document list: show by selected space/category

domain/category/endpoint.go

@@ -415,6 +415,32 @@ func (h *Handler) GetDocumentCategoryMembership(w http.ResponseWriter, r *http.R
 	response.WriteJSON(w, cat)
 }
 
-/*
-	- filter space documents by category -- URL param? nested route?
-*/
+// GetSpaceCategoryMembers returns category/document associations within space.
+func (h *Handler) GetSpaceCategoryMembers(w http.ResponseWriter, r *http.Request) {
+	method := "category.GetSpaceCategoryMembers"
+	ctx := domain.GetRequestContext(r)
+
+	spaceID := request.Param(r, "spaceID")
+	if len(spaceID) == 0 {
+		response.WriteMissingDataError(w, method, "spaceID")
+		return
+	}
+
+	if !permission.HasPermission(ctx, *h.Store, spaceID, pm.SpaceView) {
+		response.WriteForbiddenError(w)
+		return
+	}
+
+	cat, err := h.Store.Category.GetSpaceCategoryMembership(ctx, spaceID)
+	if err != nil && err != sql.ErrNoRows {
+		h.Runtime.Log.Error("get document category membership for space", err)
+		response.WriteServerError(w, method, err)
+		return
+	}
+
+	if len(cat) == 0 {
+		cat = []category.Member{}
+	}
+
+	response.WriteJSON(w, cat)
+}

domain/category/mysql/store.go

@@ -45,7 +45,7 @@ func (s Scope) Add(ctx domain.RequestContext, c category.Category) (err error) {
 	return
 }
 
-// GetBySpace returns space categories for a user.
+// GetBySpace returns space categories accessible by user.
 // Context is used to for user ID.
 func (s Scope) GetBySpace(ctx domain.RequestContext, spaceID string) (c []category.Category, err error) {
 	err = s.Runtime.Db.Select(&c, `
@@ -185,7 +185,7 @@ func (s Scope) GetSpaceCategorySummary(ctx domain.RequestContext, spaceID string
 		err = nil
 	}
 	if err != nil {
-		err = errors.Wrap(err, fmt.Sprintf("unable to execute select category summary for space %s", spaceID))
+		err = errors.Wrap(err, fmt.Sprintf("select category summary for space %s", spaceID))
 	}
 
 	return
@@ -206,3 +206,25 @@ func (s Scope) GetDocumentCategoryMembership(ctx domain.RequestContext, document
 
 	return
 }
+
+// GetSpaceCategoryMembership returns category/document associations within space.
+func (s Scope) GetSpaceCategoryMembership(ctx domain.RequestContext, spaceID string) (c []category.Member, err error) {
+	err = s.Runtime.Db.Select(&c, `
+		SELECT id, refid, orgid, labelid, categoryid, documentid, created, revised FROM categorymember
+		WHERE orgid=? AND labelid=?
+			  AND labelid IN (SELECT refid FROM permission WHERE orgid=? AND location='space' AND refid IN (
+				SELECT refid from permission WHERE orgid=? AND who='user' AND whoid=? AND location='space' UNION ALL
+				SELECT p.refid from permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.who='role' AND p.location='space' 
+					AND p.action='view' AND r.userid=?
+		))
+	  ORDER BY documentid`, ctx.OrgID, spaceID, ctx.OrgID, ctx.OrgID, ctx.UserID, ctx.OrgID, ctx.UserID)
+
+	if err == sql.ErrNoRows {
+		err = nil
+	}
+	if err != nil {
+		err = errors.Wrap(err, fmt.Sprintf("select all category/document membership for space %s", spaceID))
+	}
+
+	return
+}

domain/document/endpoint.go

@@ -137,11 +137,10 @@ func (h *Handler) DocumentLinks(w http.ResponseWriter, r *http.Request) {
 
