Set category permissions for both users and groups

2025-08-04 21:15:24 +02:00 · 2018-03-06 10:39:47 +00:00 · 2018-03-06 10:39:47 +00:00 · 22679920d0
commit 22679920d0
parent d1fdb385e9
17 changed files with 335 additions and 124 deletions
--- a/domain/category/endpoint.go
+++ b/domain/category/endpoint.go
@ -155,15 +155,11 @@ func (h *Handler) GetAll(w http.ResponseWriter, r *http.Request) {
 	}

 	cat, err := h.Store.Category.GetAllBySpace(ctx, spaceID)
-	if err != nil && err != sql.ErrNoRows {
+	if err != nil {
 		response.WriteServerError(w, method, err)
 		return
 	}

-	if len(cat) == 0 {
-		cat = []category.Category{}
-	}
-
 	response.WriteJSON(w, cat)
 }

@ -320,10 +316,6 @@ func (h *Handler) GetSummary(w http.ResponseWriter, r *http.Request) {
 		return
 	}

-	if len(s) == 0 {
-		s = []category.SummaryModel{}
-	}
-
 	response.WriteJSON(w, s)
 }

--- a/domain/category/mysql/store.go
+++ b/domain/category/mysql/store.go
@ -80,8 +80,9 @@ func (s Scope) GetAllBySpace(ctx domain.RequestContext, spaceID string) (c []cat
 		))
 	  ORDER BY category`, ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, ctx.UserID, ctx.OrgID, ctx.UserID)

-	if err == sql.ErrNoRows {
+	if err == sql.ErrNoRows || len(c) == 0 {
 		err = nil
+		c = []category.Category{}
 	}
 	if err != nil {
 		err = errors.Wrap(err, fmt.Sprintf("unable to execute select all categories for space %s", spaceID))
@ -190,20 +191,20 @@ func (s Scope) DeleteBySpace(ctx domain.RequestContext, spaceID string) (rows in
 // GetSpaceCategorySummary returns number of documents and users for space categories.
 func (s Scope) GetSpaceCategorySummary(ctx domain.RequestContext, spaceID string) (c []category.SummaryModel, err error) {
 	err = s.Runtime.Db.Select(&c, `
-		SELECT 'documents' as type, categoryid, COUNT(*) as count FROM categorymember WHERE orgid=? AND labelid=? GROUP BY categoryid, type
+		SELECT 'documents' as type, categoryid, COUNT(*) as count
+			FROM categorymember
+			WHERE orgid=? AND labelid=? GROUP BY categoryid, type
 		UNION ALL
-		SELECT 'users' as type, refid AS categoryid, count(*) AS count FROM permission WHERE orgid=? AND who='user' AND location='category'
-			AND refid IN (SELECT refid FROM category WHERE orgid=? AND labelid=?)
-			GROUP BY refid, type
-		UNION ALL
-		SELECT 'users' as type, p.refid AS categoryid, count(*) AS count FROM rolemember r LEFT JOIN permission p ON p.whoid=r.roleid
-			WHERE p.orgid=? AND p.who='role' AND p.location='category'
-			AND p.refid IN (SELECT refid FROM category WHERE orgid=? AND labelid=?)
-			GROUP BY p.refid, type`,
-		ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, spaceID)
+		SELECT 'users' as type, refid AS categoryid, count(*) AS count
+			FROM permission
+			WHERE orgid=? AND location='category' 
+				AND refid IN (SELECT refid FROM category WHERE orgid=? AND labelid=?)
+			GROUP BY refid, type`,
+		ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, spaceID /*, ctx.OrgID, ctx.OrgID, spaceID*/)

