edit

dsp_permissions_scripts/models/scope.py

@@ -1,19 +1,33 @@
-from pydantic import BaseModel
+from pydantic import BaseModel, model_validator
 
 from dsp_permissions_scripts.models.groups import BuiltinGroup
 
 
-class PermissionScope(BaseModel):
+class PermissionScope(BaseModel, validate_assignment=True):
     """
     A scope is an object encoding the information:
     "Which user group gets which permissions on a resource/value?"
     """
 
-    CR: set[str | BuiltinGroup] = set()
-    D: set[str | BuiltinGroup] = set()
-    M: set[str | BuiltinGroup] = set()
-    V: set[str | BuiltinGroup] = set()
-    RV: set[str | BuiltinGroup] = set()
+    CR: frozenset[str | BuiltinGroup] = frozenset()
+    D: frozenset[str | BuiltinGroup] = frozenset()
+    M: frozenset[str | BuiltinGroup] = frozenset()
+    V: frozenset[str | BuiltinGroup] = frozenset()
+    RV: frozenset[str | BuiltinGroup] = frozenset()
+
+    def __init__(self, **kwargs):
+        kwargs_frozenset = {frozenset(x) for x in kwargs}
+        super().__init__(**kwargs_frozenset)
+
+    @model_validator(mode="after")
+    def check_fields(self):
+        all_groups = []
+        for field in self.model_fields:
+            all_groups.extend(getattr(self, field))
+        for group in all_groups:
+            if all_groups.count(group) > 1:
+                raise ValueError(f"Group {group} must not occur in more than one field")
+        return self
 
 
 PUBLIC = PermissionScope(

dsp_permissions_scripts/template.py

@@ -22,7 +22,7 @@
 def modify_oaps(oaps: list[Oap]) -> list[Oap]:
     """Adapt this sample to your needs."""
     for oap in oaps:
-        oap.scope.CR.add(BuiltinGroup.SYSTEM_ADMIN)
+        oap.scope.CR = frozenset(oap.scope.CR | {BuiltinGroup.SYSTEM_ADMIN})
     return oaps
 
 

tests/test_scope.py

@@ -0,0 +1,35 @@
+import unittest
+
+from dsp_permissions_scripts.models.groups import BuiltinGroup
+from dsp_permissions_scripts.models.scope import PermissionScope
+
+
+class TestScope(unittest.TestCase):
+
+    def test_scope_validation_on_creation(self) -> None:
+        with self.assertRaisesRegex(ValueError, "must not occur in more than one field"):
+            PermissionScope(
+                CR={BuiltinGroup.PROJECT_ADMIN},
+                D={BuiltinGroup.PROJECT_ADMIN},
+                V={BuiltinGroup.UNKNOWN_USER, BuiltinGroup.KNOWN_USER},
+            )
+
+    def test_scope_validation_on_assignment(self) -> None:
+        scope = PermissionScope(
+            CR={BuiltinGroup.PROJECT_ADMIN},
+            V={BuiltinGroup.UNKNOWN_USER, BuiltinGroup.KNOWN_USER},
+        )
+        with self.assertRaisesRegex(ValueError, "must not occur in more than one field"):
+            scope.D = frozenset({BuiltinGroup.PROJECT_ADMIN})
+
+    # def test_scope_validation_on_update(self) -> None:
+    #     scope = PermissionScope(
+    #         CR={BuiltinGroup.PROJECT_ADMIN},
+    #         V={BuiltinGroup.UNKNOWN_USER, BuiltinGroup.KNOWN_USER},
+    #     )
+    #     with self.assertRaisesRegex(ValueError, "must not occur in more than one field"):
+    #         scope.D.add(BuiltinGroup.PROJECT_ADMIN)
+
+
+if __name__ == "__main__":
+    unittest.main()