local-it/vikunja-api
0
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Optimized right checking

Browse source 
+ list.ReadAll now really gets all lists
This commit is contained in:
konrad 2018-07-12 21:07:59 +02:00 committed by kolaente
parent bae9c7f35e
commit 32fde286db
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
5 changed files with 179 additions and 129 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

64
models/lists.go → models/list.go
View file

@ -59,12 +59,19 @@ func (l *List) ReadAll(user *User) (interface{}, error) {
return lists, err return lists, err
} }
// TODO: namespaces... // Gets all Lists where the user is either owner or in a team which has access to the list
err = x.Select("list.*"). // Or in a team which has namespace read access
Join("LEFT", "team_list", "list.id = team_list.list_id"). err = x.Select("l.*").
Join("LEFT", "team_members", "team_members.team_id = team_list.team_id"). Table("list").
Where("team_members.user_id = ?", fullUser.ID). Alias("l").
Or("list.owner_id = ?", fullUser.ID). Join("INNER", []string{"namespaces", "n"}, "l.namespace_id = n.id").
Join("LEFT", []string{"team_namespaces", "tn"}, "tn.namespace_id = n.id").
Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id").
Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
Where("tm.user_id = ?", fullUser.ID).
Or("tm2.user_id = ?", fullUser.ID).
Or("l.owner_id = ?", fullUser.ID).
Find(&lists) Find(&lists)
return lists, err return lists, err
@ -75,48 +82,3 @@ func (l *List) ReadOne(id int64) (err error) {
*l, err = GetListByID(id) *l, err = GetListByID(id)
return return
} }
// IsAdmin returns whether the user has admin rights on the list or not
func (l *List) IsAdmin(user *User) bool {
// Owners are always admins
if l.Owner.ID == user.ID {
return true
}
// Check Team rights
// aka "is the user in a team which has admin rights?"
// TODO
// Check Namespace rights
// TODO
// Check individual rights
// TODO
return false
}
// CanWrite return whether the user can write on that list or not
func (l *List) CanWrite(user *User) bool {
// Admins always have write access
if l.IsAdmin(user) {
return true
}
// Owners always have write access
if l.Owner.ID == user.ID {
return true
}
// Check Namespace rights
// TODO
// TODO find a way to prioritize: what happens if a user has namespace write access but is not in that list?
// Check Team rights
// TODO
// Check individual rights
// TODO
return false
}

81
models/list_rights.go Normal file
View file

@ -0,0 +1,81 @@
package models
// IsAdmin returns whether the user has admin rights on the list or not
func (l *List) IsAdmin(user *User) bool {
// Owners are always admins
if l.Owner.ID == user.ID {
return true
}
// Check Team rights
// aka "is the user in a team which has admin rights?"
// TODO
// Check Namespace rights
// TODO
// Check individual rights
// TODO
return false
}
// CanWrite return whether the user can write on that list or not
func (l *List) CanWrite(user *User) bool {
// Owners always have write access
if l.Owner.ID == user.ID {
return true
}
// Admins always have write access
if l.IsAdmin(user) {
return true
}
// Check Namespace rights
// TODO
// TODO find a way to prioritize: what happens if a user has namespace write access but is not in that list?
// Check Team rights
// TODO
// Check individual rights
// TODO
return false
}
// CanRead checks if a user has read access to a list
func (l *List) CanRead(user *User) bool {
// Owners always have read access
if l.Owner.ID == user.ID {
return true
}
// Admins always have read access
if l.IsAdmin(user) {
return true
}
// Check Namespace rights
exists, _ := x.Select("list.*").
Table("namespaces").
Join("INNER", "list", "list.namespace_id = namespaces.id").
Join("INNER", "team_namespaces", "team_namespaces.namespace_id = namespaces.id").
Join("INNER", "team_members", "team_members.team_id = team_namespaces.team_id").
Where("team_members.user_id = ?", user.ID).
And("list.id = ?", l.ID).
Get(&List{})
if exists {
return true
}
// Check Team rights
// TODO
// Check individual rights
// TODO
return false
}

4
models/models.go
View file

@ -51,8 +51,8 @@ func SetEngine() (err error) {
} }
// Cache // Cache
cacher := xorm.NewLRUCacher(xorm.NewMemoryStore(), 1000) //cacher := xorm.NewLRUCacher(xorm.NewMemoryStore(), 1000)
x.SetDefaultCacher(cacher) //x.SetDefaultCacher(cacher)
x.SetMapper(core.GonicMapper{}) x.SetMapper(core.GonicMapper{})

