aiondemand
diff --git a/‎.env
-1 b/‎.env
-1
diff --git a/‎data/keycloak/data/import/aiod-realm.json
+3-11 b/‎data/keycloak/data/import/aiod-realm.json
+3-11
diff --git a/‎data/keycloak/data/import/aiod-users-0.json
+1-1 b/‎data/keycloak/data/import/aiod-users-0.json
+1-1
diff --git a/‎docs/developer/authentication.md
+3-3 b/‎docs/developer/authentication.md
+3-3
diff --git a/‎docs/developer/users.md
+2 b/‎docs/developer/users.md
+2
diff --git a/‎docs/hosting/authentication.md
+10-1 b/‎docs/hosting/authentication.md
+10-1
diff --git a/‎src/authentication.py
+10-3 b/‎src/authentication.py
+10-3
diff --git a/‎src/config.default.toml
-1 b/‎src/config.default.toml
-1
diff --git a/‎src/main.py
+2-1 b/‎src/main.py
+2-1
diff --git a/‎src/routers/resource_router.py
+18-28 b/‎src/routers/resource_router.py
+18-28
diff --git a/‎src/routers/resource_routers/platform_router.py
+3-16 b/‎src/routers/resource_routers/platform_router.py
+3-16
@@ -28,7 +28,6 @@ AIBUILDER_API_TOKEN=""
 ES_USER=elastic
 ES_PASSWORD=changeme
 ES_DISCOVERY_TYPE=single-node
-ES_ROLE="edit_aiod_resources"
 ES_JAVA_OPTS="-Xmx256m -Xms256m"
 AIOD_ES_HTTP_PORT=9200
 AIOD_ES_TRANSPORT_PORT=9300
 
@@ -75,17 +75,9 @@
       "clientRole" : false,
       "containerId" : "3df7e07d-ebbd-41c4-bc0c-1ba0e1a40ac5",
       "attributes" : { }
-    }, {
-      "id" : "18c2dc78-1119-4432-970b-3187f49bfa58",
-      "name" : "edit_aiod_resources",
-      "description" : "",
-      "composite" : false,
-      "clientRole" : false,
-      "containerId" : "3df7e07d-ebbd-41c4-bc0c-1ba0e1a40ac5",
-      "attributes" : { }
     }, {
       "id" : "2acb73ad-574d-4b77-b5dc-0fa9fd2ec8d7",
-      "name" : "${REVIEWER_ROLE_NAME}",
+      "name" : "review_aiod_resources",
       "description" : "Can review submitted AIoD resources",
       "composite" : false,
       "clientRole" : false,
@@ -1232,7 +1224,7 @@
       "subType" : "authenticated",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "saml-role-list-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-full-name-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-full-name-mapper", "saml-user-attribute-mapper", "oidc-sha256-pairwise-sub-mapper", "oidc-address-mapper", "oidc-usermodel-property-mapper", "oidc-usermodel-attribute-mapper", "saml-role-list-mapper", "saml-user-property-mapper" ]
       }
     }, {
       "id" : "10f8b9b2-1038-4c98-b7a5-a9ac88fed69e",
@@ -1274,7 +1266,7 @@
       "subType" : "anonymous",
       "subComponents" : { },
       "config" : {
-        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-address-mapper", "oidc-usermodel-attribute-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper", "saml-role-list-mapper" ]
+        "allowed-protocol-mapper-types" : [ "oidc-usermodel-property-mapper", "saml-user-property-mapper", "saml-user-attribute-mapper", "oidc-usermodel-attribute-mapper", "oidc-address-mapper", "saml-role-list-mapper", "oidc-full-name-mapper", "oidc-sha256-pairwise-sub-mapper" ]
       }
     }, {
       "id" : "1d21f027-e0ae-4b80-b95e-f21d9426f115",
 
@@ -56,7 +56,7 @@
     } ],
     "disableableCredentialTypes" : [ ],
     "requiredActions" : [ ],
-    "realmRoles" : [ "default-roles-aiod", "edit_aiod_resources" ],
+    "realmRoles" : [ "default-roles-aiod"],
     "notBefore" : 0,
     "groups" : [ ]
   } ]
 
@@ -4,9 +4,9 @@ For authentication, we use a [keycloak](https://www.keycloak.org) service.
 For development, make sure to use the `USE_LOCAL_DEV=true` environment variable so that the local
 keycloak server is configured with default users:
 
-| User | Password | Role(s)                                                                    | Comment |
-|------|----------|----------------------------------------------------------------------------|---------|
-| user | password | edit_aiod_resources, default-roles-aiod, offline_access, uma_authorization |         |
+| User | Password | Role(s)                                               | Comment |
+|------|----------|-------------------------------------------------------|---------|
+| user | password | default-roles-aiod, offline_access, uma_authorization |         |
 
 For a description of the roles, see ["AIoD Keycloak Roles"](../hosting/authentication.md#roles).
 With the local development configuration, you will only be able to authenticate with keycloak users (OAuth2, password) not by other means.
 
