nicole
/
pique
1
0
Fork 0
Code Pull Requests Activity

Remove unused Makefile commands, and switch from boolean permission checks to an enum

This commit is contained in:
Nicole Tietz-Sokolskaya 2024-06-05 22:13:02 -04:00
parent 30473344af
commit 45b58ed9ab
3 changed files with 29 additions and 28 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
Makefile
View File

@ -16,9 +16,3 @@ typescript:
typescript-watch: typescript-watch:
npm run build-watch npm run build-watch
migrate:
sea-orm-cli migrate
entities:
sea-orm-cli generate entity -o src/entity --with-serde both

18
src/handler/documents.rs
View File

@ -7,7 +7,7 @@ use axum_login::AuthSession;
use crate::handler::internal_error; use crate::handler::internal_error;
use crate::models::documents::{self, NewDocument}; use crate::models::documents::{self, NewDocument};
use crate::models::users::User; use crate::models::users::User;
use crate::permissions::q::Permission; use crate::permissions::q::{Decision, Permission};
use crate::permissions::{self}; use crate::permissions::{self};
use crate::prelude::*; use crate::prelude::*;
@ -79,7 +79,7 @@ pub async fn create_document_submit(
}; };
let mut db = provider.db_pool.get().map_err(internal_error)?; let mut db = provider.db_pool.get().map_err(internal_error)?;
let project_allowed = permissions::q::check_user_project( let access_decision = permissions::q::check_user_project(
&mut db, &mut db,
&user.id, &user.id,
&form.project_id.to_string(), &form.project_id.to_string(),
@ -87,7 +87,7 @@ pub async fn create_document_submit(
) )
.map_err(internal_error)?; .map_err(internal_error)?;
if !project_allowed { if matches!(access_decision, Decision::Denied) {
return Err((StatusCode::FORBIDDEN, "permission denied".to_owned())); return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
} }
@ -116,11 +116,11 @@ pub async fn view_document_page(
let mut db = provider.db_pool.get().map_err(internal_error)?; let mut db = provider.db_pool.get().map_err(internal_error)?;
let document_allowed = let access_decision =
permissions::q::check_user_document(&mut db, &user.id, &id.to_string(), Permission::Write) permissions::q::check_user_document(&mut db, &user.id, &id.to_string(), Permission::Write)
.map_err(internal_error)?; .map_err(internal_error)?;
if !document_allowed { if matches!(access_decision, Decision::Denied) {
return Err((StatusCode::FORBIDDEN, "permission denied".to_owned())); return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
} }
@ -155,11 +155,11 @@ pub async fn edit_document_page(
let mut db = provider.db_pool.get().map_err(internal_error)?; let mut db = provider.db_pool.get().map_err(internal_error)?;
let document_allowed = let access_decision =
permissions::q::check_user_document(&mut db, &user.id, &id.to_string(), Permission::Write) permissions::q::check_user_document(&mut db, &user.id, &id.to_string(), Permission::Write)
.map_err(internal_error)?; .map_err(internal_error)?;
if !document_allowed { if matches!(access_decision, Decision::Denied) {
return Err((StatusCode::FORBIDDEN, "permission denied".to_owned())); return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
} }
@ -195,7 +195,7 @@ pub async fn edit_document_submit(
let mut db = provider.db_pool.get().map_err(internal_error)?; let mut db = provider.db_pool.get().map_err(internal_error)?;
let document_allowed = permissions::q::check_user_document( let access_decision = permissions::q::check_user_document(
&mut db, &mut db,
&user.id, &user.id,
&document_id.to_string(), &document_id.to_string(),
@ -203,7 +203,7 @@ pub async fn edit_document_submit(
) )
.map_err(internal_error)?; .map_err(internal_error)?;
if !document_allowed { if matches!(access_decision, Decision::Denied) {
return Err((StatusCode::FORBIDDEN, "permission denied".to_owned())); return Err((StatusCode::FORBIDDEN, "permission denied".to_owned()));
} }

33
src/permissions.rs
View File

@ -13,31 +13,38 @@ pub mod q {
Admin, Admin,
} }
#[derive(Debug, Clone, Copy)]
pub enum Decision {
Allowed,
Denied,
}
pub fn check_user_project( pub fn check_user_project(
db: &mut SqliteConnection, db: &mut SqliteConnection,
user_id: &str, user_id: &str,
project_id: &str, project_id: &str,
permission: Permission, requested_permission: Permission,
) -> Result<bool, diesel::result::Error> { ) -> Result<Decision, diesel::result::Error> {
use crate::schema::project_memberships::dsl as pm; use crate::schema::project_memberships::dsl as pm;
if permission == Permission::Admin { let row_count = match requested_permission {
let is_admin = pm::project_memberships Permission::Admin => pm::project_memberships
.filter(pm::user_id.eq(user_id)) .filter(pm::user_id.eq(user_id))
.filter(pm::project_id.eq(project_id)) .filter(pm::project_id.eq(project_id))
.filter(pm::role.eq(ProjectRole::Admin.to_string())) .filter(pm::role.eq(ProjectRole::Admin.to_string()))
.count() .count()
.get_result::<i64>(db)?; .get_result::<i64>(db)?,
_ => pm::project_memberships
Ok(is_admin > 0)
} else {
let is_member = pm::project_memberships
.filter(pm::user_id.eq(user_id)) .filter(pm::user_id.eq(user_id))
.filter(pm::project_id.eq(project_id)) .filter(pm::project_id.eq(project_id))
.count() .count()
.get_result::<i64>(db)?; .get_result::<i64>(db)?,
};
Ok(is_member > 0) if row_count > 0 {
Ok(Decision::Allowed)
} else {
Ok(Decision::Denied)
} }
} }
@ -46,7 +53,7 @@ pub mod q {
user_id: &str, user_id: &str,
document_id: &str, document_id: &str,
permission: Permission, permission: Permission,
) -> Result<bool, diesel::result::Error> { ) -> Result<Decision, diesel::result::Error> {
use crate::schema::documents::dsl as d; use crate::schema::documents::dsl as d;
let document = let document =
@ -54,7 +61,7 @@ pub mod q {
match document { match document {
Some(doc) => check_user_project(db, user_id, &doc.project_id, permission), Some(doc) => check_user_project(db, user_id, &doc.project_id, permission),
None => Ok(false), None => Ok(Decision::Denied),
} }
} }