documize/domain/permission/permission.go

// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.
//
// This software (Documize Community Edition) is licensed under
// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html
//
// You can operate outside the AGPL restrictions by purchasing
// Documize Enterprise Edition and obtaining a commercial license
// by contacting <sales@documize.com>.
//
// https://documize.com

package permission

import (
	"database/sql"

	"github.com/documize/community/domain"
	group "github.com/documize/community/model/group"
	pm "github.com/documize/community/model/permission"
	u "github.com/documize/community/model/user"
)

// CanViewSpaceDocument returns if the user has permission to view a document within the specified folder.
func CanViewSpaceDocument(ctx domain.RequestContext, s domain.Store, labelID string) bool {
	roles, err := s.Permission.GetUserSpacePermissions(ctx, labelID)
	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	for _, role := range roles {
		if role.RefID == labelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
			pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {
			return true
		}
	}

	return false
}

// CanViewDocument returns if the client has permission to view a given document.
func CanViewDocument(ctx domain.RequestContext, s domain.Store, documentID string) bool {
	document, err := s.Document.Get(ctx, documentID)
	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	roles, err := s.Permission.GetUserSpacePermissions(ctx, document.LabelID)
	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	for _, role := range roles {
		if role.RefID == document.LabelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
			pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {
			return true
		}
	}

	return false
}

// CanChangeDocument returns if the clinet has permission to change a given document.
func CanChangeDocument(ctx domain.RequestContext, s domain.Store, documentID string) bool {
	document, err := s.Document.Get(ctx, documentID)

	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	roles, err := s.Permission.GetUserSpacePermissions(ctx, document.LabelID)

	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	for _, role := range roles {
		if role.RefID == document.LabelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow && role.Action == pm.DocumentEdit {
			return true
		}
	}

	return false
}

// CanDeleteDocument returns if the clinet has permission to change a given document.
func CanDeleteDocument(ctx domain.RequestContext, s domain.Store, documentID string) bool {
	document, err := s.Document.Get(ctx, documentID)

	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	roles, err := s.Permission.GetUserSpacePermissions(ctx, document.LabelID)

	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	for _, role := range roles {
		if role.RefID == document.LabelID && role.Location == "space" && role.Scope == "object" && role.Action == pm.DocumentDelete {
			return true
		}
	}

	return false
}

// CanUploadDocument returns if the client has permission to upload documents to the given space.
func CanUploadDocument(ctx domain.RequestContext, s domain.Store, spaceID string) bool {
	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)
	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	for _, role := range roles {
		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
			pm.ContainsPermission(role.Action, pm.DocumentAdd) {
			return true
		}
	}

	return false
}

// CanViewSpace returns if the user has permission to view the given spaceID.
func CanViewSpace(ctx domain.RequestContext, s domain.Store, spaceID string) bool {
	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)
	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}
	for _, role := range roles {
		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
			pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {
			return true
		}
	}

	return false
}

// CanViewDrafts returns if the user has permission to view drafts in space.
func CanViewDrafts(ctx domain.RequestContext, s domain.Store, spaceID string) bool {
	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)
	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}
	for _, role := range roles {
		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
			pm.ContainsPermission(role.Action, pm.DocumentLifecycle) {
			return true
		}
	}

	return false
}

// HasPermission returns if user can perform specified actions.
func HasPermission(ctx domain.RequestContext, s domain.Store, spaceID string, actions ...pm.Action) bool {
	roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)

	if err == sql.ErrNoRows {
		err = nil
	}
	if err != nil {
		return false
	}

	for _, role := range roles {
		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow {
			for _, a := range actions {
				if role.Action == a {
					return true
				}
			}
		}
	}

	return false
}

// GetDocumentApprovers returns list of users who can approve given document in given space
func GetDocumentApprovers(ctx domain.RequestContext, s domain.Store, spaceID, documentID string) (users []u.User, err error) {
	users = []u.User{}
	prev := make(map[string]bool) // used to ensure we only process user once

	// Permissions can be assigned to both groups and individual users.
	// Pre-fetch users with group membership to help us work out
	// if user belongs to a group with permissions.
	groupMembers, err := s.Group.GetMembers(ctx)
	if err != nil {
		return users, err
	}

	// space permissions
	sp, err := s.Permission.GetSpacePermissions(ctx, spaceID)
	if err != nil {
		return users, err
	}
	// document permissions
	dp, err := s.Permission.GetDocumentPermissions(ctx, documentID)
	if err != nil {
		return users, err
	}

	// all permissions
	all := sp
	all = append(all, dp...)