-	if err == sql.ErrNoRows {
+	if err == sql.ErrNoRows || len(c) == 0 {
 		err = nil
+		c = []category.SummaryModel{}
 	}
 	if err != nil {
 		err = errors.Wrap(err, fmt.Sprintf("select category summary for space %s", spaceID))
--- a/domain/meta/endpoint.go
+++ b/domain/meta/endpoint.go
@ -41,8 +41,8 @@ func (h *Handler) Meta(w http.ResponseWriter, r *http.Request) {

 	org, err := h.Store.Organization.GetOrganizationByDomain(data.URL)
 	if err != nil {
-		h.Runtime.Log.Error("unable to fetch request meta for "+data.URL, err)
-		response.WriteForbiddenError(w)
+		h.Runtime.Log.Info("unable to fetch request meta for " + data.URL)
+		response.WriteNotFound(w)
 		return
 	}

--- a/domain/organization/mysql/store.go
+++ b/domain/organization/mysql/store.go
@ -79,16 +79,15 @@ func (s Scope) GetOrganizationByDomain(subdomain string) (o org.Organization, er
 		return
 	}

-	err = s.Runtime.Db.Get(&o, "SELECT id, refid, company, title, message, url, domain, service as conversionendpoint, email, serial, active, allowanonymousaccess, authprovider, coalesce(authconfig,JSON_UNQUOTE('{}')) as authconfig, created, revised FROM organization WHERE domain=? AND active=1",
-		subdomain)
-
+	// match on given domain name
+	err = s.Runtime.Db.Get(&o, "SELECT id, refid, company, title, message, url, domain, service as conversionendpoint, email, serial, active, allowanonymousaccess, authprovider, coalesce(authconfig,JSON_UNQUOTE('{}')) as authconfig, created, revised FROM organization WHERE domain=? AND active=1", subdomain)
 	if err == nil {
 		return
 	}
+	err = nil

-	// we try to match on empty domain as last resort
+	// match on empty domain as last resort
 	err = s.Runtime.Db.Get(&o, "SELECT id, refid, company, title, message, url, domain, service as conversionendpoint, email, serial, active, allowanonymousaccess, authprovider, coalesce(authconfig,JSON_UNQUOTE('{}')) as authconfig, created, revised FROM organization WHERE domain='' AND active=1")
-
 	if err != nil && err != sql.ErrNoRows {
 		err = errors.Wrap(err, "unable to execute select for empty subdomain")
 	}
--- a/domain/permission/endpoint.go
+++ b/domain/permission/endpoint.go
@ -266,7 +266,7 @@ func (h *Handler) GetSpacePermissions(w http.ResponseWriter, r *http.Request) {
 	}

 	perms, err := h.Store.Permission.GetSpacePermissions(ctx, spaceID)
-	if err != nil && err != sql.ErrNoRows {
+	if err != nil {
 		response.WriteServerError(w, method, err)
 		h.Runtime.Log.Error(method, err)
 		return
@ -302,7 +302,7 @@ func (h *Handler) GetSpacePermissions(w http.ResponseWriter, r *http.Request) {

 		if records[i].Who == permission.UserPermission {
 			if records[i].WhoID == user.EveryoneUserID {
-				records[i].Name = "Everyone"
+				records[i].Name = user.EveryoneUserName
 			} else {
 				u, err := h.Store.User.Get(ctx, records[i].WhoID)
 				if err != nil {
@ -371,13 +371,58 @@ func (h *Handler) GetCategoryPermissions(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	u, err := h.Store.Permission.GetCategoryPermissions(ctx, categoryID)
-	if err != nil && err != sql.ErrNoRows {
+	perms, err := h.Store.Permission.GetCategoryPermissions(ctx, categoryID)
+	if err != nil {
 		response.WriteServerError(w, method, err)
+		h.Runtime.Log.Error(method, err)
 		return
 	}

