Describe the bug
Following the permissions convention (Read, Write, Delete and Update), the scopes in routes/incidents.py are used incorrectly. For instance, the call to delete incident:
```python
@router.delete(
    "/{incident_id}",
    description="Delete incident by incident id",
)
def delete_incident(
    incident_id: UUID,
    authenticated_entity: AuthenticatedEntity = Depends(
        IdentityManagerFactory.get_auth_verifier(["write:incident"])
    ),
    pusher_client: Pusher | None = Depends(get_pusher_client),
    session: Session = Depends(get_session),
):
    tenant_id = authenticated_entity.tenant_id
    incident_bl = IncidentBl(tenant_id, session, pusher_client)
    incident_bl.delete_incident(incident_id)
    return Response(status_code=202)
```
has the scope write:incident; this should be delete:incident, it's obvious. Moreover, if we want to have a role who can modify the status but not delete the incident itself, we couldn't do it.
On the other hand, it seems there is a typo, with 2 different scopes (incident and incidentS). I understand this should be unified into a unique scope.
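
Added example (not part of the original report and not the project's own code): a static check that parses route source with `ast` and flags scopes whose verb does not match the HTTP method, plus resources spelled both singular and plural. The method-to-verb mapping, the sample routes and the `read:incidents` scope are assumptions constructed for illustration.

```python
import ast
from collections import defaultdict

# Assumed mapping from HTTP method to the Read/Write/Delete/Update convention.
EXPECTED_VERB = {"get": "read", "post": "write", "put": "update",
                 "patch": "update", "delete": "delete"}

# Constructed sample modelled on the route quoted in the issue.
SAMPLE = '''
@router.get("/{incident_id}")
def get_incident(incident_id, auth=Depends(
        IdentityManagerFactory.get_auth_verifier(["read:incidents"]))):
    pass

@router.delete("/{incident_id}")
def delete_incident(incident_id, auth=Depends(
        IdentityManagerFactory.get_auth_verifier(["write:incident"]))):
    pass
'''

def route_scopes(source):
    """Yield (function name, HTTP method, [scopes]) for each decorated route."""
    for fn in ast.walk(ast.parse(source)):
        if not isinstance(fn, (ast.FunctionDef, ast.AsyncFunctionDef)):
            continue
        methods = [d.func.attr for d in fn.decorator_list
                   if isinstance(d, ast.Call) and isinstance(d.func, ast.Attribute)
                   and d.func.attr in EXPECTED_VERB]
        scopes = [elt.value
                  for node in ast.walk(fn.args)
                  if isinstance(node, ast.Call)
                  and getattr(node.func, "attr", "") == "get_auth_verifier"
                  for arg in node.args if isinstance(arg, ast.List)
                  for elt in arg.elts if isinstance(elt, ast.Constant)]
        for method in methods:
            yield fn.name, method, scopes

def audit(source):
    """Return (verb mismatches, resources spelled both singular and plural)."""
    mismatches, resources = [], defaultdict(set)
    for name, method, scopes in route_scopes(source):
        for scope in scopes:
            verb, _, resource = scope.partition(":")
            resources[resource.rstrip("s")].add(resource)  # naive singular form
            if verb != EXPECTED_VERB[method]:
                mismatches.append((name, method, scope))
    mixed = {base: sorted(names) for base, names in resources.items() if len(names) > 1}
    return mismatches, mixed
```

Calling `audit()` on the text of a routes file returns the mismatched routes and the inconsistently named resources, so it can run as a CI check.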