
restrict user lists based on account.users permission

This commit is contained in:
Harvey Kandola 2017-09-22 10:22:52 +01:00
parent b56d3426d2
commit 508ec00c6a
9 changed files with 37 additions and 44 deletions


@ -310,8 +310,6 @@ func (h *Handler) GetSummary(w http.ResponseWriter, r *http.Request) {
}
/*
- filter users using account.users = true/false
- link/unlink document to category
- check print/pdf
- filter space documents by category -- URL param? nested route?
*/


@ -35,7 +35,6 @@ import (
"github.com/documize/community/domain/organization"
"github.com/documize/community/model/account"
"github.com/documize/community/model/audit"
"github.com/documize/community/model/space"
"github.com/documize/community/model/user"
)
@ -244,7 +243,6 @@ func (h *Handler) GetOrganizationUsers(w http.ResponseWriter, r *http.Request) {
h.Runtime.Log.Error(method, err)
return
}
} else {
u, err = h.Store.User.GetUsersForOrganization(ctx)
if err != nil && err != sql.ErrNoRows {
@ -273,45 +271,43 @@ func (h *Handler) GetSpaceUsers(w http.ResponseWriter, r *http.Request) {
var u []user.User
var err error
folderID := request.Param(r, "folderID")
if len(folderID) == 0 {
response.WriteMissingDataError(w, method, "folderID")
spaceID := request.Param(r, "spaceID")
if len(spaceID) == 0 {
response.WriteMissingDataError(w, method, "spaceID")
return
}
// check to see space type as it determines user selection criteria
folder, err := h.Store.Space.Get(ctx, folderID)
// Get user account as we need to know if user can see all users.
// account.users == false means we restrict viewing to just space users
account, err := h.Store.Account.GetUserAccount(ctx, ctx.UserID)
if err != nil && err != sql.ErrNoRows {
response.WriteJSON(w, u)
h.Runtime.Log.Error(method, err)
return
}
switch folder.Type {
case space.ScopePublic:
if account.Users {
// can see all users
u, err = h.Store.User.GetActiveUsersForOrganization(ctx)
break
case space.ScopePrivate:
// just me
var me user.User
me, err = h.Store.User.Get(ctx, ctx.UserID)
u = append(u, me)
break
case space.ScopeRestricted:
u, err = h.Store.User.GetSpaceUsers(ctx, folderID)
break
if err != nil && err != sql.ErrNoRows {
response.WriteJSON(w, u)
h.Runtime.Log.Error(method, err)
return
}
} else {
// send back existing space users
u, err = h.Store.User.GetSpaceUsers(ctx, spaceID)
if err != nil && err != sql.ErrNoRows {
response.WriteJSON(w, u)
h.Runtime.Log.Error(method, err)
return
}
}
if len(u) == 0 {
u = []user.User{}
}
if err != nil && err != sql.ErrNoRows {
response.WriteJSON(w, u)
h.Runtime.Log.Error(method, err)
return
}
response.WriteJSON(w, u)
}
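Review bot: The rewritten GetSpaceUsers no longer loads the space or checks that the caller may view `spaceID`; it branches only on the caller's own `account.Users` flag, so any authenticated member of the org can enumerate the membership of any space by ID through the else branch calling `h.Store.User.GetSpaceUsers(ctx, spaceID)` (the store query visible in the next file filters by orgid and the space's permission rows, not by who is asking). Unless a permission check already runs before this handler, verify the caller has view rights on `spaceID` ahead of both branches and write a forbidden response otherwise. The `sql.ErrNoRows` path leaves `account` zero-valued, so `account.Users == false` fails closed to the space-only list; that is a reasonable default but deserves a comment such as `// no account row: fall through to the restricted (space-only) view`. Separately, the new store-side `GetSpaceUsers` SELECT this branch depends on appears to be missing a comma between `u.global` and `a.active`, which would make the query fail at runtime — worth confirming.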


@ -173,7 +173,9 @@ func (s Scope) GetActiveUsersForOrganization(ctx domain.RequestContext) (u []use
// identified in the Persister.
func (s Scope) GetUsersForOrganization(ctx domain.RequestContext) (u []user.User, err error) {
err = s.Runtime.Db.Select(&u,
"SELECT id, refid, firstname, lastname, email, initials, password, salt, reset, created, revised FROM user WHERE refid IN (SELECT userid FROM account where orgid = ?) ORDER BY firstname,lastname", ctx.OrgID)
`SELECT id, refid, firstname, lastname, email, initials, password, salt, reset, created, revised
FROM user WHERE refid IN (SELECT userid FROM account where orgid = ?)
ORDER BY firstname,lastname`, ctx.OrgID)
if err != nil {
err = errors.Wrap(err, fmt.Sprintf(" get users for org %s", ctx.OrgID))
@ -186,7 +188,8 @@ func (s Scope) GetUsersForOrganization(ctx domain.RequestContext) (u []user.User
// GetSpaceUsers returns a slice containing all user records for given folder.
func (s Scope) GetSpaceUsers(ctx domain.RequestContext, spaceID string) (u []user.User, err error) {
err = s.Runtime.Db.Select(&u, `
SELECT u.id, u.refid, u.firstname, u.lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised
SELECT u.id, u.refid, u.firstname, u.lastname, u.email, u.initials, u.password, u.salt, u.reset, u.created, u.revised, u.global
a.active, a.users AS viewusers, a.editor, a.admin
FROM user u, account a
WHERE a.orgid=? AND u.refid = a.userid AND a.active=1 AND u.refid IN (
SELECT whoid from permission WHERE orgid=? AND who='user' AND scope='object' AND location='space' AND refid=? UNION ALL