[Issue #6537] pre load roles when checking access (#6977)

## Summary

<!-- Use "Fixes" to automatically close issue upon PR merge. Use "Work
for" when UAT is required. -->
Fixes / Work for #6537 

## Changes proposed

Wrapper function around can_access method to reduce database calls to
fetch roles.
Update code to use wrapper function
Tests updated

Author: babebe

api/src/auth/endpoint_access_util.py

@@ -1,12 +1,14 @@
 import logging
 from typing import Any
 
+from src.adapters import db
 from src.api.route_utils import raise_flask_error
 from src.constants.lookup_constants import Privilege
 from src.db.models.agency_models import Agency
 from src.db.models.competition_models import Application
 from src.db.models.entity_models import Organization
 from src.db.models.user_models import Role, User
+from src.services.users.get_roles_and_privileges import get_roles_and_privileges
 
 logger = logging.getLogger(__name__)
 
@@ -113,3 +115,16 @@ def get_log_info_for_resource(resource: Organization | Application | Agency | No
         log_info["agency_code"] = resource.agency_code
 
     return log_info
+
+
+def check_user_access(
+    db_session: db.Session,
+    user: User,
+    allowed_privileges: set[Privilege],
+    resource: Organization | Application | Agency | None,
+) -> None:
+    """Wrapper function to preload all roles and privileges for the given user
+    then checks access using the in-memory data."""
+    user_with_role = get_roles_and_privileges(db_session, user.user_id)
+    if not user_with_role or not can_access(user_with_role, allowed_privileges, resource):
+        raise_flask_error(403, "Forbidden")

api/src/services/applications/add_organization_to_application.py

@@ -6,7 +6,7 @@
 
 import src.adapters.db as db
 from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import (
     ApplicationAuditEvent,
     CompetitionOpenToApplicant,
@@ -52,28 +52,20 @@ def add_organization_to_application(
 
     # Get the organization (raises 404 if not found)
     organization = get_organization(db_session, organization_id)
-
     # Check user has MODIFY_APPLICATION privilege for the application
-    if not can_access(user, {Privilege.MODIFY_APPLICATION}, application):
-        logger.info(
-            "User does not have MODIFY_APPLICATION privilege",
-            extra={
-                "user_id": user.user_id,
-                "application_id": application_id,
-            },
-        )
-        raise_flask_error(403, "Forbidden")
-
+    check_user_access(
+        db_session,
+        user,
+        {Privilege.MODIFY_APPLICATION},
+        application,
+    )
     # Check user has START_APPLICATION privilege for the organization
-    if not can_access(user, {Privilege.START_APPLICATION}, organization):
-        logger.info(
-            "User does not have START_APPLICATION privilege for organization",
-            extra={
-                "user_id": user.user_id,
-                "organization_id": organization_id,
-            },
-        )
-        raise_flask_error(403, "Forbidden")
+    check_user_access(
+        db_session,
+        user,
+        {Privilege.START_APPLICATION},
+        organization,
+    )
 
     # Validate application is in progress
     validate_application_in_progress(application, ApplicationAction.MODIFY)

api/src/services/applications/create_application.py

@@ -7,7 +7,7 @@
 
 import src.adapters.db as db
 from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import (
     ApplicationAuditEvent,
     ApplicationStatus,
@@ -130,8 +130,12 @@ def create_application(
             raise_flask_error(404, "Organization not found")
 
         # Check privileges
-        if not can_access(user, {Privilege.START_APPLICATION}, organization):
-            raise_flask_error(403, "Forbidden")
+        check_user_access(
+            db_session,
+            user,
+            {Privilege.START_APPLICATION},
+            organization,
+        )
 
     # Verify the competition is open
     validate_competition_open(competition, ApplicationAction.START)

api/src/services/applications/create_application_attachment.py

@@ -8,7 +8,7 @@
 import src.util.file_util as file_util
 from src.adapters.aws import S3Config
 from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import ApplicationAuditEvent, Privilege, SubmissionIssue
 from src.db.models.competition_models import Application, ApplicationAttachment
 from src.db.models.user_models import User
@@ -25,8 +25,7 @@ def create_application_attachment(
     application = get_application(db_session, application_id, user)
 
     # Check privileges
-    if not can_access(user, {Privilege.MODIFY_APPLICATION}, application):
-        raise_flask_error(403, "Forbidden")
+    check_user_access(db_session, user, {Privilege.MODIFY_APPLICATION}, application)
 
     application_attachment = upsert_application_attachment(
         db_session=db_session,

api/src/services/applications/delete_application_attachment.py

@@ -2,8 +2,7 @@
 import uuid
 
 import src.adapters.db as db
-from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import ApplicationAuditEvent, Privilege
 from src.db.models.user_models import User
 from src.services.applications.application_audit import add_audit_event
@@ -26,9 +25,9 @@ def delete_application_attachment(
         db_session, application_id, application_attachment_id, user
     )
     # Check privileges
-    if not can_access(user, {Privilege.MODIFY_APPLICATION}, application_attachment.application):
-        raise_flask_error(403, "Forbidden")
-
+    check_user_access(
+        db_session, user, {Privilege.MODIFY_APPLICATION}, application_attachment.application
+    )
     # Delete the file from s3
     logger.info("Deleting application attachment from s3")
     file_util.delete_file(application_attachment.file_location)

