Refactor crud handler methods to use the new rights checking
continuous-integration/drone/push Build was killed
Details
continuous-integration/drone/push Build was killed
Details
This commit is contained in:
parent
cdb63d33af
commit
202d357890
GPG Key ID:
F40E70337AB24C9B
|
|
@ -5,7 +5,7 @@ Authorization: Bearer {{auth_token}}
|
|||
###
|
||||
|
||||
# Get one list
|
||||
GET http://localhost:8080/api/v1/lists/1
|
||||
GET http://localhost:8080/api/v1/lists/27
|
||||
Authorization: Bearer {{auth_token}}
|
||||
|
||||
###
|
||||
|
|
|
|||
|
|
@ -22,66 +22,27 @@ import (
|
|||
"github.com/go-xorm/builder"
|
||||
)
|
||||
|
||||
// IsAdmin returns whether the user has admin rights on the list or not
|
||||
func (l *List) IsAdmin(a web.Auth) bool {
|
||||
u := getUserForRights(a)
|
||||
|
||||
// Owners are always admins
|
||||
if l.OwnerID == u.ID {
|
||||
return true
|
||||
}
|
||||
|
||||
// Check individual rights
|
||||
if l.checkListUserRight(u, UserRightAdmin) {
|
||||
return true
|
||||
}
|
||||
|
||||
return l.checkListTeamRight(u, TeamRightAdmin)
|
||||
}
|
||||
|
||||
// CanWrite return whether the user can write on that list or not
|
||||
func (l *List) CanWrite(a web.Auth) bool {
|
||||
user := getUserForRights(a)
|
||||
|
||||
// Admins always have write access
|
||||
if l.IsAdmin(user) {
|
||||
return true
|
||||
}
|
||||
|
||||
// Check individual rights
|
||||
if l.checkListUserRight(user, UserRightWrite) {
|
||||
return true
|
||||
}
|
||||
|
||||
return l.checkListTeamRight(user, TeamRightWrite)
|
||||
// Check all the things
|
||||
// Check if the user is either owner or can write to the list
|
||||
return l.isOwner(user) || l.checkListRight(user, ListRightWrite, ListRightAdmin)
|
||||
}
|
||||
|
||||
// CanRead checks if a user has read access to a list
|
||||
func (l *List) CanRead(a web.Auth) bool {
|
||||
user := getUserForRights(a)
|
||||
|
||||
// Admins always have read access
|
||||
if l.IsAdmin(user) {
|
||||
return true
|
||||
}
|
||||
|
||||
// Check individual rights
|
||||
if l.checkListUserRight(user, UserRightRead) {
|
||||
return true
|
||||
}
|
||||
|
||||
if l.checkListTeamRight(user, TeamRightRead) {
|
||||
return true
|
||||
}
|
||||
|
||||
// Users who are able to write should also be able to read
|
||||
return l.CanWrite(a)
|
||||
// Check all the things
|
||||
// Check if the user is either owner or can read
|
||||
return l.isOwner(user) || l.checkListRight(user, ListRightRead, ListRightWrite, ListRightAdmin)
|
||||
}
|
||||
|
||||
// CanDelete checks if the user can delete a list
|
||||
func (l *List) CanDelete(a web.Auth) bool {
|
||||
doer := getUserForRights(a)
|
||||
return l.IsAdmin(doer)
|
||||
return l.IsAdmin(a)
|
||||
}
|
||||
|
||||
// CanUpdate checks if the user can update a list
|
||||
|
|
@ -97,66 +58,47 @@ func (l *List) CanCreate(a web.Auth) bool {
|
|||
return n.CanWrite(a)
|
||||
}
|
||||
|
||||
func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
|
||||
exists, err := x.Select("l.*").
|
||||
Table("list").
|
||||
Alias("l").
|
||||
Join("LEFT", []string{"team_namespaces", "tn"}, " l.namespace_id = tn.namespace_id").
|
||||
Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id").
|
||||
Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
|
||||
Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
|
||||
Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.right = ?)) AND l.id = ?",
|
||||
user.ID, r, user.ID, r, l.ID).
|
||||
Exist(&List{})
|
||||
if err != nil {
|
||||
log.Log.Error("Error occurred during checkListTeamRight for List: %s", err)
|
||||
return false
|
||||
}
|
||||
// IsAdmin returns whether the user has admin rights on the list or not
|
||||
func (l *List) IsAdmin(a web.Auth) bool {
|
||||
user := getUserForRights(a)
|
||||
|
||||
return exists
|
||||
// Check all the things
|
||||
// Check if the user is either owner or can write to the list
|
||||
// Owners are always admins
|
||||
return l.isOwner(user) || l.checkListRight(user, ListRightAdmin)
|
||||
}
|
||||
|
||||
func (l *List) checkListUserRight(user *User, r UserRight) bool {
|
||||
exists, err := x.Select("l.*").
