;c6>r`O$&i#fg=W-js1@VE0AoPiJHUuaOZv_3x4WlzkReBK((5<^qyY+
zrzVaf)|$oSKTy{gq=m>1)#X`M+-2?_$Du)qtl7up4ogkeVeUr_6y5U7TJx4dp&OZ!
z)rN|!%q>HK{z#is3Zq(b{RPPMZiQ=hm$H=^Gh2|40$sa!>bHZ}U!`0OeQuGAOy&2Z
zH}L{`Z-b>lMeN|IpUcSo1UaK8UY6P|4M2(LobW9RuKBiA4lTU%FUD>uN!c4I?p+Np
z(K2y$bzb{3uCDg9)vt!3p6F7%C5d<1rXn-h7S9I5gLB~4Y@``nB6uv*SpC@sn5VCi
zK68T*4qe5!@)<t}Gdv}2Eup<(cUdb}^M9P8v4U|_@+5p~rT?gSF9uoJF(gfG+mC*>
zqIwH0aMFD#wFK;6j`#je!3{hEfB`&Uv!B9p1IE?1R%frq_4J)7(8$VGj}_ihNp~nb
zv4Y9~1=1uiz4}~1=GkE_JItlXnbWRUm+^3M(rMH*OJ%RkE+WyUy7)lsVs_P`GC|aB
z1+2LIRTO|vEl>@`!+Org>Cxv6G?axJ6A8UrwTNc1E4uEpIz-qJ1<it_mXF=qqCS{a
zvGjcZr0t>$-*cg}jSK%WT!;gx^J{~)i6{b=$=+;|$V1V@?L!DxQV<4Z$|T4R#oUJ9
z{o@JN8flM=koZ*snH3*ZiC98C75S$Pr`kU;F$h4r<>wZhCY6^)oLIn+AdC3B%QgZu
zgNl-Xl_go_;MFSpSYr8RSMn=+h+EYGi$DcKvQ!zh6Z5cyMK~wWckC`Zn9LsCst_LC
zpS)bYs4rqHkOazik+4}Vq0y~<8j*5-f18a{orMo6D_&K4Y$;{LTe)0NJ$bIB%!w}s
zU<l1n8$+o!IJWp2;<XX|(FNG9T4jmi*kk}~m3cHGnDWfYE^PnWIZxSTj_HZlvOIdu
zhXiwqzb*Ub^E!XIM9V{>+h1y^1S|42(EklG5_3@DdhzXSHUI0DjPgcS9w1)jy2^E)
zaO-?tEcF&uOfoF(4m=Z2jrvuZp|4j+L;7m@2%vw<9{Rl;CC3I`8HJFr1zy>PN$~yh
ze%{#?7kjrlpWn!%+6yEXrV6vQik$04u@9IS>QqYB!8#TwzxQP6a}8K=T)zX&tVw{5
z$6-l@BXpAiYab1vD=2_|S>j4&&Kk<atorV`Z0VpV$e02qgoEG{J+wW&%2*gc|K0#D
z_4TLu7-`SKm%hSfjr%$vbyP%7?FxfWZ-YC^##(F<1~^jjlQ4Wh{_y_g6m63gD1}m9
z1I1Z1GuqMcpu7Y+s{F2C%eEaW5O^fLcwrRj*LNZt*XzRKey~|v;DuLeW&Y9WE{^5$
zIRpU>RwP7xHm!Eg7nx}QTqaynGf*0?j#bh#J676t#PO+xgn_`hH=5N}<W6a}rZ?tm
zW6V&?rm<OIAov?PF7JT2TshNI*4zS*%<kCgT!a^wLx$tL(5xR&h|VK+{U-SBhlsAs
z1+)5V0${;(HDVCjnfeaaHbi}cBrMWbTQ?pBkUm&@A5WVquatgHRguR^!i*%HIU-A5
zVp)5yb$FSGd@kt4sf0;5J*hETr|xz6r;FC0AED5$Pn1BWMdg2&9Z7g43dx#FVjEfR
zPTrW*M(t({f8kEx$%9ay5{+E)6Nkc|7Fc;p1zbsW&KNpW^Byv&04Cp^BrU30-#WB^
zQ?{gD<dvS=F5)twI;xhc!eB|X>X6qN^SP)nnIVf?J|zffy0=*1P3^T|%;#RS#*bCl
zm>k3kzzE;9LQ5vBz&iQ5fws2CINiMOIKg2WIdV~&zK4t|+zqjxU}nZ{DvGm{``0Pq
z%1Grb9xCwvN@Cl6(7;xwuMsfFZ)2cglbGT?@S#(w%aRQDxWNXxgB*W?)sbYxOC(KN
z1NpCs8lP&)B`%*#6!4z`8DZMIRbQPm!$g;~Gy-b7L_sS2G-^g&ecUbro`dg^bk6#)
zs|WT8_dyA~yYP$)q2RA1IIS{`=L@fX{mG{NTgVLMnCWKBMcP%>wo5(oZ^l-~RckYb
zGqZ=MiOqt)_Pi4d%BjJ6A;~d`x0k0(D0!}SO`)fKne-$~wz8vXOYQgP$4O*m+f#Pb
zpF76>#`4^_9bCj~C?rX<en>>Nrj3dn=sJBj7$Q?cxvoG!w#k)|U88!+|FieXv*_<3
zo;Rfm2ynVyN9aD8`)B*2GLPP@u{i6N&9Gx5X{WM>YhG@*3&btA%H9S6nf|5+cN*D^
zIUf>(&bfjAo4d8lez@nP7U_gdZ^ghU0S5qQMIzrCE&ukeP9fz5v+1-~qqsTlhMC>#
zU`WsAGm@=AQ38{IIlWO}X}m@tXz~GW(TGWx1zy}qbC@914rL>8_4>*Sg9)^MXQxu-