api/src/services/applications/get_application.py

@@ -7,8 +7,8 @@
 import src.adapters.db as db
 from src.api.response import ValidationErrorDetail
 from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
-from src.constants.lookup_constants import Privilege, SubmissionIssue
+from src.auth.endpoint_access_util import check_user_access
+from src.constants.lookup_constants import Privilege
 from src.db.models.competition_models import (
     Application,
     ApplicationForm,
@@ -132,15 +132,12 @@ def get_application_with_auth(
     if not user and not is_internal_user:
         raise Exception("No user found, but not marked as internal auth")
     # Check privileges
-    if user and not can_access(user, {Privilege.VIEW_APPLICATION}, application):
-        logger.info(
-            "User attempted to access an application they are not associated with",
-            extra={
-                "user_id": user.user_id,
-                "application_id": application.application_id,
-                "submission_issue": SubmissionIssue.UNAUTHORIZED_APPLICATION_ACCESS,
-            },
+    if user:
+        check_user_access(
+            db_session,
+            user,
+            {Privilege.VIEW_APPLICATION},
+            application,
         )
-        raise_flask_error(403, "Forbidden")
 
     return application

api/src/services/applications/submit_application.py

@@ -2,8 +2,7 @@
 from uuid import UUID
 
 import src.adapters.db as db
-from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import ApplicationAuditEvent, ApplicationStatus, Privilege
 from src.db.models.competition_models import Application
 from src.db.models.user_models import User
@@ -31,8 +30,12 @@ def submit_application(db_session: db.Session, application_id: UUID, user: User)
     application = get_application(db_session, application_id, user)
 
     # Check privileges
-    if not can_access(user, {Privilege.SUBMIT_APPLICATION}, application):
-        raise_flask_error(403, "Forbidden")
+    check_user_access(
+        db_session,
+        user,
+        {Privilege.SUBMIT_APPLICATION},
+        application,
+    )
 
     # Run validations
     validate_application_in_progress(application, ApplicationAction.SUBMIT)

api/src/services/applications/update_application.py

@@ -3,8 +3,7 @@
 from uuid import UUID
 
 import src.adapters.db as db
-from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import ApplicationAuditEvent, Privilege
 from src.db.models.competition_models import Application
 from src.db.models.user_models import User
@@ -39,8 +38,12 @@ def update_application(
     # Get application (this will check if it exists and if user has access)
     application = get_application(db_session, application_id, user)
     # Check privileges
-    if not can_access(user, {Privilege.MODIFY_APPLICATION}, application):
-        raise_flask_error(403, "Forbidden")
+    check_user_access(
+        db_session,
+        user,
+        {Privilege.MODIFY_APPLICATION},
+        application,
+    )
 
     # Don't let a user update an existing application
     validate_application_in_progress(application, ApplicationAction.MODIFY)

api/src/services/applications/update_application_attachment.py

@@ -3,8 +3,7 @@
 
 import src.adapters.db as db
 import src.util.file_util as file_util
-from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import ApplicationAuditEvent, Privilege
 from src.db.models.competition_models import ApplicationAttachment
 from src.db.models.user_models import User
@@ -28,8 +27,12 @@ def update_application_attachment(
         db_session, application_id, application_attachment_id, user
     )
     # Check privileges
-    if not can_access(user, {Privilege.MODIFY_APPLICATION}, application_attachment.application):
-        raise_flask_error(403, "Forbidden")
+    check_user_access(
+        db_session,
+        user,
+        {Privilege.MODIFY_APPLICATION},
+        application_attachment.application,
+    )
 
     # Store the old file location before updating
     old_s3_file_location = application_attachment.file_location

api/src/services/applications/update_application_form.py

@@ -6,7 +6,7 @@
 import src.adapters.db as db
 from src.api.response import ValidationErrorDetail
 from src.api.route_utils import raise_flask_error
-from src.auth.endpoint_access_util import can_access
+from src.auth.endpoint_access_util import check_user_access
 from src.constants.lookup_constants import ApplicationAuditEvent, Privilege, SubmissionIssue
 from src.db.models.competition_models import ApplicationForm, CompetitionForm
 from src.db.models.user_models import User
@@ -63,8 +63,12 @@ def update_application_form(
     application = get_application(db_session, application_id, user)
 
     # Check privileges
-    if not can_access(user, {Privilege.MODIFY_APPLICATION}, application):
-        raise_flask_error(403, "Forbidden")
+    check_user_access(
+        db_session,
+        user,
+        {Privilege.MODIFY_APPLICATION},
+        application,
+    )
 
     # Validate the application is in progress and can be modified
     validate_application_in_progress(application, ApplicationAction.MODIFY)