diff --git a/Makefile b/Makefile
index 658e8d7..8b3ee64 100644
--- a/Makefile
+++ b/Makefile
@@ -16,9 +16,3 @@ typescript:
 typescript-watch:
 npm run build-watch
-
-migrate:
- sea-orm-cli migrate
-
-entities:
- sea-orm-cli generate entity -o src/entity --with-serde both
diff --git a/src/handler/documents.rs b/src/handler/documents.rs
index 5170155..1281761 100644
--- a/src/handler/documents.rs
+++ b/src/handler/documents.rs
@@ -7,7 +7,7 @@ use axum_login::AuthSession;
 use crate::handler::internal_error;
 use crate::models::documents::{self, NewDocument};
 use crate::models::users::User;
-use crate::permissions::q::Permission;
+use crate::permissions::q::{Decision, Permission};
 use crate::permissions::{self};
 use crate::prelude::*;
@@ -79,7 +79,7 @@ pub async fn create_document_submit(
 };
 let mut db = provider.db_pool.get().map_err(internal_error)?;
- let project_allowed = permissions::q::check_user_project(
+ let access_decision = permissions::q::check_user_project(
 &mut db,
 &user.id,
 &form.project_id.to_string(),
@@ -87,7 +87,7 @@ pub async fn create_document_submit(
 )
 .map_err(internal_error)?;
- if !project_allowed {
+ if matches!(access_decision, Decision::Denied) {
 return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
 }
@@ -116,11 +116,11 @@ pub async fn view_document_page(
 let mut db = provider.db_pool.get().map_err(internal_error)?;
- let document_allowed =
+ let access_decision =
 permissions::q::check_user_document(&mut db, &user.id, &id.to_string(), Permission::Write)
 .map_err(internal_error)?;
- if !document_allowed {
+ if matches!(access_decision, Decision::Denied) {
 return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
 }
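Review bot: The new guard `if matches!(access_decision, Decision::Denied)` in `create_document_submit` (hunk at -87) rejects only the one variant it names, so any variant later added to `Decision` would fall through to the protected code path. Writing the check against the allowing variant keeps it fail-closed: `if !matches!(access_decision, Decision::Allowed) {`. The same line appears in `view_document_page` (-116), `edit_document_page` (-155) and `edit_document_submit` (-203) and would take the same change. Each of these handler bodies starts and ends outside its hunk.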
@@ -155,11 +155,11 @@ pub async fn edit_document_page(
 let mut db = provider.db_pool.get().map_err(internal_error)?;
- let document_allowed =
+ let access_decision =
 permissions::q::check_user_document(&mut db, &user.id, &id.to_string(), Permission::Write)
 .map_err(internal_error)?;
- if !document_allowed {
+ if matches!(access_decision, Decision::Denied) {
 return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
 }
@@ -195,7 +195,7 @@ pub async fn edit_document_submit(
 let mut db = provider.db_pool.get().map_err(internal_error)?;
- let document_allowed = permissions::q::check_user_document(
+ let access_decision = permissions::q::check_user_document(
 &mut db,
 &user.id,
 &document_id.to_string(),
@@ -203,7 +203,7 @@ pub async fn edit_document_submit(
 )
 .map_err(internal_error)?;
- if !document_allowed {
+ if matches!(access_decision, Decision::Denied) {
 return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
 }
diff --git a/src/permissions.rs b/src/permissions.rs
index a7c64d2..5590545 100644
--- a/src/permissions.rs
+++ b/src/permissions.rs
@@ -13,31 +13,38 @@ pub mod q {
 Admin,
 }
+ #[derive(Debug, Clone, Copy)]
+ pub enum Decision {
+ Allowed,
+ Denied,
+ }
+
 pub fn check_user_project(
 db: &mut SqliteConnection,
 user_id: &str,
 project_id: &str,
- permission: Permission,
- ) -> Result {
+ requested_permission: Permission,
+ ) -> Result {
 use crate::schema::project_memberships::dsl as pm;
- if permission == Permission::Admin {
- let is_admin = pm::project_memberships
+ let row_count = match requested_permission {
+ Permission::Admin => pm::project_memberships
 .filter(pm::user_id.eq(user_id))
 .filter(pm::project_id.eq(project_id))
 .filter(pm::role.eq(ProjectRole::Admin.to_string()))
 .count()
- .get_result::(db)?;
-
- Ok(is_admin > 0)
- } else {
- let is_member = pm::project_memberships
+ .get_result::(db)?,
+ _ => pm::project_memberships
 .filter(pm::user_id.eq(user_id))
 .filter(pm::project_id.eq(project_id))
 .count()
- .get_result::(db)?;
+ .get_result::(db)?,
+ };
- Ok(is_member > 0)
+ if row_count > 0 {
+ Ok(Decision::Allowed)
+ } else {
+ Ok(Decision::Denied)
 }
 }
@@ -46,7 +53,7 @@ pub mod q {
 user_id: &str,
 document_id: &str,
 permission: Permission,
- ) -> Result {
+ ) -> Result {
 use crate::schema::documents::dsl as d;
 let document =
@@ -54,7 +61,7 @@ pub mod q {
 match document {
 Some(doc) => check_user_project(db, user_id, &doc.project_id, permission),
- None => Ok(false),
+ None => Ok(Decision::Denied),
 }
 }
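Review bot: The `_ =>` arm in `check_user_project` grants every permission other than `Permission::Admin` on plain project membership, so a variant added to `Permission` later would silently get the membership-only rule. As far as this diff shows, the `Permission::Write` requested by the document handlers is likewise not distinguished from any other non-admin level. Naming the non-admin variants in that arm instead of `_` makes the compiler flag the match when the enum grows. `Decision` would also benefit from `#[must_use]` above `pub enum Decision {`, because a call ending in `?` whose `Decision` is then dropped compiles without a warning and skips the check. Adding `PartialEq, Eq` to the derive would let tests compare results directly.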
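Review bot: `None => Ok(Decision::Denied)` in `check_user_document` (hunk at -54) deserves a comment, because it makes a missing document indistinguishable from one in a project the user does not belong to. The handlers in src/handler/documents.rs answer both with 403 at the permission check. If that is the intent, a comment above the arm would record it: `// Unknown id is reported as Denied, same as no membership, so callers do not reveal which documents exist.` The function starts outside this hunk.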