	for _, p := range all {
		// only approvers
		if p.Action != pm.DocumentApprove {
			continue
		}

		if p.Who == pm.GroupPermission {
			// get group records for just this group
			groupRecords := group.FilterGroupRecords(groupMembers, p.WhoID)

			for i := range groupRecords {
				user, err := s.User.Get(ctx, groupRecords[i].UserID)
				if err != nil {
					return users, err
				}
				if _, isExisting := prev[user.RefID]; !isExisting {
					users = append(users, user)
					prev[user.RefID] = true
				}
			}
		}

		if p.Who == pm.UserPermission {
			user, err := s.User.Get(ctx, p.WhoID)
			if err != nil {
				return users, err
			}

			if _, isExisting := prev[user.RefID]; !isExisting {
				users = append(users, user)
				prev[user.RefID] = true
			}
		}
	}

	return users, err
}
refactored permission code 2017-09-18 17:53:42 +01:00			`// Copyright 2016 Documize Inc. <legal@documize.com>. All rights reserved.`
			`//`
			`// This software (Documize Community Edition) is licensed under`
			`// GNU AGPL v3 http://www.gnu.org/licenses/agpl-3.0.en.html`
			`//`
			`// You can operate outside the AGPL restrictions by purchasing`
			`// Documize Enterprise Edition and obtaining a commercial license`
			`// by contacting <sales@documize.com>.`
			`//`
			`// https://documize.com`

			`package permission`

			`import (`
			`"database/sql"`

			`"github.com/documize/community/domain"`
Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`group "github.com/documize/community/model/group"`
refactored permission code 2017-09-18 17:53:42 +01:00			`pm "github.com/documize/community/model/permission"`
improve level code 2018-01-10 16:07:17 +00:00			`u "github.com/documize/community/model/user"`
refactored permission code 2017-09-18 17:53:42 +01:00			`)`

			`// CanViewSpaceDocument returns if the user has permission to view a document within the specified folder.`
			`func CanViewSpaceDocument(ctx domain.RequestContext, s domain.Store, labelID string) bool {`
			`roles, err := s.Permission.GetUserSpacePermissions(ctx, labelID)`
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`for _, role := range roles {`
Set category permissions for both users and groups 2018-03-06 10:39:47 +00:00			`if role.RefID == labelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&`
space categorty management 2017-09-19 17:58:33 +01:00			`pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {`
refactored permission code 2017-09-18 17:53:42 +01:00			`return true`
			`}`
			`}`

			`return false`
			`}`

			`// CanViewDocument returns if the client has permission to view a given document.`
			`func CanViewDocument(ctx domain.RequestContext, s domain.Store, documentID string) bool {`
			`document, err := s.Document.Get(ctx, documentID)`
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`roles, err := s.Permission.GetUserSpacePermissions(ctx, document.LabelID)`
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`for _, role := range roles {`
Set category permissions for both users and groups 2018-03-06 10:39:47 +00:00			`if role.RefID == document.LabelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&`
space categorty management 2017-09-19 17:58:33 +01:00			`pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {`
refactored permission code 2017-09-18 17:53:42 +01:00			`return true`
			`}`
			`}`

			`return false`
			`}`

			`// CanChangeDocument returns if the clinet has permission to change a given document.`
			`func CanChangeDocument(ctx domain.RequestContext, s domain.Store, documentID string) bool {`
			`document, err := s.Document.Get(ctx, documentID)`

			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`roles, err := s.Permission.GetUserSpacePermissions(ctx, document.LabelID)`

			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`for _, role := range roles {`
Set category permissions for both users and groups 2018-03-06 10:39:47 +00:00			`if role.RefID == document.LabelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow && role.Action == pm.DocumentEdit {`
refactored permission code 2017-09-18 17:53:42 +01:00			`return true`
			`}`
			`}`

			`return false`
			`}`

			`// CanDeleteDocument returns if the clinet has permission to change a given document.`
			`func CanDeleteDocument(ctx domain.RequestContext, s domain.Store, documentID string) bool {`
			`document, err := s.Document.Get(ctx, documentID)`

			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`roles, err := s.Permission.GetUserSpacePermissions(ctx, document.LabelID)`

			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`for _, role := range roles {`
			`if role.RefID == document.LabelID && role.Location == "space" && role.Scope == "object" && role.Action == pm.DocumentDelete {`
			`return true`
			`}`
			`}`

			`return false`
			`}`

			`// CanUploadDocument returns if the client has permission to upload documents to the given space.`
			`func CanUploadDocument(ctx domain.RequestContext, s domain.Store, spaceID string) bool {`
			`roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)`
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`for _, role := range roles {`
Set category permissions for both users and groups 2018-03-06 10:39:47 +00:00			`if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&`
space categorty management 2017-09-19 17:58:33 +01:00			`pm.ContainsPermission(role.Action, pm.DocumentAdd) {`
refactored permission code 2017-09-18 17:53:42 +01:00			`return true`
			`}`
			`}`

