JonasFranz
/
api
forked from vikunja/vikunja
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

List rights are now respected

This commit is contained in:
konrad 2018-09-06 08:42:18 +02:00 committed by kolaente
parent 92174aac08
commit 521e7c3bef
Signed by untrusted user: konrad
GPG Key ID: F40E70337AB24C9B
5 changed files with 56 additions and 18 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
REST-Tests/auth.http
View File

@ -10,3 +10,16 @@ Content-Type: application/json
> {% client.global.set("auth_token", response.body.token); %} > {% client.global.set("auth_token", response.body.token); %}
### ###
## Register
POST http://localhost:8080/api/v1/register
Content-Type: application/json
{
"username": "user3",
"password": "1234",
"email": "3@knt.li"
}
###

10
REST-Tests/lists.http
View File

@ -26,7 +26,7 @@ Authorization: Bearer {{auth_token}}
### ###
# Get all teams who have access to that list # Get all teams who have access to that list
GET http://localhost:8080/api/v1/lists/10/teams GET http://localhost:8080/api/v1/lists/28/teams
Authorization: Bearer {{auth_token}} Authorization: Bearer {{auth_token}}
### ###
@ -53,22 +53,22 @@ Authorization: Bearer {{auth_token}}
### ###
# Get all users who have access to that list # Get all users who have access to that list
GET http://localhost:8080/api/v1/lists/10/users GET http://localhost:8080/api/v1/lists/28/users
Authorization: Bearer {{auth_token}} Authorization: Bearer {{auth_token}}
### ###
# Give a user access to that list # Give a user access to that list
PUT http://localhost:8080/api/v1/lists/1/users PUT http://localhost:8080/api/v1/lists/28/users
Authorization: Bearer {{auth_token}} Authorization: Bearer {{auth_token}}
Content-Type: application/json Content-Type: application/json
{"user_id":2, "right": 5} {"user_id":3, "right":1}
### ###
# Delete a user from a list # Delete a user from a list
DELETE http://localhost:8080/api/v1/lists/10/users/2 DELETE http://localhost:8080/api/v1/lists/28/users/3
Authorization: Bearer {{auth_token}} Authorization: Bearer {{auth_token}}
### ###

12
REST-Tests/namespaces.http
View File

@ -4,18 +4,24 @@ Authorization: Bearer {{auth_token}}
### ###
# Get one namespaces
GET http://localhost:8080/api/v1/namespaces/12
Authorization: Bearer {{auth_token}}
###
# Get all users who have access to that namespace # Get all users who have access to that namespace
GET http://localhost:8080/api/v1/namespaces/1/users GET http://localhost:8080/api/v1/namespaces/12/users
Authorization: Bearer {{auth_token}} Authorization: Bearer {{auth_token}}
### ###
# Give a user access to that namespace # Give a user access to that namespace
PUT http://localhost:8080/api/v1/namespaces/1/users PUT http://localhost:8080/api/v1/namespaces/12/users
Authorization: Bearer {{auth_token}} Authorization: Bearer {{auth_token}}
Content-Type: application/json Content-Type: application/json
{"user_id":2, "right": 0} {"user_id":3, "right": 0}
### ###

4
models/list.go
View File

@ -66,9 +66,13 @@ func (l *List) ReadAll(user *User) (interface{}, error) {
Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id"). Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id").
Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id"). Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id"). Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
Join("LEFT", []string{"users_list", "ul"}, "ul.list_id = l.id").
Join("LEFT", []string{"users_namespace", "un"}, "un.namespace_id = l.namespace_id").
Where("tm.user_id = ?", fullUser.ID). Where("tm.user_id = ?", fullUser.ID).
Or("tm2.user_id = ?", fullUser.ID). Or("tm2.user_id = ?", fullUser.ID).
Or("l.owner_id = ?", fullUser.ID). Or("l.owner_id = ?", fullUser.ID).
Or("ul.user_id = ?", fullUser.ID).
Or("un.user_id = ?", fullUser.ID).
GroupBy("l.id"). GroupBy("l.id").
Find(&lists) Find(&lists)

35
models/list_rights.go
View File

@ -8,21 +8,22 @@ func (l *List) IsAdmin(user *User) bool {
} }
// Check individual rights // Check individual rights
if l.checkListUserRight(user, UserRightAdmin) {
return true
}
return l.checkListTeamRight(user, TeamRightAdmin) return l.checkListTeamRight(user, TeamRightAdmin)
} }
// CanWrite return whether the user can write on that list or not // CanWrite return whether the user can write on that list or not
func (l *List) CanWrite(user *User) bool { func (l *List) CanWrite(user *User) bool {
// Owners always have write access // Admins always have write access
if l.Owner.ID == user.ID { if l.IsAdmin(user) {
return true return true
} }
// Check individual rights // Check individual rights
if l.checkListUserRight(user, UserRightWrite) {
// Admins always have write access
if l.IsAdmin(user) {
return true return true
} }
@ -31,15 +32,13 @@ func (l *List) CanWrite(user *User) bool {
// CanRead checks if a user has read access to a list // CanRead checks if a user has read access to a list
func (l *List) CanRead(user *User) bool { func (l *List) CanRead(user *User) bool {
// Owners always have read access // Admins always have read access
if l.Owner.ID == user.ID { if l.IsAdmin(user) {
return true return true
} }
// Check individual rights // Check individual rights
if l.checkListUserRight(user, UserRightRead) {
// Admins always have read access
if l.IsAdmin(user) {
return true return true
} }
@ -82,3 +81,19 @@ func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
return exists return exists
} }
func (l *List) checkListUserRight(user *User, r UserRight) bool {
exists, err := x.Select("l.*").
Table("list").
Alias("l").
Join("LEFT", []string{"users_namespace", "un"}, "un.namespace_id = l.namespace_id").
Join("LEFT", []string{"users_list", "ul"}, "ul.list_id = l.id").
Where("(ul.user_id = ? AND ul.right = ?) AND l.id = ?",
user.ID, r, l.ID).
Get(&List{})
if err != nil {
return false
}
return exists
}