 // BySpace is an endpoint that returns the documents for given space.
 func (h *Handler) BySpace(w http.ResponseWriter, r *http.Request) {
-	method := "document.space"
+	method := "document.BySpace"
 	ctx := domain.GetRequestContext(r)
 
 	spaceID := request.Query(r, "space")
-
 	if len(spaceID) == 0 {
 		response.WriteMissingDataError(w, method, "space")
 		return
@@ -152,45 +151,47 @@ func (h *Handler) BySpace(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	// get complete list of documents
 	documents, err := h.Store.Document.GetBySpace(ctx, spaceID)
-
-	if len(documents) == 0 {
-		documents = []doc.Document{}
-	}
-
 	if err != nil && err != sql.ErrNoRows {
 		response.WriteServerError(w, method, err)
 		h.Runtime.Log.Error(method, err)
 		return
 	}
-
-	response.WriteJSON(w, documents)
-}
-
-// ByTag is an endpoint that returns the documents with a given tag.
-func (h *Handler) ByTag(w http.ResponseWriter, r *http.Request) {
-	method := "document.space"
-	ctx := domain.GetRequestContext(r)
-
-	tag := request.Query(r, "tag")
-	if len(tag) == 0 {
-		response.WriteMissingDataError(w, method, "tag")
-		return
-	}
-
-	documents, err := h.Store.Document.GetByTag(ctx, tag)
-
 	if len(documents) == 0 {
 		documents = []doc.Document{}
 	}
 
-	if err != nil && err != sql.ErrNoRows {
-		response.WriteServerError(w, method, err)
-		h.Runtime.Log.Error(method, err)
-		return
+	// remove documents that cannot be seen due to lack of
+	// category view/access permission
+	filtered := []doc.Document{}
+	cats, err := h.Store.Category.GetBySpace(ctx, spaceID)
+	members, err := h.Store.Category.GetSpaceCategoryMembership(ctx, spaceID)
+
+	for _, doc := range documents {
+		hasCategory := false
+		canSeeCategory := false
+
+	OUTER:
+
+		for _, m := range members {
+			if m.DocumentID == doc.RefID {
+				hasCategory = true
+				for _, cat := range cats {
+					if cat.RefID == m.CategoryID {
+						canSeeCategory = true
+						continue OUTER
+					}
+				}
+			}
+		}
+
+		if !hasCategory || canSeeCategory {
+			filtered = append(filtered, doc)
+		}
 	}
 
-	response.WriteJSON(w, documents)
+	response.WriteJSON(w, filtered)
 }
 
 // Update updates an existing document using the

domain/document/mysql/store.go

@@ -101,9 +101,22 @@ func (s Scope) GetAll() (ctx domain.RequestContext, documents []doc.Document, er
 	return
 }
 
-// GetBySpace returns a slice containing the documents for a given space, most recient first.
-func (s Scope) GetBySpace(ctx domain.RequestContext, folderID string) (documents []doc.Document, err error) {
-	err = s.Runtime.Db.Select(&documents, "SELECT id, refid, orgid, labelid, userid, job, location, title, excerpt, slug, tags, template, layout, created, revised FROM document WHERE orgid=? AND template=0 AND labelid=? ORDER BY revised DESC", ctx.OrgID, folderID)
+// GetBySpace returns a slice containing the documents for a given space.
+// No attempt is made to hide documents that are protected
+// by category permissions -- caller must filter as required.
+func (s Scope) GetBySpace(ctx domain.RequestContext, spaceID string) (documents []doc.Document, err error) {
+	err = s.Runtime.Db.Select(&documents, `
+		SELECT id, refid, orgid, labelid, userid, job, location, title, excerpt, slug, tags, template, layout, created, revised
+		FROM document
+		WHERE orgid=? AND template=0 AND labelid IN (
+			SELECT refid FROM label WHERE orgid=? AND refid IN 
+				(SELECT refid FROM permission WHERE orgid=? AND location='space' AND refid=? AND refid IN (
+						SELECT refid from permission WHERE orgid=? AND who='user' AND whoid=? AND location='space' UNION ALL
+						SELECT p.refid from permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? 
+						AND p.who='role' AND p.location='space' AND p.refid=? AND p.action='view' AND r.userid=?
+				))
+		)
+		ORDER BY title`, ctx.OrgID, ctx.OrgID, ctx.OrgID, spaceID, ctx.OrgID, ctx.UserID, ctx.OrgID, spaceID, ctx.UserID)
 
