Add delete:revision, delete:node scopes (#1217)

* Add delete:metadata, delete:data scopes

* Add delete scopes to authn db

* Add test for access control on node deletion

* Add delete scopes to example config

Also add missing "register" scope to example config. Finally, define
a datbaase uri in the example config, since `get_database_engine` currently
interprets a missing uri as being in single user mode.

* Update changelog

* Add delete scopes to docs

* Add authn database migration for new delete scopes

* Add test for scopes on metadata revision deletion

* Fix linter error caused by alembic

* Rename deletion scopes for clarity

Author: nmaytan

CHANGELOG.md

@@ -9,6 +9,7 @@ Write the date in place of the "Unreleased" in the case a new version is release
 
 - Optional `persist` query parameter to PUT and PATCH /array/... routes, and
   the corresponding DaskArrayClient methods: `write`, `write_block`, `patch`.
+- Added new delete:node and delete:revision scopes
 
 ### Changed
 
@@ -17,6 +18,13 @@ Write the date in place of the "Unreleased" in the case a new version is release
   manage the deployment and associated certificates.) **The demo remains
   world-public, with no login required.** This change affects some
   documentation and one test.
+- Deletion of nodes or metadata revisions now requires deletion scopes,
+  rather than writing scopes.
+
+## Fixed
+
+- Fixed a couple of bugs in the example config, to restore it to working order
+
 
 ## v0.2.0 (2025-10-29)
 

docs/source/reference/scopes.md

@@ -11,6 +11,8 @@ with restricted scopes.
 * `create` --- Create a new node.
 * `write:metadata` --- Write metadata.
 * `write:data` --- Write (array, table) data.
+* `delete:revision` --- Delete metadata revisions
+* `delete:node` --- Delete a node
 * `apikeys` --- Manage API keys for the currently-authenticated user or service.
 * `metrics` --- Access Prometheus metrics.
 * `admin:apikeys` --- Manage API keys on behalf of any user or service.

example_configs/access_tags/tag_definitions.yml

@@ -2,7 +2,10 @@ roles:
   facility_user:
     scopes: ["read:data", "read:metadata"]
   facility_admin:
-    scopes: ["read:data", "read:metadata", "write:data", "write:metadata", "create", "register"]
+    scopes: ["read:data", "read:metadata",
+             "write:data", "write:metadata",
+             "delete:node", "delete:revision",
+             "create", "register"]
 tags:
   data_A:
     groups:

example_configs/toy_authentication.yml

@@ -12,6 +12,9 @@ authentication:
   tiled_admins:
     - provider: toy
       id: admin
+database:
+  uri: "sqlite:///file:authn_mem?mode=memory&cache=shared&uri=true"
+  init_if_not_exists: true
 access_control:
   access_policy: "tiled.access_control.access_policies:TagBasedAccessPolicy"
   args:
@@ -21,7 +24,10 @@ access_control:
     - "read:data"
     - "write:metadata"
     - "write:data"
+    - "delete:revision"
+    - "delete:node"
     - "create"
+    - "register"
     tags_db:
       uri: "file:example_configs/access_tags/compiled_tags.sqlite"
     access_tags_parser: "tiled.access_control.access_tags:AccessTagsParser"

tiled/_tests/test_access_control.py

@@ -66,6 +66,8 @@
                 "read:metadata",
                 "write:data",
                 "write:metadata",
+                "delete:node",
+                "delete:revision",
                 "create",
                 "register",
             ]
@@ -651,6 +653,23 @@ def test_writing_access_control(access_control_test_context_factory):
         sue_client[top].write_array(arr, key="data_X", access_tags=["chemists_tag"])
 
 
+def test_deletion_access_control(access_control_test_context_factory):
+    """
+    Test that deletion access control is working.
+    Only tests that the deletion request does not fail.
+    Does not test that data is actually deleted.
+    """
+
+    alice_client = access_control_test_context_factory("alice", "alice")
+    chris_client = access_control_test_context_factory("chris", "chris")
+
+    top = "foo"
+    alice_client[top].write_array(arr, key="data_H", access_tags=["alice_tag"])
+    with fail_with_status_code(HTTP_403_FORBIDDEN):
+        chris_client[top]["data_H"].delete(external_only=False)
+    alice_client[top]["data_H"].delete(external_only=False)
+
+
 def test_user_owned_node_access_control(access_control_test_context_factory):
     """
     Test that user-owned nodes (i.e. nodes created without access tags applied)
@@ -756,6 +775,8 @@ def test_update_node_access_control(access_control_test_context_factory):
     This tests the following:
       - Update metadata while having write access
       - Prevent updating metadata without having write access
+      - Prevent deleting a metadata revision without having deletion access
+      - Delete a metadata revision while having deletion access
       - Successfully add an access tag and remove an access tag
       - Prevent adding or removing an access tag without having write access
       - Prevent adding or removing access tags which the user does not own
@@ -783,6 +804,13 @@ def test_update_node_access_control(access_control_test_context_factory):
             )
         assert "Au" not in chris_client[top][data].metadata["materials"]
 