@@ -4,6 +4,8 @@ The user model in AIoD allows users to maintain and share ownership over assets,
 and to allow a review process for new assets.
 The components of this user model are defined in [src/database/authorization.py](https://github.com/aiondemand/AIOD-rest-api/blob/develop/src/database/authorization.py)
 and [src/database/review.py](https://github.com/aiondemand/AIOD-rest-api/blob/develop/src/database/review.py).
+Note that for special users (e.g., administrators), this user model may be circumvented through
+special Keycloak roles (for more information, see ["Roles"](../hosting/authentication.md)).
 
 [//]: # (Add a diagram overview once the model is more final, e.g., groups are added)
 
 
@@ -38,7 +38,16 @@ Create both a private and a public client in the external provider (this step is
 ## Roles
 
 Roles identify a type or category of user and determine their access and permissions within applications.
-Currently, only the ` edit_aiod_resources` role is defined, granting users the ability to upload and edit resources.
+Roles are generally only necessary for special cases.
+The normal flow for granting individual users permissions for individual assets is detailed in the ["user model"](../developer/users.md) documentation.
+These are the roles the metadata catalogue uses (`*` in a role indicates its defined for each asset type individually):
+
+ * `review_aiod_resources`: identifies the user as having permission to view asset submissions and review them.
+ * `read_*`: allows the user read access to all assets on the platform, regardless of the asset-specific permissions.
+ * `update_*`: allows the user update permission for all assets on the platform, regardless of the asset-specific permissions.
+ * `delete_*`: allows the user delete permission for all assets on the platform, regardless of the asset-specific permissions.
+ * `create_platforms`: allows the user to define new platforms.
+
 Note that roles may be used for services other than the metadata catalogue.
 New roles can be created from the admin console, see ["Creating a realm role"](https://www.keycloak.org/docs/latest/server_admin/index.html#proc-creating-realm-roles_server_administration_guide).
 
 
@@ -35,15 +35,23 @@
 oidc = OpenIdConnect(openIdConnectUrl=KEYCLOAK_CONFIG.get("openid_connect_url"), auto_error=False)
 
 
+REVIEWER_ROLE = os.getenv("REVIEWER_ROLE_NAME")
 client_secret = os.getenv("KEYCLOAK_CLIENT_SECRET")
+
 keycloak_openid = KeycloakOpenID(
     server_url=KEYCLOAK_CONFIG.get("server_url"),
     client_id=KEYCLOAK_CONFIG.get("client_id"),
     client_secret_key=client_secret,
     realm_name=KEYCLOAK_CONFIG.get("realm"),
     verify=True,
 )
-_REVIEWER_ROLE = os.getenv("REVIEWER_ROLE_NAME")
+
+
+def assert_required_settings_configured() -> None:
+    # These variables are required for the API to function, so we provide context beyond KeyError.
+    # Should be managed together with other settings in the future (#67)
+    assert REVIEWER_ROLE, "Environment variable 'REVIEWER_ROLE_NAME' not set."  # noqa: S101
+    assert client_secret, "Environment variable 'KEYCLOAK_CLIENT_SECRET' not set."  # noqa: S101
 
 
 @dataclasses.dataclass
@@ -60,8 +68,7 @@ def has_any_role(self, *roles: str) -> bool:
 
     @property
     def is_reviewer(self):
-        assert _REVIEWER_ROLE is not None, "Must configure role `reviewer` in config.toml file."  # noqa: S101
-        return _REVIEWER_ROLE in self.roles
+        return REVIEWER_ROLE in self.roles
 
 
 async def _get_user(token) -> KeycloakUser:
 
@@ -23,4 +23,3 @@ client_id = "aiod-api"  # a private client, used by the backend
 client_id_swagger = "aiod-api-swagger"  # a public client, used by the Swagger Frontend
 openid_connect_url = "http://localhost/aiod-auth/realms/aiod/.well-known/openid-configuration"
 scopes = "openid profile roles"
-role = "edit_aiod_resources"
@@ -14,7 +14,7 @@
 from fastapi.responses import HTMLResponse
 from sqlmodel import select, SQLModel
 
-from authentication import get_user_or_raise, KeycloakUser
+from authentication import get_user_or_raise, KeycloakUser, assert_required_settings_configured
 from config import KEYCLOAK_CONFIG
 from database.deletion.triggers import create_delete_triggers
 import database.authorization  # noqa  # Trigger registration of User, Permission -> likely obsolete when couple with aiod_entry is done
@@ -110,6 +110,7 @@ def create_app() -> FastAPI:
     """Create the FastAPI application, complete with routes."""
     setup_logger()
     args = _parse_args()
+    assert_required_settings_configured()
     if args.build_db == "never":
         if not database_exists():
             logging.warning(
 