-	response.WriteJSON(w, u)
+	userPerms := make(map[string][]permission.Permission)
+	for _, p := range perms {
+		userPerms[p.WhoID] = append(userPerms[p.WhoID], p)
+	}
+
+	records := []permission.CategoryRecord{}
+	for _, up := range userPerms {
+		records = append(records, permission.DecodeUserCategoryPermissions(up))
+	}
+
+	// populate user/group name for thing that has permission record
+	groups, err := h.Store.Group.GetAll(ctx)
+	if err != nil && err != sql.ErrNoRows {
+		response.WriteServerError(w, method, err)
+		h.Runtime.Log.Error(method, err)
+		return
+	}
+
+	for i := range records {
+		if records[i].Who == permission.GroupPermission {
+			for j := range groups {
+				if records[i].WhoID == groups[j].RefID {
+					records[i].Name = groups[j].Name
+					break
+				}
+			}
+		}
+
+		if records[i].Who == permission.UserPermission {
+			if records[i].WhoID == user.EveryoneUserID {
+				records[i].Name = user.EveryoneUserName
+			} else {
+				u, err := h.Store.User.Get(ctx, records[i].WhoID)
+				if err != nil {
+					h.Runtime.Log.Info(fmt.Sprintf("user not found %s", records[i].WhoID))
+					h.Runtime.Log.Error(method, err)
+					continue
+				}
+
+				records[i].Name = u.Fullname()
+			}
+		}
+	}
+
+	response.WriteJSON(w, records)
 }

 // SetCategoryPermissions persists specified category permissions
@ -405,7 +450,7 @@ func (h *Handler) SetCategoryPermissions(w http.ResponseWriter, r *http.Request)
 		return
 	}

-	var model = []permission.CategoryViewRequestModel{}
+	var model = []permission.CategoryRecord{}
 	err = json.Unmarshal(body, &model)
 	if err != nil {
 		response.WriteServerError(w, method, err)
@ -415,6 +460,7 @@ func (h *Handler) SetCategoryPermissions(w http.ResponseWriter, r *http.Request)

 	if !HasPermission(ctx, *h.Store, spaceID, permission.SpaceManage, permission.SpaceOwner) {
 		response.WriteForbiddenError(w)
+		h.Runtime.Log.Info("no permission to set category permissions")
 		return
 	}

@ -437,8 +483,8 @@ func (h *Handler) SetCategoryPermissions(w http.ResponseWriter, r *http.Request)
 	for _, m := range model {
 		perm := permission.Permission{}
 		perm.OrgID = ctx.OrgID
-		perm.Who = permission.UserPermission
-		perm.WhoID = m.UserID
+		perm.Who = m.Who
+		perm.WhoID = m.WhoID
 		perm.Scope = permission.ScopeRow
 		perm.Location = permission.LocationCategory
 		perm.RefID = m.CategoryID
--- a/domain/permission/mysql/store.go
+++ b/domain/permission/mysql/store.go
@ -112,15 +112,16 @@ func (s Scope) GetSpacePermissions(ctx domain.RequestContext, spaceID string) (r
 func (s Scope) GetCategoryPermissions(ctx domain.RequestContext, catID string) (r []permission.Permission, err error) {
 	err = s.Runtime.Db.Select(&r, `
 		SELECT id, orgid, who, whoid, action, scope, location, refid
-			FROM permission WHERE orgid=? AND location='category' AND refid=? AND who='user'
+			FROM permission
+			WHERE orgid=? AND location='category' AND who='user' AND (refid=? OR refid='0')
 		UNION ALL
 		SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
 			FROM permission p
 			LEFT JOIN rolemember r ON p.whoid=r.roleid
-			WHERE p.orgid=? AND p.location='space' AND p.refid=? AND p.who='role'`,
+			WHERE p.orgid=? AND p.location='category' AND p.who='role' AND (p.refid=? OR p.refid='0')`,
 		ctx.OrgID, catID, ctx.OrgID, catID)