z2^Ld4fxwx0Zr=33zk)ub?X`3w&DLhOJ5}(i#p{$T3CDU(_}c+LnxcGjBOlZG!Hbj-
zu=?eg5_%v_>^|;ACg<8|Tpf1PvO|FWvKP&<;)nA@>xjxn17|ysl`&TkNq6kq^ur29
zb3Ryfpxu<8!6PG*>p5srgd-<<_e9Jy9RT(;q6KdvyL8YZ1=@(Tx|nq4yL}np=ri(8
z@ss%)!YCzZILO1P5I884?Gz5l#|f*tM(RJr_Z1dy^iz_b6%^JN(@Ki=2c@0!eBV&k
zOz(jGfLp7A4n@e$yOMQ#;ZQlri;xe~MBgSCV`SGE3Iyd7(5&|raKO{Cmckxl&BZu}
z9#r>9!!cjKe@HG@gZW&E0^yR3yd)G{Umvk!=V}nRMWENPC5xSE#-VC9M}}Bul4!5Z
zt-Jg+52%QpkaR<V>@QRcDJkA8;w>aV)V;tsq9zK9pSj2wZr?NkZLBKPcpVq0IDAD_
z78BH8;_@W5YW-2&RMGG=2qmEl6cDi!g3Crq@I08lDvLvN<0nC!67p-}VWP1i52MPh
z>d7-LXqOVWNLBEIvQrfOa(L3uST+e=ejp`MjcpDk!GaT_=?c7kUxuT0P&IloMF(nO
zr|0K!g<%;6ldub~bbu3R5FhsdFWn5(I{@}e&f2spI_DX3f6E3~4RMW3$GDrLk<6z|
zhV1fD<tRo?A$pIr!<>nSNsBR6<%`VS$U~?{`b9I@D#(LZ<Hq_FzCj9Z(2pA)z`EO2
zxO;H8=g}&;!O?HrqLRD|Do!S-SiPT=`PZw9<D*;ckz&rV#F{ORt%iN@_N#*5eJ^iW
z=&S)y5m14`xRk`wrR+W6i&yV0Y<n)61m&RGh?3i+o58V8fpdGuPrjyWIu&mOdMpgk
zF6C+fYNL$G;Wt-Ngrzhu&XCoE^XypNkOW`Nx;&ne_^niQkG)jO0L%S-X&~wT;>-cE
zo;z?+l94%}8)j+Q*JsmAuk)8TP<CRHL)6+}rk#3FwpX_dn4n{tm{lDU3lMt$J=;zB
zz_pm8Lv)vl-8B>S(R)G8Z$MYT@^epUD(eT;_HDruz5FlMn9tLKcht*k4xG%$9aB37
z0e;e{DvUDNHLXD#Wq9d4ml_%4`F|=|uX+W|(TLs-<Vvs;v;+=|c?@sdW;d3A3fUHx
z|Gac=?*F#ijeCNG*-nVY4e(H-%_x9=M01Ri$jh19=)6<_cKoKLX>9z#6FUwM>9RR<
z8~i27mD1^kvxE09Y3dAYEE)gDlH3Okh&SKN``q#&y7u%B;r#bNMqnClXdv%65ZBau
ziT84gUL{!16V^plsMqBjX*r5AqVO7~HWVQeFlgH}ZKoT@is`F#0dmZBF0CUe&2L?~
z#Y}&LjbFP0dA`=$WRQN7F>>Cqgn(b_AIG+JwjUUl`aBVbZrwwl-(*mUu%^moJ2vnd
z!6Rl-)T9EGF++bs#clJ+YuWgTx2?aV9UOJyJ9;Mcl(f$(rKY;z_wa;(uC!m$$B~0>
zwg795$nyrH2*2%K*z|^7m@624iqxY?P^7J}(AgI`U>EUsV70B@CeYtAQh^SG*v3QF
zrt7<Qn5{Ty3}C*U+2s&$WG^xPPm-T1(b+*O)3%276X%}UCczyrOq1*Mcqrb;1K~Xm
zI6wBwbu>j#HIzHS3r9_{b0(Ngf>w%fyv&d*`Ml8U&`FO%5r1ha`T1Ws;WxAGSMyD<
zo8XUWK2C(WWRcSCoR&S`02bt=x?N)p{gO84Er@nK1~3T)T>-iTIkyT16S*{OP5B3q
zu|-NKwZtU1*jh<T9<+sD7w2@o!zO(CDa6uAf(F3CH<e~2`ud-C*IHVcbDplxAY5pt
zMz1y$sz`erBZd6xlis8W*j8%($qs4JG1d5JKs>9iM*Hhq##D(rk*#PM*V>(4brpgQ
zJ_0KrI=rDh?wpuIwHC;)eCuYf=~!WS{ygJ}WBXwEtC{_peOV&CJKbE1oyi~nSW7g|
zqlN4xb!fO%A--p0MS~)FNO=54&~$+UP6tkmrSD+u{~XCVXx$+iGTX4YkTY=Z7EL8=
z)QOOdde+{dC98%SrBtejR?0en88z)WgLH>Eya~Mg4DdD??XvevOJ!G4AYGC$2$M<p
zN9h@IRzNF=?C!*iQDg<tI&8SQK{Vq}M!liVZpzl1xAHo$%TpoVQkMp@JI=$Pq;}y0
zr451-N=E<}s7#L;cbDIu<NqBYij=N32!#~0k!Dfb7E=bCV1EU!|BJ=nQPOg19<(yn
zbc?5uLI4iSd9}X3M!0S@_}4Jk49RHI$1~xMP1vKlc<dvA1<d6Wsrc2nekzT_Ye<q5
