Merge branch 'main' into fix-database-settings

Author: dan-fernandes

CHANGELOG.md

@@ -9,6 +9,7 @@ Write the date in place of the "Unreleased" in the case a new version is release
 
 - Optional `persist` query parameter to PUT and PATCH /array/... routes, and
   the corresponding DaskArrayClient methods: `write`, `write_block`, `patch`.
+- Added new delete:node and delete:revision scopes
 
 ### Changed
 
@@ -17,6 +18,13 @@ Write the date in place of the "Unreleased" in the case a new version is release
   manage the deployment and associated certificates.) **The demo remains
   world-public, with no login required.** This change affects some
   documentation and one test.
+- Deletion of nodes or metadata revisions now requires deletion scopes,
+  rather than writing scopes.
+
+## Fixed
+
+- Fixed a couple of bugs in the example config, to restore it to working order
+
 
 ## v0.2.0 (2025-10-29)
 

docs/source/reference/scopes.md

@@ -11,6 +11,8 @@ with restricted scopes.
 * `create` --- Create a new node.
 * `write:metadata` --- Write metadata.
 * `write:data` --- Write (array, table) data.
+* `delete:revision` --- Delete metadata revisions
+* `delete:node` --- Delete a node
 * `apikeys` --- Manage API keys for the currently-authenticated user or service.
 * `metrics` --- Access Prometheus metrics.
 * `admin:apikeys` --- Manage API keys on behalf of any user or service.

example_configs/access_tags/tag_definitions.yml

@@ -2,7 +2,10 @@ roles:
   facility_user:
     scopes: ["read:data", "read:metadata"]
   facility_admin:
-    scopes: ["read:data", "read:metadata", "write:data", "write:metadata", "create", "register"]
+    scopes: ["read:data", "read:metadata",
+             "write:data", "write:metadata",
+             "delete:node", "delete:revision",
+             "create", "register"]
 tags:
   data_A:
     groups:

example_configs/toy_authentication.yml

@@ -12,6 +12,9 @@ authentication:
   tiled_admins:
     - provider: toy
       id: admin
+database:
+  uri: "sqlite:///file:authn_mem?mode=memory&cache=shared&uri=true"
+  init_if_not_exists: true
 access_control:
   access_policy: "tiled.access_control.access_policies:TagBasedAccessPolicy"
   args:
@@ -21,7 +24,10 @@ access_control:
     - "read:data"
     - "write:metadata"
     - "write:data"
+    - "delete:revision"
+    - "delete:node"
     - "create"
+    - "register"
     tags_db:
       uri: "file:example_configs/access_tags/compiled_tags.sqlite"
     access_tags_parser: "tiled.access_control.access_tags:AccessTagsParser"

pixi.toml

@@ -16,7 +16,7 @@ msgpack-python = ">=1.0.0"
 orjson = "*"
 platformdirs = "*"
 pydantic = ">=2,<3"
-pydantic-settings = ">=2,<3"
+pydantic-settings = ">=2, <2.12.0",
 pyyaml = "*"
 typer = "*"
 

pyproject.toml

@@ -27,7 +27,7 @@ dependencies = [
     "orjson",
     "platformdirs",
     "pydantic >=2, <3",
-    "pydantic-settings >=2, <3",
+    "pydantic-settings >=2, <2.12.0",
     "pyyaml",
     "typer",
 ]

tiled/_tests/test_access_control.py

@@ -66,6 +66,8 @@
                 "read:metadata",
                 "write:data",
                 "write:metadata",
+                "delete:node",
+                "delete:revision",
                 "create",
                 "register",
             ]
@@ -651,6 +653,23 @@ def test_writing_access_control(access_control_test_context_factory):
         sue_client[top].write_array(arr, key="data_X", access_tags=["chemists_tag"])
 
 
+def test_deletion_access_control(access_control_test_context_factory):
+    """
+    Test that deletion access control is working.
+    Only tests that the deletion request does not fail.
+    Does not test that data is actually deleted.
+    """
+
+    alice_client = access_control_test_context_factory("alice", "alice")
+    chris_client = access_control_test_context_factory("chris", "chris")
+
+    top = "foo"
+    alice_client[top].write_array(arr, key="data_H", access_tags=["alice_tag"])
+    with fail_with_status_code(HTTP_403_FORBIDDEN):
+        chris_client[top]["data_H"].delete(external_only=False)
+    alice_client[top]["data_H"].delete(external_only=False)
+
+
 def test_user_owned_node_access_control(access_control_test_context_factory):
     """
     Test that user-owned nodes (i.e. nodes created without access tags applied)
@@ -756,6 +775,8 @@ def test_update_node_access_control(access_control_test_context_factory):
     This tests the following:
       - Update metadata while having write access
       - Prevent updating metadata without having write access
+      - Prevent deleting a metadata revision without having deletion access
+      - Delete a metadata revision while having deletion access
       - Successfully add an access tag and remove an access tag
       - Prevent adding or removing an access tag without having write access
       - Prevent adding or removing access tags which the user does not own
@@ -783,6 +804,13 @@ def test_update_node_access_control(access_control_test_context_factory):
             )
         assert "Au" not in chris_client[top][data].metadata["materials"]
 
+        # fails to delete a metadata revision
+        with fail_with_status_code(HTTP_403_FORBIDDEN):
+            chris_client[top][data].metadata_revisions.delete_revision(1)
+
+        # succeeds to delete a metadata revision
+        alice_client[top][data].metadata_revisions.delete_revision(1)
+
         # succeeds to add a new access tag and remove the old access tag
         alice_client[top][data].replace_metadata(access_tags=["biologists_tag"])
         access_tags = alice_client[top][data].access_blob["tags"]

tiled/access_control/scopes.py

@@ -3,6 +3,8 @@
     "read:data": {"description": "Read data."},
     "write:metadata": {"description": "Write metadata."},
     "write:data": {"description": "Write data."},
+    "delete:revision": {"description": "Delete metadata revisions."},
+    "delete:node": {"description": "Delete a node."},
     "create": {"description": "Add a node."},
     "register": {"description": "Register externally-managed assets."},
     "metrics": {"description": "Access (Prometheus) metrics."},
@@ -28,6 +30,8 @@
         "read:data",
         "write:metadata",
         "write:data",
+        "delete:revision",
+        "delete:node",
         "create",
         "register",
         "metrics",

tiled/adapters/zarr.py

@@ -145,7 +145,7 @@ def write(
             raise NotImplementedError
         self._array[self._stencil()] = data
 
-    async def write_block(
+    def write_block(
         self,
         data: NDArray[Any],
         block: Tuple[int, ...],
@@ -155,7 +155,7 @@ async def write_block(
         )
         self._array[block_slice] = data
 
-    async def patch(
+    def patch(
         self,
         data: NDArray[Any],
         offset: Tuple[int, ...],

tiled/authn_database/core.py

@@ -13,6 +13,7 @@
 
 # This is list of all valid alembic revisions (from current to oldest).
 ALL_REVISIONS = [
+    "27e069ba3bf5",
     "a806cc635ab2",
     "0c705a02954c",
     "d88e91ea03f9",
@@ -38,6 +39,8 @@ async def create_default_roles(db):
                 "create",
                 "write:metadata",
                 "write:data",
+                "delete:revision",
+                "delete:node",
                 "apikeys",
             ],
         ),
@@ -51,6 +54,8 @@ async def create_default_roles(db):
                 "register",
                 "write:metadata",
                 "write:data",
+                "delete:revision",
+                "delete:node",
                 "admin:apikeys",
                 "read:principals",
                 "write:principals",