// Vikunja is a to-do list application to facilitate your life. // Copyright 2018-2021 Vikunja and contributors. All rights reserved. // // This program is free software: you can redistribute it and/or modify // it under the terms of the GNU Affero General Public Licensee as published by // the Free Software Foundation, either version 3 of the License, or // (at your option) any later version. // // This program is distributed in the hope that it will be useful, // but WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the // GNU Affero General Public Licensee for more details. // // You should have received a copy of the GNU Affero General Public Licensee // along with this program. If not, see . package models import ( "time" "code.vikunja.io/api/pkg/db" "code.vikunja.io/api/pkg/events" "code.vikunja.io/api/pkg/user" "code.vikunja.io/web" "xorm.io/xorm" ) // ProjectUser represents a project <-> user relation type ProjectUser struct { // The unique, numeric id of this project <-> user relation. ID int64 `xorm:"bigint autoincr not null unique pk" json:"id" param:"namespace"` // The username. Username string `xorm:"-" json:"user_id" param:"user"` // Used internally to reference the user UserID int64 `xorm:"bigint not null INDEX" json:"-"` // The project id. ProjectID int64 `xorm:"bigint not null INDEX" json:"-" param:"project"` // The right this user has. 0 = Read only, 1 = Read & Write, 2 = Admin. See the docs for more details. Right Right `xorm:"bigint INDEX not null default 0" json:"right" valid:"length(0|2)" maximum:"2" default:"0"` // A timestamp when this relation was created. You cannot change this value. Created time.Time `xorm:"created not null" json:"created"` // A timestamp when this relation was last updated. You cannot change this value. Updated time.Time `xorm:"updated not null" json:"updated"` web.CRUDable `xorm:"-" json:"-"` web.Rights `xorm:"-" json:"-"` } // TableName is the table name for ProjectUser func (ProjectUser) TableName() string { return "users_projects" } // UserWithRight represents a user in combination with the right it can have on a project/namespace type UserWithRight struct { user.User `xorm:"extends"` Right Right `json:"right"` } // Create creates a new project <-> user relation // @Summary Add a user to a project // @Description Gives a user access to a project. // @tags sharing // @Accept json // @Produce json // @Security JWTKeyAuth // @Param id path int true "Project ID" // @Param project body models.ProjectUser true "The user you want to add to the project." // @Success 201 {object} models.ProjectUser "The created user<->project relation." // @Failure 400 {object} web.HTTPError "Invalid user project object provided." // @Failure 404 {object} web.HTTPError "The user does not exist." // @Failure 403 {object} web.HTTPError "The user does not have access to the project" // @Failure 500 {object} models.Message "Internal error" // @Router /projects/{id}/users [put] func (lu *ProjectUser) Create(s *xorm.Session, a web.Auth) (err error) { // Check if the right is valid if err := lu.Right.isValid(); err != nil { return err } // Check if the project exists l, err := GetProjectSimpleByID(s, lu.ProjectID) if err != nil { return } // Check if the user exists u, err := user.GetUserByUsername(s, lu.Username) if err != nil { return err } lu.UserID = u.ID // Check if the user already has access or is owner of that project // We explicitly DONT check for teams here if l.OwnerID == lu.UserID { return ErrUserAlreadyHasAccess{UserID: lu.UserID, ProjectID: lu.ProjectID} } exist, err := s.Where("project_id = ? AND user_id = ?", lu.ProjectID, lu.UserID).Get(&ProjectUser{}) if err != nil { return } if exist { return ErrUserAlreadyHasAccess{UserID: lu.UserID, ProjectID: lu.ProjectID} } // Insert user <-> project relation _, err = s.Insert(lu) if err != nil { return err } err = events.Dispatch(&ProjectSharedWithUserEvent{ Project: l, User: u, Doer: a, }) if err != nil { return err } err = updateProjectLastUpdated(s, l) return } // Delete deletes a project <-> user relation // @Summary Delete a user from a project // @Description Delets a user from a project. The user won't have access to the project anymore. // @tags sharing // @Produce json // @Security JWTKeyAuth // @Param projectID path int true "Project ID" // @Param userID