Implemented proper check for team rights on namespaces

kolaente 2018-07-25 00:49:44 +02:00 committed by konrad
parent f36eeb662a
commit e602914659
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
2 changed files with 26 additions and 18 deletions


@ -68,7 +68,7 @@ func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id"). Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id"). Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.rights = ?)) AND l.id = ?", Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.rights = ?)) AND l.id = ?",
user.ID, r, user.ID, r, l.ID). user.ID, r, user.ID, r, l.ID).
Get(&List{}) Get(&List{})
if err != nil { if err != nil {
return false return false


@ -9,9 +9,7 @@ func (n *Namespace) IsAdmin(user *User) bool {
} }
// Check if that user is in a team which has admin rights to that namespace // Check if that user is in a team which has admin rights to that namespace
// TODO return n.checkTeamRights(user, TeamRightAdmin)
return false
} }
// CanWrite checks if a user has write access to a namespace // CanWrite checks if a user has write access to a namespace
@ -21,7 +19,13 @@ func (n *Namespace) CanWrite(user *User) bool {
return true return true
} }
return true // Admins always have write access
if n.IsAdmin(user) {
return true
}
// Check if that user is in a team which has write rights to that namespace
return n.checkTeamRights(user, TeamRightWrite)
} }
// CanRead checks if a user has read access to that namespace // CanRead checks if a user has read access to that namespace
@ -37,19 +41,7 @@ func (n *Namespace) CanRead(user *User) bool {
} }
// Check if the user is in a team which has access to the namespace // Check if the user is in a team which has access to the namespace
all := Namespace{} return n.checkTeamRights(user, TeamRightRead)
// TODO respect individual rights
exists, _ := x.Select("namespaces.*").
Table("namespaces").
Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
Where("team_members.user_id = ?", user.ID).
Or("namespaces.owner_id = ?", user.ID).
And("namespaces.id = ?", n.ID).
GroupBy("namespaces.id").
Get(&all)
return exists
} }
// CanUpdate checks if the user can update the namespace // CanUpdate checks if the user can update the namespace
@ -69,3 +61,19 @@ func (n *Namespace) CanCreate(user *User) bool {
// This is currently a dummy function, later on we could imagine global limits etc. // This is currently a dummy function, later on we could imagine global limits etc.
return true return true
} }
func (n *Namespace) checkTeamRights(user *User, r TeamRight) bool {
exists, err := x.Select("namespaces.*").
Table("namespaces").
Join("LEFT", "team_namespaces", "namespaces.id = team_namespaces.namespace_id").
Join("LEFT", "team_members", "team_members.team_id = team_namespaces.team_id").
Where("team_members.user_id = ? AND team_namespaces.right = ?", user.ID, r).
Or("namespaces.owner_id = ?", user.ID).
Get(&Namespace{})
if err != nil {
return false
}
return exists
}
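Review bot: The new checkTeamRights never restricts the query to the namespace being checked — the removed CanRead body had `And("namespaces.id = ?", n.ID)`, but the new query filters only on `team_members.user_id`/`team_namespaces.right` or `namespaces.owner_id`, so `exists` is true whenever the user holds right r on any namespace or owns any namespace at all, and IsAdmin, CanWrite and CanRead now succeed against every namespace for such a user. Fold the id into the condition the way checkListTeamRight in the other file does, replacing the Where and Or lines with `Where("((team_members.user_id = ? AND team_namespaces.right = ?) OR namespaces.owner_id = ?) AND namespaces.id = ?", user.ID, r, user.ID, n.ID).`. Separately, the exact match on `team_namespaces.right` means a team holding a higher right does not satisfy a check for a lower one unless the caller cascades; CanWrite does so via IsAdmin, but CanRead calls `checkTeamRights(user, TeamRightRead)` directly, so if rights are stored as a single level rather than cumulative flags, write- or admin-only teams would be denied read. A doc comment such as `// checkTeamRights reports whether user owns this namespace or belongs to a team holding exactly right r on it.` would make that contract explicit.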