be changes/group ownership for tags

Author: ciur

papermerge/core/features/tags/db/api.py

@@ -102,10 +102,10 @@ def get_tag(
 
 
 def create_tag(
-    db_session, attrs: schema.CreateTag, user_id: uuid.UUID
+    db_session, attrs: schema.CreateTag
 ) -> Tuple[schema.Tag | None, schema.Error | None]:
 
-    db_tag = orm.Tag(user_id=user_id, **attrs.model_dump())
+    db_tag = orm.Tag(**attrs.model_dump())
     db_session.add(db_tag)
 
     try:

papermerge/core/features/tags/router.py

@@ -2,21 +2,22 @@
 from typing import Annotated
 from uuid import UUID
 
-from fastapi import APIRouter, Depends, HTTPException, Security
+from fastapi import APIRouter, Depends, HTTPException, Security, status
 
 from papermerge.core.db.engine import Session
 from papermerge.core import utils
 from papermerge.core.features.users import schema as usr_schema
 from papermerge.core.features.auth import get_current_user
 from papermerge.core.features.auth import scopes
 
-from papermerge.core.routers.params import CommonQueryParams
-
+from papermerge.core.features.users.db import api as users_dbapi
 from papermerge.core.features.tags.db import api as tags_dbapi
 from papermerge.core.features.tags import schema as tags_schema
 from papermerge.core.exceptions import EntityNotFound
+from papermerge.core.routers.common import OPEN_API_GENERIC_JSON_DETAIL
 from .types import PaginatedQueryParams
 
+
 router = APIRouter(
     prefix="/tags",
     tags=["tags"],
@@ -88,20 +89,48 @@ def get_tag_details(
     return tag
 
 
-@router.post("/", status_code=201)
+@router.post(
+    "/",
+    status_code=201,
+    responses={
+        status.HTTP_403_FORBIDDEN: {
+            "description": """User does not belong to group""",
+            "content": OPEN_API_GENERIC_JSON_DETAIL,
+        }
+    },
+)
 @utils.docstring_parameter(scope=scopes.TAG_CREATE)
 def create_tag(
     attrs: tags_schema.CreateTag,
     user: Annotated[
         usr_schema.User, Security(get_current_user, scopes=[scopes.TAG_CREATE])
     ],
 ) -> tags_schema.Tag:
-    """Creates user tag
+    """Creates tag
+
+    If attribute `group_id` is present, tag will be owned
+    by respective group, otherwise ownership is set to current user.
+    If attribute `group_id` is present then current user should
+    belong to that group, otherwise http status 403 (Forbidden) will
+    be raised.
 
     Required scope: `{scope}`
     """
+    if not attrs.group_id:
+        attrs.user_id = user.id
+
     with Session() as db_session:
-        tag, error = tags_dbapi.create_tag(db_session, attrs=attrs, user_id=user.id)
+        if attrs.group_id:
+            group_id = attrs.group_id
+            ok = users_dbapi.user_belongs_to(
+                db_session, user_id=user.id, group_id=group_id
+            )
+            if not ok:
+                detail = f"User {user.id=} does not belong to group {group_id=}"
+                raise HTTPException(
+                    status_code=status.HTTP_403_FORBIDDEN, detail=detail
+                )
+        tag, error = tags_dbapi.create_tag(db_session, attrs=attrs)
 
     if error:
         raise HTTPException(status_code=400, detail=error.model_dump())

papermerge/core/features/tags/schema.py

@@ -24,6 +24,8 @@ class CreateTag(BaseModel):
     fg_color: str = DEFAULT_TAG_FG_COLOR
     description: str | None = None
     pinned: bool = False
+    group_id: UUID | None = None
+    user_id: UUID | None = None
 
     # Config
     model_config = ConfigDict(from_attributes=True)
@@ -35,6 +37,8 @@ class UpdateTag(BaseModel):
     fg_color: Optional[str] = None
     description: Optional[str] = None
     pinned: Optional[bool] = False
+    group_id: UUID | None = None
+    user_id: UUID | None = None
 
     # Config
     model_config = ConfigDict(from_attributes=True)