76
models/namespaces.go
View file

@ -26,60 +26,6 @@ func (n *Namespace) AfterLoad() {
n.Owner, _, _ = GetUserByID(n.OwnerID) n.Owner, _, _ = GetUserByID(n.OwnerID)
} }
// NamespaceRight defines the rights teams can have for namespaces
type NamespaceRight int
// define unknown namespace right
const (
NamespaceRightUnknown = -1
)
// Enumerate all the namespace rights
const (
// Can read lists in a namespace
NamespaceRightRead NamespaceRight = iota
// Cat write items in a namespace like lists and todo items
NamespaceRightWrite
// Can manage a namespace, can do everything
NamespaceRightAdmin
)
// IsNamespaceAdmin returns whether the usre has admin rights in a namespace
func (user *User) IsNamespaceAdmin(namespace *Namespace) (err error) {
// Owners always have admin rights
if user.ID == namespace.Owner.ID {
return nil
}
// Check if that user is in a team which has admin rights to that namespace
return ErrUserNeedsToBeNamespaceAdmin{UserID: user.ID, NamespaceID: namespace.ID}
}
// IsAdmin returns true or false if the user is admin on that namespace or not
func (n *Namespace) IsAdmin(user *User) bool {
// Owners always have admin rights
if user.ID == n.Owner.ID {
return true
}
// Check if that user is in a team which has admin rights to that namespace
// TODO
return false
}
// CanWrite checks if a user has write access to a namespace
func (n *Namespace) CanWrite(user *User) bool {
// Owners always have access
if user.ID == n.Owner.ID {
return true
}
return true
}
// GetNamespaceByID returns a namespace object by its ID // GetNamespaceByID returns a namespace object by its ID
func GetNamespaceByID(id int64) (namespace Namespace, err error) { func GetNamespaceByID(id int64) (namespace Namespace, err error) {
namespace.ID = id namespace.ID = id
@ -165,25 +111,3 @@ func (n *Namespace) ReadAll(doer *User) (interface{}, error) {
return all, nil return all, nil
} }
func (n *Namespace) CanRead(user *User) bool {
// Owners always have access
if user.ID == n.Owner.ID {
return true
}
// Check if the user is in a team which has access to the namespace
all := Namespace{}
// TODO respect individual rights
exists, _ := x.Select("namespaces.*").
Table("namespaces").
Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
Where("team_members.user_id = ?", user.ID).
Or("namespaces.owner_id = ?", user.ID).
And("namespaces.id = ?", n.ID).
GroupBy("namespaces.id").
Get(&all)
return exists
}

83
models/namespaces_rights.go Normal file
View file

@ -0,0 +1,83 @@
package models
// NamespaceRight defines the rights teams can have for namespaces
type NamespaceRight int
// define unknown namespace right
const (
NamespaceRightUnknown = -1
)
// Enumerate all the namespace rights
const (
// Can read lists in a namespace
NamespaceRightRead NamespaceRight = iota
// Cat write items in a namespace like lists and todo items
NamespaceRightWrite
// Can manage a namespace, can do everything
NamespaceRightAdmin
)
// IsNamespaceAdmin returns whether the usre has admin rights in a namespace
func (user *User) IsNamespaceAdmin(namespace *Namespace) (err error) {
// Owners always have admin rights
if user.ID == namespace.Owner.ID {
return nil
}
// Check if that user is in a team which has admin rights to that namespace
return ErrUserNeedsToBeNamespaceAdmin{UserID: user.ID, NamespaceID: namespace.ID}
}
// IsAdmin returns true or false if the user is admin on that namespace or not
func (n *Namespace) IsAdmin(user *User) bool {
// Owners always have admin rights
if user.ID == n.Owner.ID {
return true
}
// Check if that user is in a team which has admin rights to that namespace
// TODO
return false
}
// CanWrite checks if a user has write access to a namespace
func (n *Namespace) CanWrite(user *User) bool {
// Owners always have access
if user.ID == n.Owner.ID {
return true
}
return true
}
// CanRead checks if a user has read access to that namespace
func (n *Namespace) CanRead(user *User) bool {
// Owners always have access
if user.ID == n.Owner.ID {
return true
}
// Admins always have read access
if n.IsAdmin(user) {
return true
}
// Check if the user is in a team which has access to the namespace
all := Namespace{}
// TODO respect individual rights
exists, _ := x.Select("namespaces.*").
Table("namespaces").
Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
Where("team_members.user_id = ?", user.ID).
Or("namespaces.owner_id = ?", user.ID).
And("namespaces.id = ?", n.ID).
GroupBy("namespaces.id").
Get(&all)
return exists
}