-	if err == sql.ErrNoRows {
+	if err == sql.ErrNoRows || len(r) == 0 {
 		err = nil
 		r = []permission.Permission{}
 	}
@ -137,7 +138,8 @@ func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []us
 		SELECT u.id, IFNULL(u.refid, '') AS refid, IFNULL(u.firstname, '') AS firstname, IFNULL(u.lastname, '') as lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised
 		FROM user u LEFT JOIN account a ON u.refid = a.userid 
 		WHERE a.orgid=? AND a.active=1 AND u.refid IN (
-			SELECT whoid from permission WHERE orgid=? AND who='user' AND location='category' AND refid=?
+			SELECT whoid from permission 
+			WHERE orgid=? AND who='user' AND location='category' AND refid=?
 			UNION ALL
 			SELECT r.userid from rolemember r
 				LEFT JOIN permission p ON p.whoid=r.roleid
@ -147,7 +149,7 @@ func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []us
 		ORDER BY firstname, lastname`,
 		ctx.OrgID, ctx.OrgID, catID, ctx.OrgID, catID)

-	if err == sql.ErrNoRows {
+	if err == sql.ErrNoRows || len(u) == 0 {
 		err = nil
 		u = []user.User{}
 	}
@ -170,7 +172,7 @@ func (s Scope) GetUserCategoryPermissions(ctx domain.RequestContext, userID stri
 			WHERE p.orgid=? AND p.location='category' AND p.who='role' AND (r.userid=? OR r.userid='0')`,
 		ctx.OrgID, userID, ctx.OrgID, userID)

-	if err == sql.ErrNoRows {
+	if err == sql.ErrNoRows || len(r) == 0 {
 		err = nil
 		r = []permission.Permission{}
 	}
--- a/domain/permission/permission.go
+++ b/domain/permission/permission.go
@ -30,7 +30,7 @@ func CanViewSpaceDocument(ctx domain.RequestContext, s domain.Store, labelID str
 	}

 	for _, role := range roles {
-		if role.RefID == labelID && role.Location == "space" && role.Scope == "object" &&
+		if role.RefID == labelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
 			pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {
 			return true
 		}
@ -58,7 +58,7 @@ func CanViewDocument(ctx domain.RequestContext, s domain.Store, documentID strin
 	}

 	for _, role := range roles {
-		if role.RefID == document.LabelID && role.Location == "space" && role.Scope == "object" &&
+		if role.RefID == document.LabelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
 			pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {
 			return true
 		}
@ -88,7 +88,7 @@ func CanChangeDocument(ctx domain.RequestContext, s domain.Store, documentID str
 	}

 	for _, role := range roles {
-		if role.RefID == document.LabelID && role.Location == "space" && role.Scope == "object" && role.Action == pm.DocumentEdit {
+		if role.RefID == document.LabelID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow && role.Action == pm.DocumentEdit {
 			return true
 		}
 	}
@ -136,7 +136,7 @@ func CanUploadDocument(ctx domain.RequestContext, s domain.Store, spaceID string
 	}

 	for _, role := range roles {
-		if role.RefID == spaceID && role.Location == "space" && role.Scope == "object" &&
+		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
 			pm.ContainsPermission(role.Action, pm.DocumentAdd) {
 			return true
 		}
@ -155,7 +155,7 @@ func CanViewSpace(ctx domain.RequestContext, s domain.Store, spaceID string) boo
 		return false
 	}
 	for _, role := range roles {
-		if role.RefID == spaceID && role.Location == "space" && role.Scope == "object" &&
+		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow &&
 			pm.ContainsPermission(role.Action, pm.SpaceView, pm.SpaceManage, pm.SpaceOwner) {
 			return true
 		}
@ -176,7 +176,7 @@ func HasPermission(ctx domain.RequestContext, s domain.Store, spaceID string, ac
 	}

 	for _, role := range roles {
-		if role.RefID == spaceID && role.Location == "space" && role.Scope == "object" {
+		if role.RefID == spaceID && role.Location == pm.LocationSpace && role.Scope == pm.ScopeRow {
 			for _, a := range actions {
 				if role.Action == a {
 					return true