refined category permission checks

2025-08-02 20:15:26 +02:00 · 2017-09-21 18:59:43 +01:00 · 2017-09-21 18:59:43 +01:00 · 3a9675eb14
commit 3a9675eb14
parent 4d989e2497
11 changed files with 149 additions and 22 deletions
--- a/domain/category/endpoint.go
+++ b/domain/category/endpoint.go
@ -278,6 +278,37 @@ func (h *Handler) Delete(w http.ResponseWriter, r *http.Request) {
 	response.WriteEmpty(w)
 }

+// GetSummary returns number of documents and users for space categories.
+func (h *Handler) GetSummary(w http.ResponseWriter, r *http.Request) {
+	method := "category.GetSummary"
+	ctx := domain.GetRequestContext(r)
+
+	spaceID := request.Param(r, "spaceID")
+	if len(spaceID) == 0 {
+		response.WriteMissingDataError(w, method, "spaceID")
+		return
+	}
+
+	ok := permission.HasPermission(ctx, *h.Store, spaceID, pm.SpaceManage, pm.SpaceOwner)
+	if !ok || !ctx.Authenticated {
+		response.WriteForbiddenError(w)
+		return
+	}
+
+	s, err := h.Store.Category.GetSpaceCategorySummary(ctx, spaceID)
+	if err != nil {
+		h.Runtime.Log.Error("get space category summary failed", err)
+		response.WriteServerError(w, method, err)
+		return
+	}
+
+	if len(s) == 0 {
+		s = []category.SummaryModel{}
+	}
+
+	response.WriteJSON(w, s)
+}
+
 /*
 	- category view permission handling
 	- filter users using new permission
--- a/domain/category/mysql/store.go
+++ b/domain/category/mysql/store.go
@ -199,3 +199,29 @@ func (s Scope) DeleteBySpace(ctx domain.RequestContext, spaceID string) (rows in
 	s2 := fmt.Sprintf("DELETE FROM category WHERE orgid='%s' AND labelid='%s'", ctx.OrgID, spaceID)
 	return b.DeleteWhere(ctx.Transaction, s2)
 }
+
+// GetSpaceCategorySummary returns number of documents and users for space categories.
+func (s Scope) GetSpaceCategorySummary(ctx domain.RequestContext, spaceID string) (c []category.SummaryModel, err error) {
+	err = s.Runtime.Db.Select(&c, `
+		SELECT 'documents' as type, categoryid, COUNT(*) as count FROM categorymember WHERE orgid=? AND labelid=? GROUP BY categoryid, type
+		UNION ALL
+		SELECT 'users' as type, refid AS categoryid, count(*) AS count FROM permission WHERE orgid=? AND who='user' AND location='category'
+			AND refid IN (SELECT refid FROM category WHERE orgid=? AND labelid=?)
+			GROUP BY refid, type
+		UNION ALL
+		SELECT 'users' as type, p.refid AS categoryid, count(*) AS count FROM rolemember r LEFT JOIN permission p ON p.whoid=r.roleid
+			WHERE p.orgid=? AND p.who='role' AND p.location='category'
+			AND p.refid IN (SELECT refid FROM category WHERE orgid=? AND labelid=?)
+			GROUP BY p.refid, type`,
+		ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, spaceID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category summary for space %s", spaceID))
+		return
+	}
+
+	return
+}
--- a/domain/permission/endpoint.go
+++ b/domain/permission/endpoint.go
@ -273,9 +273,9 @@ func (h *Handler) GetUserSpacePermissions(w http.ResponseWriter, r *http.Request
 	response.WriteJSON(w, record)
 }

-// GetCategoryPermissions returns user permissions for given category.
-func (h *Handler) GetCategoryPermissions(w http.ResponseWriter, r *http.Request) {
-	method := "space.GetCategoryPermissions"
+// GetCategoryViewers returns user permissions for given category.
+func (h *Handler) GetCategoryViewers(w http.ResponseWriter, r *http.Request) {
+	method := "space.GetCategoryViewers"
 	ctx := domain.GetRequestContext(r)

 	categoryID := request.Param(r, "categoryID")
@ -296,6 +296,29 @@ func (h *Handler) GetCategoryPermissions(w http.ResponseWriter, r *http.Request)
 	response.WriteJSON(w, u)
 }

+// GetCategoryPermissions returns user permissions for given category.
+func (h *Handler) GetCategoryPermissions(w http.ResponseWriter, r *http.Request) {
+	method := "space.GetCategoryPermissions"
+	ctx := domain.GetRequestContext(r)
+
+	categoryID := request.Param(r, "categoryID")
+	if len(categoryID) == 0 {
+		response.WriteMissingDataError(w, method, "categoryID")
+		return
+	}
+
+	u, err := h.Store.Permission.GetCategoryPermissions(ctx, categoryID)
+	if err != nil && err != sql.ErrNoRows {
+		response.WriteServerError(w, method, err)
+		return
+	}
+	if len(u) == 0 {
+		u = []permission.Permission{}
+	}
+
+	response.WriteJSON(w, u)
+}
+
 // SetCategoryPermissions persists specified category permissions
 func (h *Handler) SetCategoryPermissions(w http.ResponseWriter, r *http.Request) {
 	method := "permission.SetCategoryPermissions"
--- a/domain/permission/mysql/store.go
+++ b/domain/permission/mysql/store.go
@ -182,9 +182,9 @@ func (s Scope) GetCategoryPermissions(ctx domain.RequestContext, catID string) (
 // GetCategoryUsers returns space permissions for all users.
 func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []user.User, err error) {
 	err = s.Runtime.Db.Select(&u, `
-		SELECT u.id, u.refid, u.firstname, u.lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised
-		FROM user u, account a
-		WHERE a.orgid=? AND u.refid = a.userid AND a.active=1 AND u.refid IN (
+		SELECT u.id, IFNULL(u.refid, '') AS refid, IFNULL(u.firstname, '') AS firstname, IFNULL(u.lastname, '') as lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised
+		FROM user u LEFT JOIN account a ON u.refid = a.userid 
+		WHERE a.orgid=? AND a.active=1 AND u.refid IN (
 			SELECT whoid from permission WHERE orgid=? AND who='user' AND location='category' AND refid=? UNION ALL
 			SELECT r.userid from rolemember r LEFT JOIN permission p ON p.whoid=r.roleid WHERE p.orgid=? AND p.who='role' 
 				AND p.location='category' AND p.refid=?
@ -197,7 +197,7 @@ func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []us
 		err = nil
 	}
 	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category user %s", catID))
+		err = errors.Wrap(err, fmt.Sprintf("unable to execute select users for category %s", catID))
 		return
 	}

--- a/domain/storer.go
+++ b/domain/storer.go
@ -68,6 +68,7 @@ type CategoryStorer interface {
 	Get(ctx RequestContext, id string) (c category.Category, err error)
 	GetBySpace(ctx RequestContext, spaceID string) (c []category.Category, err error)
 	GetAllBySpace(ctx RequestContext, spaceID string) (c []category.Category, err error)
+	GetSpaceCategorySummary(ctx RequestContext, spaceID string) (c []category.SummaryModel, err error)
 	Delete(ctx RequestContext, id string) (rows int64, err error)
 	AssociateDocument(ctx RequestContext, m category.Member) (err error)
 	DisassociateDocument(ctx RequestContext, categoryID, documentID string) (rows int64, err error)