@@ -20,6 +20,7 @@
     set_permission,
     register_user,
     PermissionType,
+    user_can_write,
 )
 from database.model.ai_resource.resource import AIResource
 from database.model.concept.aiod_entry import AIoDEntryORM, EntryStatus
@@ -404,15 +405,6 @@ def register_resource(
             resource_create: clz_create,  # type: ignore
             user: KeycloakUser = Depends(get_user_or_raise),
         ):
-            if not user.has_any_role(
-                KEYCLOAK_CONFIG.get("role"),
-                f"create_{self.resource_name_plural}",
-                f"crud_{self.resource_name_plural}",
-            ):
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail=f"You do not have permission to create {self.resource_name_plural}.",
-                )
             try:
                 with DbSession() as session:
                     try:
@@ -453,19 +445,18 @@ def put_resource(
             resource_create_instance: clz_create,  # type: ignore
             user: KeycloakUser = Depends(get_user_or_raise),
         ):
-            if not user.has_any_role(
-                KEYCLOAK_CONFIG.get("role"),
-                f"update_{self.resource_name_plural}",
-                f"crud_{self.resource_name_plural}",
-            ):
-                raise HTTPException(
-                    status_code=status.HTTP_403_FORBIDDEN,
-                    detail=f"You do not have permission to edit {self.resource_name_plural}.",
-                )
-
             with DbSession() as session:
                 try:
                     resource: Any = self._retrieve_resource(session, identifier)
+                    if not (
+                        user_can_write(user, resource.aiod_entry)
+                        or user.has_role(f"update_{self.resource_name_plural}")
+                    ):
+                        raise HTTPException(
+                            status_code=status.HTTP_403_FORBIDDEN,
+                            detail=f"You do not have permission to edit {self.resource_name_plural}.",
+                        )
+
                     if resource.aiod_entry.status == EntryStatus.SUBMITTED:
                         raise HTTPException(
                             status_code=status.HTTP_403_FORBIDDEN,
@@ -503,18 +494,17 @@ def delete_resource(
             user: KeycloakUser = Depends(get_user_or_raise),
         ):
             with DbSession() as session:
-                if not user.has_any_role(
-                    KEYCLOAK_CONFIG.get("role"),
-                    f"delete_{self.resource_name_plural}",
-                    f"crud_{self.resource_name_plural}",
-                ):
-                    raise HTTPException(
-                        status_code=status.HTTP_403_FORBIDDEN,
-                        detail=f"You do not have permission to delete {self.resource_name_plural}.",
-                    )
                 try:
                     # Raise error if it does not exist
                     resource: Any = self._retrieve_resource(session, identifier)
+                    if not (
+                        user_can_administer(user, resource.aiod_entry)
+                        or user.has_role(f"delete_{self.resource_name_plural}")
+                    ):
+                        raise HTTPException(
+                            status_code=status.HTTP_403_FORBIDDEN,
+                            detail=f"You do not have permission to delete {self.resource_name_plural}.",
+                        )
                     if (
                         hasattr(self.resource_class, "__deletion_config__")
                         and not self.resource_class.__deletion_config__["soft_delete"]
 
@@ -5,7 +5,6 @@
 from sqlmodel import SQLModel, Session, select
 
 from authentication import KeycloakUser, get_user_or_raise
-from config import KEYCLOAK_CONFIG
 from database.model.platform.platform import Platform
 from database.model.resource_read_and_create import resource_create, resource_read
 from database.model.serializers import deserialize_resource_relationships
@@ -178,11 +177,7 @@ def register_resource(
             resource_create: clz_create,  # type: ignore
             user: KeycloakUser = Depends(get_user_or_raise),
         ):
-            if not user.has_any_role(
-                KEYCLOAK_CONFIG.get("role"),
-                f"create_{self.resource_name_plural}",
-                f"crud_{self.resource_name_plural}",
-            ):
+            if not user.has_role("create_platforms"):
                 raise HTTPException(
                     status_code=status.HTTP_403_FORBIDDEN,
                     detail=f"You do not have permission to create {self.resource_name_plural}.",
@@ -222,11 +217,7 @@ def put_resource(
             resource_create_instance: clz_create,  # type: ignore
             user: KeycloakUser = Depends(get_user_or_raise),
         ):
-            if not user.has_any_role(
-                KEYCLOAK_CONFIG.get("role"),
-                f"update_{self.resource_name_plural}",
-                f"crud_{self.resource_name_plural}",
-            ):
+            if not user.has_role("update_platforms"):
                 raise HTTPException(
                     status_code=status.HTTP_403_FORBIDDEN,
                     detail=f"You do not have permission to edit {self.resource_name_plural}.",
@@ -265,11 +256,7 @@ def delete_resource(
             user: KeycloakUser = Depends(get_user_or_raise),
         ):
             with DbSession() as session:
-                if not user.has_any_role(
-                    KEYCLOAK_CONFIG.get("role"),
-                    f"delete_{self.resource_name_plural}",
-                    f"crud_{self.resource_name_plural}",
-                ):
+                if not user.has_role("delete_platforms"):
                     raise HTTPException(
                         status_code=status.HTTP_403_FORBIDDEN,
                         detail=f"You do not have permission to delete {self.resource_name_plural}.",