|
||||
Table("list").
|
||||
Alias("l").
|
||||
Join("LEFT", []string{"users_namespace", "un"}, "un.namespace_id = l.namespace_id").
|
||||
Join("LEFT", []string{"users_list", "ul"}, "ul.list_id = l.id").
|
||||
Join("LEFT", []string{"namespaces", "n"}, "n.id = l.namespace_id").
|
||||
Where("((ul.user_id = ? AND ul.right = ?) "+
|
||||
"OR (un.user_id = ? AND un.right = ?) "+
|
||||
"OR n.owner_id = ?)"+
|
||||
"AND l.id = ?",
|
||||
user.ID, r, user.ID, r, user.ID, l.ID).
|
||||
Exist(&List{})
|
||||
if err != nil {
|
||||
log.Log.Error("Error occurred during checkListUserRight for List: %s", err)
|
||||
return false
|
||||
// Little helper function to check if a user is list owner
|
||||
func (l *List) isOwner(u *User) bool {
|
||||
if l.OwnerID == u.ID {
|
||||
return true
|
||||
}
|
||||
|
||||
return exists
|
||||
return false
|
||||
}
|
||||
|
||||
func (l *List) checkListRight(user *User, rights ...UserRight) bool {
|
||||
// Checks n different rights for any given user
|
||||
func (l *List) checkListRight(user *User, rights ...ListRight) bool {
|
||||
|
||||
/*
|
||||
The following loop creates an sql condition like this one:
|
||||
The following loop creates an sql condition like this one:
|
||||
|
||||
(ul.user_id = 1 AND ul.right = 1) OR (un.user_id = 1 AND un.right = 1) OR
|
||||
(tm.user_id = 1 AND tn.right = 1) OR (tm2.user_id = 1 AND tl.right = 1) OR
|
||||
(ul.user_id = 1 AND ul.right = 1) OR (un.user_id = 1 AND un.right = 1) OR
|
||||
(tm.user_id = 1 AND tn.right = 1) OR (tm2.user_id = 1 AND tl.right = 1) OR
|
||||
|
||||
for each passed right. That way, we can check with a single sql query (instead if 8)
|
||||
if the user has the right to see the list or not.
|
||||
for each passed right. That way, we can check with a single sql query (instead if 8)
|
||||
if the user has the right to see the list or not.
|
||||
*/
|
||||
|
||||
var conds []builder.Cond
|
||||
for _, r := range rights {
|
||||
// User conditions
|
||||
conds = append(conds, builder.Or(
|
||||
// If the list was shared directly with the user and the user has the right
|
||||
builder.And(
|
||||
builder.Eq{"ul.user_id": user.ID},
|
||||
builder.Eq{"ul.right": r},
|
||||
),
|
||||
// If the namespace this list belongs to was shared directly with the user and the user has the right
|
||||
builder.And(
|
||||
builder.Eq{"un.user_id": user.ID},
|
||||
builder.Eq{"un.right": r},
|
||||
|
|
@ -164,14 +106,16 @@ func (l *List) checkListRight(user *User, rights ...UserRight) bool {
|
|||
))
|
||||
// Team rights
|
||||
conds = append(conds, builder.Or(
|
||||
builder.And(
|
||||
builder.Eq{"tm.user_id": user.ID},
|
||||
builder.Eq{"tn.right": r},
|
||||
),
|
||||
// If the list was shared directly with the team and the team has the right
|
||||
builder.And(
|
||||
builder.Eq{"tm2.user_id": user.ID},
|
||||
builder.Eq{"tl.right": r},
|
||||
),
|
||||
// If the namespace this list belongs to was shared directly with the team and the team has the right
|
||||
builder.And(
|
||||
builder.Eq{"tm.user_id": user.ID},
|
||||
builder.Eq{"tn.right": r},
|
||||
),
|
||||
))
|
||||
}
|
||||
|
||||
|
|
@ -196,7 +140,7 @@ func (l *List) checkListRight(user *User, rights ...UserRight) bool {
|
|||
)).
|
||||
Exist(&List{})
|
||||
if err != nil {
|
||||
log.Log.Error("Error occurred during checkListUserRight for List: %s", err)
|
||||
log.Log.Error("Error occurred during checkListRight for List: %s", err)
|
||||
return false
|
||||
}
|
||||
|
||||
|
|
|
|||
Loading…
Reference in New Issue