			`return false`
			`}`

			`// CanViewSpace returns if the user has permission to view the given spaceID.`
			`func CanViewSpace(ctx domain.RequestContext, s domain.Store, spaceID string) bool {`
			`roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)`
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`
			`for _, role := range roles {`
Set category permissions for both users and groups 2018-03-06 10:39:47 +00:00			`if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&`
space categorty management 2017-09-19 17:58:33 +01:00			`pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {`
refactored permission code 2017-09-18 17:53:42 +01:00			`return true`
			`}`
			`}`

			`return false`
			`}`

Provide basis for document lifecycle 2018-03-15 17:11:53 +00:00			`// CanViewDrafts returns if the user has permission to view drafts in space.`
			`func CanViewDrafts(ctx domain.RequestContext, s domain.Store, spaceID string) bool {`
			`roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)`
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`
			`for _, role := range roles {`
			`if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&`
			`pm.ContainsPermission(role.Action, pm.DocumentLifecycle) {`
			`return true`
			`}`
			`}`

			`return false`
			`}`

space categorty management 2017-09-19 17:58:33 +01:00			`// HasPermission returns if user can perform specified actions.`
			`func HasPermission(ctx domain.RequestContext, s domain.Store, spaceID string, actions ...pm.Action) bool {`
			`roles, err := s.Permission.GetUserSpacePermissions(ctx, spaceID)`
refactored permission code 2017-09-18 17:53:42 +01:00
			`if err == sql.ErrNoRows {`
			`err = nil`
			`}`
			`if err != nil {`
			`return false`
			`}`

			`for _, role := range roles {`
Set category permissions for both users and groups 2018-03-06 10:39:47 +00:00			`if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow {`
space categorty management 2017-09-19 17:58:33 +01:00			`for _, a := range actions {`
			`if role.Action == a {`
			`return true`
			`}`
			`}`
refactored permission code 2017-09-18 17:53:42 +01:00			`}`
			`}`

			`return false`
			`}`
improve level code 2018-01-10 16:07:17 +00:00
			`// GetDocumentApprovers returns list of users who can approve given document in given space`
			`func GetDocumentApprovers(ctx domain.RequestContext, s domain.Store, spaceID, documentID string) (users []u.User, err error) {`
			`users = []u.User{}`
			`prev := make(map[string]bool) // used to ensure we only process user once`

Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`// Permissions can be assigned to both groups and individual users.`
			`// Pre-fetch users with group membership to help us work out`
			`// if user belongs to a group with permissions.`
			`groupMembers, err := s.Group.GetMembers(ctx)`
			`if err != nil {`
			`return users, err`
improve level code 2018-01-10 16:07:17 +00:00			`}`

Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`// space permissions`
			`sp, err := s.Permission.GetSpacePermissions(ctx, spaceID)`
			`if err != nil {`
			`return users, err`
			`}`
			`// document permissions`
improve level code 2018-01-10 16:07:17 +00:00			`dp, err := s.Permission.GetDocumentPermissions(ctx, documentID)`
Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`if err != nil {`
			`return users, err`
			`}`

			`// all permissions`
			`all := sp`
			`all = append(all, dp...)`

			`for _, p := range all {`
			`// only approvers`
			`if p.Action != pm.DocumentApprove {`
			`continue`
			`}`

			`if p.Who == pm.GroupPermission {`
			`// get group records for just this group`
			`groupRecords := group.FilterGroupRecords(groupMembers, p.WhoID)`

			`for i := range groupRecords {`
			`user, err := s.User.Get(ctx, groupRecords[i].UserID)`
			`if err != nil {`
			`return users, err`
			`}`
improve level code 2018-01-10 16:07:17 +00:00			`if _, isExisting := prev[user.RefID]; !isExisting {`
			`users = append(users, user)`
Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`prev[user.RefID] = true`
improve level code 2018-01-10 16:07:17 +00:00			`}`
Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`}`
			`}`

			`if p.Who == pm.UserPermission {`
			`user, err := s.User.Get(ctx, p.WhoID)`
			`if err != nil {`
improve level code 2018-01-10 16:07:17 +00:00			`return users, err`
			`}`
Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00
			`if _, isExisting := prev[user.RefID]; !isExisting {`
			`users = append(users, user)`
			`prev[user.RefID] = true`
			`}`
improve level code 2018-01-10 16:07:17 +00:00			`}`
			`}`

Ensure permission records parsed for groups and users 2018-03-06 15:40:00 +00:00			`return users, err`
improve level code 2018-01-10 16:07:17 +00:00			`}`