From f36eeb662a281037ad760d70330355fd421b5ede Mon Sep 17 00:00:00 2001
From: kolaente
Date: Wed, 25 Jul 2018 00:40:24 +0200
Subject: [PATCH] Implemented proper check for team rights on lists

---
 Featurecreep.md | 4 +--
 models/list.go | 1 +
 models/list_rights.go | 64 ++++++++++++++-----------------------------
 3 files changed, 24 insertions(+), 45 deletions(-)

diff --git a/Featurecreep.md b/Featurecreep.md
index 5f02e5670a..5876c20f9f 100644
--- a/Featurecreep.md
+++ b/Featurecreep.md
@@ -120,9 +120,9 @@ Teams sind global, d.h. Ein Team kann mehrere Namespaces verwalten.
 
 #### v0.2
 
-* [ ] Listen teilbar
+* [x] Listen teilbar
 * [ ] Mit anderen Nutzern
- * [ ] Teams
+ * [x] Teams
 * [ ] Mit Link
 * [ ] Offen
 * [ ] Passwortgeschützt
diff --git a/models/list.go b/models/list.go
index 022925eef3..b2752d144f 100644
--- a/models/list.go
+++ b/models/list.go
@@ -69,6 +69,7 @@ func (l *List) ReadAll(user *User) (interface{}, error) {
 Where("tm.user_id = ?", fullUser.ID).
 Or("tm2.user_id = ?", fullUser.ID).
 Or("l.owner_id = ?", fullUser.ID).
+ GroupBy("l.id").
 Find(&lists)
 
 return lists, err
diff --git a/models/list_rights.go b/models/list_rights.go
index d61b995b4e..c58eacbbd4 100644
--- a/models/list_rights.go
+++ b/models/list_rights.go
@@ -7,17 +7,7 @@ func (l *List) IsAdmin(user *User) bool {
 return true
 }
 
- // Check Team rights
- // aka "is the user in a team which has admin rights?"
- // TODO
-
- // Check Namespace rights
- // TODO
-
- // Check individual rights
- // TODO
-
- return false
+ return l.checkListTeamRight(user, TeamRightAdmin)
 }
 
 // CanWrite return whether the user can write on that list or not
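Review bot: `GroupBy("l.id")` is being used to collapse the duplicate rows the LEFT JOINs on tm/tm2 produce, but a GROUP BY without aggregates is only accepted when every selected column is functionally dependent on l.id; the Select is outside this hunk, so I can't confirm which columns come back, and on MySQL with ONLY_FULL_GROUP_BY (or if any tm/tm2 column is selected) the query will fail at runtime rather than dedupe. `Distinct("l.*")` states the intent (deduplication, not aggregation) and is portable across the backends xorm supports. ReadAll starts before this hunk.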
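Review bot: The `// Check individual rights` placeholder is removed together with the other TODO comments, but the new helper only resolves team rights (via team_namespaces and team_list), so per-user sharing is now silently unimplemented instead of visibly marked; the CanWrite and CanRead hunks below drop the same reminder. I'd keep a one-line note above the return, e.g. `// TODO: individual (per-user) list rights are not checked yet`, so the gap stays visible in an authorization function. IsAdmin's owner check at the top of the function is outside this hunk.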
@@ -32,17 +22,7 @@ func (l *List) CanWrite(user *User) bool {
 return true
 }
 
- // Check Namespace rights
- // TODO
- // TODO find a way to prioritize: what happens if a user has namespace write access but is not in that list?
-
- // Check Team rights
- // TODO
-
- // Check individual rights
- // TODO
-
- return false
+ return l.checkListTeamRight(user, TeamRightWrite)
 }
 
 // CanRead checks if a user has read access to a list
@@ -57,27 +37,7 @@ func (l *List) CanRead(user *User) bool {
 return true
 }
 
- // Check Namespace rights
- exists, _ := x.Select("list.*").
- Table("namespaces").
- Join("INNER", "list", "list.namespace_id = namespaces.id").
- Join("INNER", "team_namespaces", "team_namespaces.namespace_id = namespaces.id").
- Join("INNER", "team_members", "team_members.team_id = team_namespaces.team_id").
- Where("team_members.user_id = ?", user.ID).
- And("list.id = ?", l.ID).
- Get(&List{})
-
- if exists {
- return true
- }
-
- // Check Team rights
- // TODO
-
- // Check individual rights
- // TODO
-
- return false
+ return l.checkListTeamRight(user, TeamRightRead)
 }
 
 // CanDelete checks if the user can delete a list
@@ -98,3 +58,21 @@ func (l *List) CanCreate(doer *User) bool {
 n, _ := GetNamespaceByID(l.NamespaceID)
 return n.CanWrite(doer)
 }
+
+func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
+ exists, err := x.Select("l.*").
+ Table("list").
+ Alias("l").
+ Join("LEFT", []string{"team_namespaces", "tn"}, "tn.namespace_id = tn.id").
+ Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id").
+ Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
+ Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
+ Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.rights = ?)) AND l.id = ?",
+ user.ID, r, user.ID, r, l.ID).
+ Get(&List{})
+ if err != nil {
+ return false
+ }
+
+ return exists
+}
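Review bot: The namespace join condition `tn.namespace_id = tn.id` compares team_namespaces with itself and never references the list, so the namespace-team path matches either nothing or rows unrelated to this list; the removed CanRead code joined on `list.namespace_id = namespaces.id`, and the equivalent here is `Join("LEFT", []string{"team_namespaces", "tn"}, "tn.namespace_id = l.namespace_id").` — until that is fixed, CanRead loses the namespace-team access it previously granted. The rights column is spelled `tn.right` on one table and `tl.rights` on the other, which is worth checking against the schema since a typo here would only show up as a denied request. The comparison is an exact `= r`, so if TeamRight is ordered (admin implies write implies read) a team holding admin rights would be refused a plain read or write check; I can't tell from this page how the constants are defined, and a `>= ?` comparison would be the fix if they are hierarchical. Failing closed on `err != nil` is the right default for an authorization check, but discarding the error hides database failures from operators, so log it before returning false.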