NRL-2099 Remove pointer type permissions

anjalitrace2-nhs · anjalitrace2-nhs · commit ebcfe02a86b0 · 2026-04-08T11:28:19.000+01:00
diff --git a/scripts/manage_permissions.py b/scripts/manage_permissions.py
@@ -273,11 +273,11 @@ def add_pointer_type_perms(
     supplier_type: SupplierType, app_id: str, org_ods=None, *pointer_types_to_add: str
 ) -> None:
     """
+    Add permissions for a given list of pointer types to an app or org.
+
+    Specify pointer_types = all to add a list of all (current) pointer types.
+
     TODO:
-    confirm before proceeding mode
-    formatting help for pointer types ?
-    validate not adding a duplicate type
-    add list of all pointer types vs adding access control
     highlight new additions in proposed pointer types list e.g. [NEW]
     don't create at app level if ODS level present & backwards too? - hmm maybe too fancy
     """
@@ -324,7 +324,9 @@ def add_pointer_type_perms(
         if new_pointer_type in current_pointer_types
     )
     if len(already_added_types):
-        print(f"Error: These pointer types are already assigned to {lookup_path}:")
+        print(
+            f"Error: Unable to add pointer types. These pointer types are already assigned to {lookup_path}:"
+        )
         _print_perm_with_lookup("", already_added_types, TYPE_ATTRIBUTES)
         print()
         return
@@ -363,6 +365,99 @@ def add_pointer_type_perms(
     show_perms(supplier_type, app_id, org_ods)
 
 
+def remove_pointer_type_perms(
+    supplier_type: SupplierType,
+    app_id: str,
+    org_ods=None,
+    *pointer_types_to_remove: str,
+) -> None:
+    """
+    Remove a list of pointer type permissions for a given app or org.
+    """
+    if supplier_type.lower() not in SupplierType.list() or not app_id:
+        print("Usage: remove pointer type permissions for a given organisation or app")
+        print("  remove_pointer_type_perms consumer <app_id> <org_ods> <pointer_types>")
+        print("  remove_pointer_type_perms producer <app_id> <org_ods> <pointer_types>")
+        print("  remove_pointer_type_perms consumer <app_id> <pointer_types>")
+        print("  remove_pointer_type_perms producer <app_id> <pointer_types>")
+        return
+
+    if not pointer_types_to_remove:
+        print(
+            "No pointer types provided. Please specify at least one pointer type or use clear_perms command."
+        )
+        return
+
+    if org_ods:
+        lookup_path = f"{supplier_type}/{app_id}/{org_ods}.json"
+    else:
+        lookup_path = f"{supplier_type}/{app_id}.json"
+
+    unknown_types = [pt for pt in pointer_types_to_remove if pt not in TYPE_ATTRIBUTES]
+    if unknown_types:
+        print(f"Error: Unknown pointer types provided: {', '.join(unknown_types)}")
+        print()
+        return
+
+    perms_ugly = _get_perms_from_s3(lookup_path)
+    if not perms_ugly:
+        return
+
+    current_perms = json.loads(perms_ugly)
+    current_pointer_types: list = current_perms.get("types", [])
+
+    # Cannot remove pointer types not already assigned
+    types_not_assigned = list(
+        type_to_remove
+        for type_to_remove in pointer_types_to_remove
+        if type_to_remove not in current_pointer_types
+    )
+    if len(types_not_assigned):
+        print(
+            f"Error: Unable to remove pointer types. These pointer types aren't assigned to {lookup_path}:"
+        )
+        _print_perm_with_lookup("", types_not_assigned, TYPE_ATTRIBUTES)
+        print()
+        return
+
+    proposed_pointer_types = [
+        current_pointer_type
+        for current_pointer_type in current_pointer_types
+        if current_pointer_type not in pointer_types_to_remove
+    ]
+    print()
+    _print_perm_with_lookup(
+        "proposed pointer types", proposed_pointer_types, TYPE_ATTRIBUTES
+    )
+
+    if COMPARE_AND_CONFIRM:
+        print()
+        confirm = (
+            input("Do you want to proceed with these changes? (yes/NO): ")
+            .strip()
+            .lower()
+        )
+        if confirm != "yes":
+            print("Operation cancelled at user request.")
+            return
+
+    current_perms["types"] = proposed_pointer_types
+
+    s3 = _get_s3_client()
+    s3.put_object(
+        Bucket=nrl_auth_bucket_name,
+        Key=lookup_path,
+        Body=json.dumps(current_perms, indent=4),
+        ContentType="application/json",
+    )
+
+    print()
+    print(f"Set permissions for {lookup_path}")
+
+    print()
+    show_perms(supplier_type, app_id, org_ods)
+
+
 def clear_perms(supplier_type: SupplierType, app_id: str, org_ods=None) -> None:
     """
     Clear permissions for an application or organization.
@@ -425,6 +520,7 @@ def clear_perms(supplier_type: SupplierType, app_id: str, org_ods=None) -> None:
             "list_available_access_controls": list_available_access_controls,
             "show_perms": show_perms,
             "add_pointer_type_to_perms": add_pointer_type_perms,
+            "remove_pointer_type_perms": remove_pointer_type_perms,
             "clear_perms": clear_perms,
             # "help": help,
         }