zJ-B^LAC9Jt3=I6b_km2uFB^g$i~KyxW!+dZ3{AH^i8LwheV4T6TH0$p4#1e2Ng?Rv
zs`PCu#>hO*0BUC7@E<L;!%@}^JW=TL+^M8Ds>&8ULJWdMR1Fs5aY0km53OUfU@e~W
zLGM|i*|Tz#f;`8==@d+;kX+xpY26GKy6a1fZvna{ihLy4Y0I4fVsVK>5shU%+9LEg
z5XF`~2|Z2g>aNi7{-MmMlwkdE-lK3ZS`5y+hXJrJ!CjGGnkvQnBH(RzHDK5OG9kc*
z`g`|BY6N(Cinl)aY=ZGspAPrDm6T<(d1gC2h$EuAAH`8RS<OkOgi#}30oW>5#?W7J
zQR+9%Y4PMb?-KkbpV>9GUV}?;QJAn3mR_#=z`R(4L0ePMzv-Ggg8spu@))j>ru^bS
zwF7bGK(jcJ>IyU=3n&)qqeUS9S}Xc><Xi_BBr&t)#O1XsZvw=+b^$%>rW^?rCaemX
z^qk<~S)7$+M>RK>AI@a*c&AHteHGf1kB9*Tn>v?edmQqA;=VehMGl<_51s+_l|>@L
z2PQy;#9QI<R>T^BWk0{ve7ku3b9CB3n7xc-kRXz4KB-#ZH>h+sUDb+kf}BNtB5*fp
zPr}DhJW?*--4Yt{ZZ5`ttGHcJZDC6FWyH@j(33GnQlT;8nm(iz_-wN`)`xq+&%Ee}
zJ4z9QnHX$^Q#~?)YdB6Q8(6Y}XjvrGXSw;>h1Sb3x$Vo4!2^8*pzIZ%{nA)RxMz;{
z7iR@1b%c@+T2c;do4$|HtcjzC=eb-DQ9qr<zt3s^#~hoT863m8^7dgWklmht{4TUL
m-(ve_Xja(nfC9B2K-9iznhD~>dt@|7gK~SzU<NgFakAFB&Im04

diff --git a/backend/models/user_model.py b/backend/models/user_model.py
index 5f02ebe..b7e0afe 100644
--- a/backend/models/user_model.py
+++ b/backend/models/user_model.py
@@ -3,6 +3,7 @@
 Example user model and related models
 """
 import json
+from enum import Enum
 
 import sqlalchemy
 from sqlalchemy.orm import relation, validates
@@ -253,12 +254,24 @@ class User(UserMixin, db.Model):
 
     @property
     def effective_permissions(self):
-        permissions = Config.ROLE_PERMISSION_MAPPINGS.get(self.role, set())
+        role_permissions = Config.ROLE_PERMISSION_MAPPINGS.get(self.role, set())
+        permissions = set(Permission.query.filter(Permission.name.in_(role_permissions)).all())
+
         for g in self.groups:
             for p in g.permissions:
                 permissions.add(p)
         return permissions
 
+    def has_permission(self, permission):
+        user_permissions = self.effective_permissions
+        if isinstance(permission, str):
+            return any([user_permission.name == permission for user_permission in user_permissions])
+        if isinstance(permission, Permission):
+            return any([user_permission.id == permission.id for user_permission in user_permissions])
+        if isinstance(permission, Enum):
+            return any([user_permission.name == str(permission.value) for user_permission in user_permissions])
+        return False
+
     @staticmethod
     def decode_auth_token(auth_token):
         """