Docker/documize
Docker/documize
1
0
Fork 0
mirror of https://github.com/documize/community.git synced 2025-07-21 14:19:43 +02:00
Code Releases Activity

Ensure doc protected from non-category viewers

Browse source 
Closes #310
This commit is contained in:
HarveyKandola 2019-08-27 15:24:59 +01:00
parent 29d7307537
commit 3b76e10ee0
3 changed files with 37 additions and 5 deletions
Download patch file Download diff file Expand all files Collapse all files

6
domain/category/store.go
View file

@ -262,8 +262,6 @@ func (s Store) GetSpaceCategorySummary(ctx domain.RequestContext, spaceID string
// GetDocumentCategoryMembership returns all space categories associated with given document. // GetDocumentCategoryMembership returns all space categories associated with given document.
func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, documentID string) (c []category.Category, err error) { func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, documentID string) (c []category.Category, err error) {
c = []category.Category{}
err = s.Runtime.Db.Select(&c, s.Bind(` err = s.Runtime.Db.Select(&c, s.Bind(`
SELECT id, c_refid AS refid, c_orgid AS orgid, c_spaceid AS spaceid, c_name AS name, c_created AS created, c_revised AS revised SELECT id, c_refid AS refid, c_orgid AS orgid, c_spaceid AS spaceid, c_name AS name, c_created AS created, c_revised AS revised
FROM dmz_category FROM dmz_category
@ -272,6 +270,7 @@ func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, document
if err == sql.ErrNoRows { if err == sql.ErrNoRows {
err = nil err = nil
c = []category.Category{}
} }
if err != nil { if err != nil {
err = errors.Wrap(err, fmt.Sprintf("unable to execute select categories for document %s", documentID)) err = errors.Wrap(err, fmt.Sprintf("unable to execute select categories for document %s", documentID))
@ -280,7 +279,8 @@ func (s Store) GetDocumentCategoryMembership(ctx domain.RequestContext, document
return return
} }
// GetSpaceCategoryMembership returns category/document associations within space. // GetSpaceCategoryMembership returns category/document associations within space,
// for specified user.
func (s Store) GetSpaceCategoryMembership(ctx domain.RequestContext, spaceID string) (c []category.Member, err error) { func (s Store) GetSpaceCategoryMembership(ctx domain.RequestContext, spaceID string) (c []category.Member, err error) {
err = s.Runtime.Db.Select(&c, s.Bind(` err = s.Runtime.Db.Select(&c, s.Bind(`
SELECT id, c_refid AS refid, c_orgid AS orgid, c_spaceid AS spaceid, c_categoryid AS categoryid, c_docid AS documentid, c_created AS created, c_revised AS revised SELECT id, c_refid AS refid, c_orgid AS orgid, c_spaceid AS spaceid, c_categoryid AS categoryid, c_docid AS documentid, c_created AS created, c_revised AS revised

35
domain/document/endpoint.go
View file

@ -33,6 +33,7 @@ import (
"github.com/documize/community/model/activity" "github.com/documize/community/model/activity"
"github.com/documize/community/model/attachment" "github.com/documize/community/model/attachment"
"github.com/documize/community/model/audit" "github.com/documize/community/model/audit"
"github.com/documize/community/model/category"
"github.com/documize/community/model/doc" "github.com/documize/community/model/doc"
"github.com/documize/community/model/link" "github.com/documize/community/model/link"
"github.com/documize/community/model/page" "github.com/documize/community/model/page"
@ -556,7 +557,6 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
return return
} }
// document
document, err := h.Store.Document.Get(ctx, id) document, err := h.Store.Document.Get(ctx, id)
if err == sql.ErrNoRows { if err == sql.ErrNoRows {
response.WriteNotFoundError(w, method, id) response.WriteNotFoundError(w, method, id)
@ -573,7 +573,7 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
return return
} }
// Don't serve archived document // Don't serve archived document.
if document.Lifecycle == workflow.LifecycleArchived { if document.Lifecycle == workflow.LifecycleArchived {
response.WriteForbiddenError(w) response.WriteForbiddenError(w)
return return
@ -585,6 +585,37 @@ func (h *Handler) FetchDocumentData(w http.ResponseWriter, r *http.Request) {
return return
} }
// If document has been assigned one or more categories,
// we check to see if user can view this document.
cat, err := h.Store.Category.GetDocumentCategoryMembership(ctx, document.RefID)
if err != nil && err != sql.ErrNoRows {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
perm, err := h.Store.Permission.GetUserCategoryPermissions(ctx, ctx.UserID)
if err != nil && err != sql.ErrNoRows {
response.WriteServerError(w, method, err)
h.Runtime.Log.Error(method, err)
return
}
see := []category.Category{}
for _, c := range cat {
for _, p := range perm {
if p.RefID == c.RefID {
see = append(see, c)
break
}
}
}
// User cannot view document if document has categories assigned
// but user cannot see any of them.
if len(cat) > 0 && len(see) == 0 {
response.WriteForbiddenError(w)
return
}
// permissions // permissions
perms, err := h.Store.Permission.GetUserSpacePermissions(ctx, document.SpaceID) perms, err := h.Store.Permission.GetUserSpacePermissions(ctx, document.SpaceID)
if err != nil && err != sql.ErrNoRows { if err != nil && err != sql.ErrNoRows {

1
domain/permission/store.go
View file

@ -205,6 +205,7 @@ func (s Store) GetUserCategoryPermissions(ctx domain.RequestContext, userID stri
if err == sql.ErrNoRows { if err == sql.ErrNoRows {
err = nil err = nil
r = []permission.Permission{}
} }
if err != nil { if err != nil {
err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID)) err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))