From 521e7c3bef8be31692559e6eac70ff36691ed92c Mon Sep 17 00:00:00 2001
From: konrad
Date: Thu, 6 Sep 2018 08:42:18 +0200
Subject: [PATCH] List rights are now respected

---
 REST-Tests/auth.http | 13 +++++++++++++
 REST-Tests/lists.http | 10 +++++-----
 REST-Tests/namespaces.http | 12 +++++++++---
 models/list.go | 4 ++++
 models/list_rights.go | 35 +++++++++++++++++++++++++----------
 5 files changed, 56 insertions(+), 18 deletions(-)

diff --git a/REST-Tests/auth.http b/REST-Tests/auth.http
index e87a9753a4..bb2424d62c 100644
--- a/REST-Tests/auth.http
+++ b/REST-Tests/auth.http
@@ -10,3 +10,16 @@ Content-Type: application/json
 > {% client.global.set("auth_token", response.body.token); %}
 
 ###
+
+## Register
+
+POST http://localhost:8080/api/v1/register
+Content-Type: application/json
+
+{
+    "username": "user3",
+    "password": "1234",
+    "email": "3@knt.li"
+}
+
+###
diff --git a/REST-Tests/lists.http b/REST-Tests/lists.http
index 399127dcda..89d3aab6ba 100644
--- a/REST-Tests/lists.http
+++ b/REST-Tests/lists.http
@@ -26,7 +26,7 @@ Authorization: Bearer {{auth_token}}
 ###
 
 # Get all teams who have access to that list
-GET http://localhost:8080/api/v1/lists/10/teams
+GET http://localhost:8080/api/v1/lists/28/teams
 Authorization: Bearer {{auth_token}}
 
 ###
@@ -53,22 +53,22 @@ Authorization: Bearer {{auth_token}}
 ###
 
 # Get all users who have access to that list
-GET http://localhost:8080/api/v1/lists/10/users
+GET http://localhost:8080/api/v1/lists/28/users
 Authorization: Bearer {{auth_token}}
 
 ###
 
 # Give a user access to that list
-PUT http://localhost:8080/api/v1/lists/1/users
+PUT http://localhost:8080/api/v1/lists/28/users
 Authorization: Bearer {{auth_token}}
 Content-Type: application/json
 
-{"user_id":2, "right": 5}
+{"user_id":3, "right":1}
 
 ###
 
 # Delete a user from a list
-DELETE http://localhost:8080/api/v1/lists/10/users/2
+DELETE http://localhost:8080/api/v1/lists/28/users/3
 Authorization: Bearer {{auth_token}}
 
 ###
\ No newline at end of file
diff --git a/REST-Tests/namespaces.http b/REST-Tests/namespaces.http
index 169239d2a2..fb2b19cc91 100644
--- a/REST-Tests/namespaces.http
+++ b/REST-Tests/namespaces.http
@@ -4,18 +4,24 @@ Authorization: Bearer {{auth_token}}
 
 ###
 
+# Get one namespaces
+GET http://localhost:8080/api/v1/namespaces/12
+Authorization: Bearer {{auth_token}}
+
+###
+
 # Get all users who have access to that namespace
-GET http://localhost:8080/api/v1/namespaces/1/users
+GET http://localhost:8080/api/v1/namespaces/12/users
 Authorization: Bearer {{auth_token}}
 
 ###
 
 # Give a user access to that namespace
-PUT http://localhost:8080/api/v1/namespaces/1/users
+PUT http://localhost:8080/api/v1/namespaces/12/users
 Authorization: Bearer {{auth_token}}
 Content-Type: application/json
 
-{"user_id":2, "right": 0}
+{"user_id":3, "right": 0}
 
 ###
 
diff --git a/models/list.go b/models/list.go
index a6c7db905b..2e42164094 100644
--- a/models/list.go
+++ b/models/list.go
@@ -66,9 +66,13 @@ func (l *List) ReadAll(user *User) (interface{}, error) {
 		Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id").
 		Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
 		Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
+		Join("LEFT", []string{"users_list", "ul"}, "ul.list_id = l.id").
+		Join("LEFT", []string{"users_namespace", "un"}, "un.namespace_id = l.namespace_id").
 		Where("tm.user_id = ?", fullUser.ID).
 		Or("tm2.user_id = ?", fullUser.ID).
 		Or("l.owner_id = ?", fullUser.ID).
+		Or("ul.user_id = ?", fullUser.ID).
+		Or("un.user_id = ?", fullUser.ID).
 		GroupBy("l.id").
 		Find(&lists)
 
diff --git a/models/list_rights.go b/models/list_rights.go
index a4a27a3c76..94cf5a1d55 100644
--- a/models/list_rights.go
+++ b/models/list_rights.go
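Review bot: The new `Or("un.user_id = ?", fullUser.ID)` branch in ReadAll makes every list in a namespace visible to any user with a users_namespace row, but the per-list checks this same patch adds in list_rights.go join users_namespace without ever referencing `un` in their WHERE clause, so a user granted at namespace level will see the list in ReadAll and then fail CanRead/CanWrite/IsAdmin unless a check outside these hunks covers that case. Either leave the `un` join out of ReadAll until the right checks honour namespace grants, or make checkListUserRight evaluate `un.user_id`/`un.right` alongside `ul`. None of the new OR branches look at the right column, which is fine for listing but deserves a comment, e.g. `// any users_list or users_namespace row grants visibility, whatever its right level`. ReadAll starts and ends outside the hunk.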
@@ -8,21 +8,22 @@ func (l *List) IsAdmin(user *User) bool {
 	}
 
 	// Check individual rights
+	if l.checkListUserRight(user, UserRightAdmin) {
+		return true
+	}
 	return l.checkListTeamRight(user, TeamRightAdmin)
 }
 
 // CanWrite return whether the user can write on that list or not
 func (l *List) CanWrite(user *User) bool {
-	// Owners always have write access
-	if l.Owner.ID == user.ID {
+	// Admins always have write access
+	if l.IsAdmin(user) {
 		return true
 	}
 
 	// Check individual rights
-
-	// Admins always have write access
-	if l.IsAdmin(user) {
+	if l.checkListUserRight(user, UserRightWrite) {
 		return true
 	}
 
@@ -31,15 +32,13 @@ func (l *List) CanWrite(user *User) bool {
 
 // CanRead checks if a user has read access to a list
 func (l *List) CanRead(user *User) bool {
-	// Owners always have read access
-	if l.Owner.ID == user.ID {
+	// Admins always have read access
+	if l.IsAdmin(user) {
 		return true
 	}
 
 	// Check individual rights
-
-	// Admins always have read access
-	if l.IsAdmin(user) {
+	if l.checkListUserRight(user, UserRightRead) {
 		return true
 	}
 
@@ -82,3 +81,19 @@ func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
 
 	return exists
 }
+
+func (l *List) checkListUserRight(user *User, r UserRight) bool {
+	exists, err := x.Select("l.*").
+		Table("list").
+		Alias("l").
+		Join("LEFT", []string{"users_namespace", "un"}, "un.namespace_id = l.namespace_id").
+		Join("LEFT", []string{"users_list", "ul"}, "ul.list_id = l.id").
+		Where("(ul.user_id = ? AND ul.right = ?) AND l.id = ?",
+			user.ID, r, l.ID).
+		Get(&List{})
+	if err != nil {
+		return false
+	}
+
+	return exists
+}
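Review bot: CanWrite (this hunk) and CanRead (the next one) now call IsAdmin first, and IsAdmin itself runs checkListUserRight and then checkListTeamRight, so a non-admin caller pays up to four database round trips for one permission check; that is acceptable for now but worth a comment, or a single query that accepts several right levels at once. The `// Check individual rights` comment in IsAdmin now sits above both the user-right and the team-right lookup; `// Check individual user rights, then team rights` would keep it accurate. The owner check that CanWrite and CanRead now rely on is the one at the top of IsAdmin, which lies outside the hunk, so this reads as correct only if that branch is unchanged.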
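Review bot: `ul.right = ?` in the new checkListUserRight matches one right level exactly, so with CanRead passing UserRightRead and CanWrite passing UserRightWrite (earlier hunks of this file), a user holding only the write right is denied read unless a team right or IsAdmin rescues them; if the UserRight constants are ordered (they are not on the page), the comparison should be `ul.right >= ?`. The `users_namespace` join is never referenced in the WHERE clause, so it only multiplies rows before `Get`; either use it (`OR (un.user_id = ? AND un.right = ?)` with the same parameters) or drop it. The `err != nil` branch fails closed, which is the right default for an authorization check, but the error is discarded, so a broken database connection becomes indistinguishable from a denial; logging it before returning false would help operators. The method also lacks a doc comment: `// checkListUserRight reports whether user holds right r directly on this list via users_list.`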