local-it/vikunja-api
0
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Implemented proper check for team rights on lists

Browse source
This commit is contained in:
kolaente 2018-07-25 00:40:24 +02:00 committed by konrad
parent 7dc8699cbd
commit f36eeb662a
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
3 changed files with 24 additions and 45 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
Featurecreep.md
View file

@ -120,9 +120,9 @@ Teams sind global, d.h. Ein Team kann mehrere Namespaces verwalten.
#### v0.2 #### v0.2
* [ ] Listen teilbar * [x] Listen teilbar
* [ ] Mit anderen Nutzern * [ ] Mit anderen Nutzern
* [ ] Teams * [x] Teams
* [ ] Mit Link * [ ] Mit Link
* [ ] Offen * [ ] Offen
* [ ] Passwortgeschützt * [ ] Passwortgeschützt

1
models/list.go
View file

@ -69,6 +69,7 @@ func (l *List) ReadAll(user *User) (interface{}, error) {
Where("tm.user_id = ?", fullUser.ID). Where("tm.user_id = ?", fullUser.ID).
Or("tm2.user_id = ?", fullUser.ID). Or("tm2.user_id = ?", fullUser.ID).
Or("l.owner_id = ?", fullUser.ID). Or("l.owner_id = ?", fullUser.ID).
GroupBy("l.id").
Find(&lists) Find(&lists)
return lists, err return lists, err

64
models/list_rights.go
View file

@ -7,17 +7,7 @@ func (l *List) IsAdmin(user *User) bool {
return true return true
} }
// Check Team rights return l.checkListTeamRight(user, TeamRightAdmin)
// aka "is the user in a team which has admin rights?"
// TODO
// Check Namespace rights
// TODO
// Check individual rights
// TODO
return false
} }
// CanWrite return whether the user can write on that list or not // CanWrite return whether the user can write on that list or not
@ -32,17 +22,7 @@ func (l *List) CanWrite(user *User) bool {
return true return true
} }
// Check Namespace rights return l.checkListTeamRight(user, TeamRightWrite)
// TODO
// TODO find a way to prioritize: what happens if a user has namespace write access but is not in that list?
// Check Team rights
// TODO
// Check individual rights
// TODO
return false
} }
// CanRead checks if a user has read access to a list // CanRead checks if a user has read access to a list
@ -57,27 +37,7 @@ func (l *List) CanRead(user *User) bool {
return true return true
} }
// Check Namespace rights return l.checkListTeamRight(user, TeamRightRead)
exists, _ := x.Select("list.*").
Table("namespaces").
Join("INNER", "list", "list.namespace_id = namespaces.id").
Join("INNER", "team_namespaces", "team_namespaces.namespace_id = namespaces.id").
Join("INNER", "team_members", "team_members.team_id = team_namespaces.team_id").
Where("team_members.user_id = ?", user.ID).
And("list.id = ?", l.ID).
Get(&List{})
if exists {
return true
}
// Check Team rights
// TODO
// Check individual rights
// TODO
return false
} }
// CanDelete checks if the user can delete a list // CanDelete checks if the user can delete a list
@ -98,3 +58,21 @@ func (l *List) CanCreate(doer *User) bool {
n, _ := GetNamespaceByID(l.NamespaceID) n, _ := GetNamespaceByID(l.NamespaceID)
return n.CanWrite(doer) return n.CanWrite(doer)
} }
func (l *List) checkListTeamRight(user *User, r TeamRight) bool {
exists, err := x.Select("l.*").
Table("list").
Alias("l").
Join("LEFT", []string{"team_namespaces", "tn"}, "tn.namespace_id = tn.id").
Join("LEFT", []string{"team_members", "tm"}, "tm.team_id = tn.team_id").
Join("LEFT", []string{"team_list", "tl"}, "l.id = tl.list_id").
Join("LEFT", []string{"team_members", "tm2"}, "tm2.team_id = tl.team_id").
Where("((tm.user_id = ? AND tn.right = ?) OR (tm2.user_id = ? AND tl.rights = ?)) AND l.id = ?",
user.ID, r, user.ID, r, l.ID).
Get(&List{})
if err != nil {
return false
}
return exists
}