From d57f030687f22a1d7125aa91fd48fc39e77b4dc2 Mon Sep 17 00:00:00 2001 From: kolaente Date: Sun, 9 Aug 2020 17:17:26 +0200 Subject: [PATCH] Update label rights to return the max right --- pkg/models/label_rights.go | 29 +++++++++++++++++++++-------- pkg/models/label_task.go | 2 +- pkg/models/label_task_rights.go | 2 +- 3 files changed, 23 insertions(+), 10 deletions(-) diff --git a/pkg/models/label_rights.go b/pkg/models/label_rights.go index d3ced45a4..5a08e79b0 100644 --- a/pkg/models/label_rights.go +++ b/pkg/models/label_rights.go @@ -33,7 +33,7 @@ func (l *Label) CanDelete(a web.Auth) (bool, error) { } // CanRead checks if a user can read a label -func (l *Label) CanRead(a web.Auth) (bool, error) { +func (l *Label) CanRead(a web.Auth) (bool, int, error) { return l.hasAccessToLabel(a) } @@ -61,24 +61,37 @@ func (l *Label) isLabelOwner(a web.Auth) (bool, error) { } // Helper method to check if a user can see a specific label -func (l *Label) hasAccessToLabel(a web.Auth) (bool, error) { +func (l *Label) hasAccessToLabel(a web.Auth) (has bool, maxRight int, err error) { // TODO: add an extra check for link share handling // Get all tasks taskIDs, err := getUserTaskIDs(&user.User{ID: a.GetID()}) if err != nil { - return false, err + return false, 0, err } // Get all labels associated with these tasks - var labels []*Label - has, err := x.Table("labels"). - Select("labels.*"). + ll := &LabelTask{} + has, err = x.Table("labels"). + Select("labels_task.*"). Join("LEFT", "label_task", "label_task.label_id = labels.id"). Where("label_task.label_id is not null OR labels.created_by_id = ?", a.GetID()). Or(builder.In("label_task.task_id", taskIDs)). And("labels.id = ?", l.ID). - Exist(&labels) - return has, err + Exist(ll) + if err != nil { + return + } + + // Since the right depends on the task the label is associated with, we need to check that too. + if ll.TaskID > 0 { + t := &Task{ID: ll.TaskID} + _, maxRight, err = t.CanRead(a) + if err != nil { + return + } + } + + return } diff --git a/pkg/models/label_task.go b/pkg/models/label_task.go index 60f26061c..181cea390 100644 --- a/pkg/models/label_task.go +++ b/pkg/models/label_task.go @@ -291,7 +291,7 @@ func (t *Task) updateTaskLabels(creator web.Auth, labels []*Label) (err error) { } // Check if the user has the rights to see the label he is about to add - hasAccessToLabel, err := label.hasAccessToLabel(creator) + hasAccessToLabel, _, err := label.hasAccessToLabel(creator) if err != nil { return err } diff --git a/pkg/models/label_task_rights.go b/pkg/models/label_task_rights.go index 68b1afe1c..f3d24c181 100644 --- a/pkg/models/label_task_rights.go +++ b/pkg/models/label_task_rights.go @@ -27,7 +27,7 @@ func (lt *LabelTask) CanCreate(a web.Auth) (bool, error) { return false, err } - hasAccessTolabel, err := label.hasAccessToLabel(a) + hasAccessTolabel, _, err := label.hasAccessToLabel(a) if err != nil || !hasAccessTolabel { // If the user doesn't have access to the label, we can error out here return false, err }