path int true "User ID" // @Success 200 {object} models.Message "The user was successfully removed from the project." // @Failure 403 {object} web.HTTPError "The user does not have access to the project" // @Failure 404 {object} web.HTTPError "user or project does not exist." // @Failure 500 {object} models.Message "Internal error" // @Router /projects/{projectID}/users/{userID} [delete] func (lu *ProjectUser) Delete(s *xorm.Session, a web.Auth) (err error) { // Check if the user exists u, err := user.GetUserByUsername(s, lu.Username) if err != nil { return } lu.UserID = u.ID // Check if the user has access to the project has, err := s. Where("user_id = ? AND project_id = ?", lu.UserID, lu.ProjectID). Get(&ProjectUser{}) if err != nil { return } if !has { return ErrUserDoesNotHaveAccessToProject{ProjectID: lu.ProjectID, UserID: lu.UserID} } _, err = s. Where("user_id = ? AND project_id = ?", lu.UserID, lu.ProjectID). Delete(&ProjectUser{}) if err != nil { return err } err = updateProjectLastUpdated(s, &Project{ID: lu.ProjectID}) return } // ReadAll gets all users who have access to a project // @Summary Get users on a project // @Description Returns a project with all users which have access on a given project. // @tags sharing // @Accept json // @Produce json // @Param id path int true "Project ID" // @Param page query int false "The page number. Used for pagination. If not provided, the first page of results is returned." // @Param per_page query int false "The maximum number of items per page. Note this parameter is limited by the configured maximum of items per page." // @Param s query string false "Search users by its name." // @Security JWTKeyAuth // @Success 200 {array} models.UserWithRight "The users with the right they have." // @Failure 403 {object} web.HTTPError "No right to see the project." // @Failure 500 {object} models.Message "Internal error" // @Router /projects/{id}/users [get] func (lu *ProjectUser) ReadAll(s *xorm.Session, a web.Auth, search string, page int, perPage int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) { // Check if the user has access to the project l := &Project{ID: lu.ProjectID} canRead, _, err := l.CanRead(s, a) if err != nil { return nil, 0, 0, err } if !canRead { return nil, 0, 0, ErrNeedToHaveProjectReadAccess{UserID: a.GetID(), ProjectID: lu.ProjectID} } limit, start := getLimitFromPageIndex(page, perPage) // Get all users all := []*UserWithRight{} query := s. Join("INNER", "users_projects", "user_id = users.id"). Where("users_projects.project_id = ?", lu.ProjectID). Where(db.ILIKE("users.username", search)) if limit > 0 { query = query.Limit(limit, start) } err = query.Find(&all) if err != nil { return nil, 0, 0, err } // Obfuscate all user emails for _, u := range all { u.Email = "" } numberOfTotalItems, err = s. Join("INNER", "users_projects", "user_id = users.id"). Where("users_projects.project_id = ?", lu.ProjectID). Where("users.username LIKE ?", "%"+search+"%"). Count(&UserWithRight{}) return all, len(all), numberOfTotalItems, err } // Update updates a user <-> project relation // @Summary Update a user <-> project relation // @Description Update a user <-> project relation. Mostly used to update the right that user has. // @tags sharing // @Accept json // @Produce json // @Param projectID path int true "Project ID" // @Param userID path int true "User ID" // @Param project body models.ProjectUser true "The user you want to update." // @Security JWTKeyAuth // @Success 200 {object} models.ProjectUser "The updated user <-> project relation." // @Failure 403 {object} web.HTTPError "The user does not have admin-access to the project" // @Failure 404 {object} web.HTTPError "User or project does not exist." // @Failure 500 {object} models.Message "Internal error" // @Router /projects/{projectID}/users/{userID} [post] func (lu *ProjectUser) Update(s *xorm.Session, a web.Auth) (err error) { // Check if the right is valid if err := lu.Right.isValid(); err != nil { return err } // Check if the user exists u, err := user.GetUserByUsername(s, lu.Username) if err != nil { return err } lu.UserID = u.ID _, err = s. Where("project_id = ? AND user_id = ?", lu.ProjectID, lu.UserID). Cols("right"). Update(lu) if err != nil { return err } err = updateProjectLastUpdated(s, &Project{ID: lu.ProjectID}) return }