+        # fails to delete a metadata revision
+        with fail_with_status_code(HTTP_403_FORBIDDEN):
+            chris_client[top][data].metadata_revisions.delete_revision(1)
+
+        # succeeds to delete a metadata revision
+        alice_client[top][data].metadata_revisions.delete_revision(1)
+
         # succeeds to add a new access tag and remove the old access tag
         alice_client[top][data].replace_metadata(access_tags=["biologists_tag"])
         access_tags = alice_client[top][data].access_blob["tags"]

tiled/access_control/scopes.py

@@ -3,6 +3,8 @@
     "read:data": {"description": "Read data."},
     "write:metadata": {"description": "Write metadata."},
     "write:data": {"description": "Write data."},
+    "delete:revision": {"description": "Delete metadata revisions."},
+    "delete:node": {"description": "Delete a node."},
     "create": {"description": "Add a node."},
     "register": {"description": "Register externally-managed assets."},
     "metrics": {"description": "Access (Prometheus) metrics."},
@@ -28,6 +30,8 @@
         "read:data",
         "write:metadata",
         "write:data",
+        "delete:revision",
+        "delete:node",
         "create",
         "register",
         "metrics",

tiled/authn_database/core.py

@@ -13,6 +13,7 @@
 
 # This is list of all valid alembic revisions (from current to oldest).
 ALL_REVISIONS = [
+    "27e069ba3bf5",
     "a806cc635ab2",
     "0c705a02954c",
     "d88e91ea03f9",
@@ -38,6 +39,8 @@ async def create_default_roles(db):
                 "create",
                 "write:metadata",
                 "write:data",
+                "delete:revision",
+                "delete:node",
                 "apikeys",
             ],
         ),
@@ -51,6 +54,8 @@ async def create_default_roles(db):
                 "register",
                 "write:metadata",
                 "write:data",
+                "delete:revision",
+                "delete:node",
                 "admin:apikeys",
                 "read:principals",
                 "write:principals",

tiled/authn_database/migrations/versions/27e069ba3bf5_add_deletion_scopes_to_default_roles.py

@@ -0,0 +1,51 @@
+"""Add deletion scopes to default Roles
+
+Revision ID: 27e069ba3bf5
+Revises: a806cc635ab2
+Create Date: 2025-11-06 19:53:44.355094
+
+"""
+from alembic import op
+from sqlalchemy.orm.session import Session
+
+from tiled.authn_database.orm import Role
+
+# revision identifiers, used by Alembic.
+revision = "27e069ba3bf5"
+down_revision = "a806cc635ab2"
+branch_labels = None
+depends_on = None
+
+
+ROLES = ["admin", "user"]
+NEW_SCOPES = ["delete:revision", "delete:node"]
+
+
+def upgrade():
+    """
+    Add new scopes to Roles.
+    """
+    connection = op.get_bind()
+    with Session(bind=connection) as db:
+        for role_name in ROLES:
+            role = db.query(Role).filter(Role.name == role_name).first()
+            scopes = role.scopes.copy()
+            scopes.extend(NEW_SCOPES)
+            role.scopes = scopes
+            db.commit()
+
+
+def downgrade():
+    """
+    Remove new scopes from Roles, if present.
+    """
+    connection = op.get_bind()
+    with Session(bind=connection) as db:
+        for role_name in ROLES:
+            role = db.query(Role).filter(Role.name == role_name).first()
+            scopes = role.scopes.copy()
+            for scope in NEW_SCOPES:
+                if scope in scopes:
+                    scopes.remove(scope)
+            role.scopes = scopes
+            db.commit()

tiled/server/router.py

@@ -1692,11 +1692,11 @@ async def delete(
         session_state: dict = Depends(get_session_state),
         authn_access_tags: Optional[AccessTags] = Depends(get_current_access_tags),
         authn_scopes: Scopes = Depends(get_current_scopes),
-        _=Security(check_scopes, scopes=["write:data", "write:metadata"]),
+        _=Security(check_scopes, scopes=["delete:node", "delete:revision"]),
     ):
         entry = await get_entry(
             path,
-            ["write:data", "write:metadata"],
+            ["delete:node", "delete:revision"],
             principal,
             authn_access_tags,
             authn_scopes,
@@ -2252,11 +2252,11 @@ async def delete_revision(
         session_state: dict = Depends(get_session_state),
         authn_access_tags: Optional[AccessTags] = Depends(get_current_access_tags),
         authn_scopes: Scopes = Depends(get_current_scopes),
-        _=Security(check_scopes, scopes=["write:metadata"]),
+        _=Security(check_scopes, scopes=["delete:revision"]),
     ):
         entry = await get_entry(
             path,
-            ["write:metadata"],
+            ["delete:revision"],
             principal,
             authn_access_tags,
             authn_scopes,