 	if err != nil {
 		err = errors.Wrap(err, "select documents by space")
@@ -112,31 +125,6 @@ func (s Scope) GetBySpace(ctx domain.RequestContext, folderID string) (documents
 	return
 }
 
-// GetByTag returns a slice containing the documents with the specified tag, in title order.
-func (s Scope) GetByTag(ctx domain.RequestContext, tag string) (documents []doc.Document, err error) {
-	tagQuery := "tags LIKE '%#" + tag + "#%'"
-
-	err = s.Runtime.Db.Select(&documents, `
-		SELECT id, refid, orgid, labelid, userid, job, location, title, excerpt, slug, tags, template, layout, created, revised FROM document WHERE orgid=? AND template=0 AND `+tagQuery+` 
-		AND labelid IN
-			(
-				SELECT refid FROM label WHERE orgid=?
-				AND refid IN (SELECT refid FROM permission WHERE orgid=? AND location='space' AND refid IN (
-					SELECT refid from permission WHERE orgid=? AND who='user' AND whoid=? AND location='space'
-					UNION ALL
-					SELECT p.refid from permission p LEFT JOIN rolemember r ON p.whoid=r.roleid WHERE p.orgid=? AND p.who='role' AND p.location='space' AND p.action='view' AND r.userid=?
-				))
-			)
-		ORDER BY title
-		`, ctx.OrgID, ctx.OrgID, ctx.OrgID, ctx.OrgID, ctx.UserID, ctx.OrgID, ctx.UserID)
-
-	if err != nil {
-		err = errors.Wrap(err, "select documents by tag")
-	}
-
-	return
-}
-
 // Templates returns a slice containing the documents available as templates to the client's organisation, in title order.
 func (s Scope) Templates(ctx domain.RequestContext) (documents []doc.Document, err error) {
 	err = s.Runtime.Db.Select(&documents,

domain/space/endpoint.go

@@ -811,4 +811,4 @@ func (h *Handler) Invite(w http.ResponseWriter, r *http.Request) {
 	ctx.Transaction.Commit()
 
 	response.WriteEmpty(w)
-}
+}

domain/storer.go

@@ -75,6 +75,7 @@ type CategoryStorer interface {
 	RemoveCategoryMembership(ctx RequestContext, categoryID string) (rows int64, err error)
 	DeleteBySpace(ctx RequestContext, spaceID string) (rows int64, err error)
 	GetDocumentCategoryMembership(ctx RequestContext, documentID string) (c []category.Category, err error)
+	GetSpaceCategoryMembership(ctx RequestContext, spaceID string) (c []category.Member, err error)
 }
 
 // PermissionStorer defines required methods for space/document permission management
@@ -157,8 +158,7 @@ type DocumentStorer interface {
 	Add(ctx RequestContext, document doc.Document) (err error)
 	Get(ctx RequestContext, id string) (document doc.Document, err error)
 	GetAll() (ctx RequestContext, documents []doc.Document, err error)
-	GetBySpace(ctx RequestContext, folderID string) (documents []doc.Document, err error)
-	GetByTag(ctx RequestContext, tag string) (documents []doc.Document, err error)
+	GetBySpace(ctx RequestContext, spaceID string) (documents []doc.Document, err error)
 	DocumentList(ctx RequestContext) (documents []doc.Document, err error)
 	Templates(ctx RequestContext) (documents []doc.Document, err error)
 	TemplatesBySpace(ctx RequestContext, spaceID string) (documents []doc.Document, err error)