Docker/documize
Docker/documize
1
0
Fork 0
mirror of https://github.com/documize/community.git synced 2025-07-27 09:09:44 +02:00
Code Releases Activity

secure category list when viewing document

Browse source
This commit is contained in:
Harvey Kandola 2017-10-04 14:42:07 -04:00
parent 1d2109aa44
commit ab7a515b9d
3 changed files with 41 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

21
domain/category/endpoint.go
View file

@ -378,7 +378,7 @@ func (h *Handler) SetDocumentCategoryMembership(w http.ResponseWriter, r *http.R
response.WriteEmpty(w) response.WriteEmpty(w)
} }
// GetDocumentCategoryMembership returns categories associated with given document. // GetDocumentCategoryMembership returns user viewable categories associated with a given document.
func (h *Handler) GetDocumentCategoryMembership(w http.ResponseWriter, r *http.Request) { func (h *Handler) GetDocumentCategoryMembership(w http.ResponseWriter, r *http.Request) {
method := "category.GetDocumentCategoryMembership" method := "category.GetDocumentCategoryMembership"
ctx := domain.GetRequestContext(r) ctx := domain.GetRequestContext(r)
@ -412,7 +412,24 @@ func (h *Handler) GetDocumentCategoryMembership(w http.ResponseWriter, r *http.R
cat = []category.Category{} cat = []category.Category{}
} }
response.WriteJSON(w, cat) perm, err := h.Store.Permission.GetUserCategoryPermissions(ctx, ctx.UserID)
if err != nil {
h.Runtime.Log.Error("get user category permissions", err)
response.WriteServerError(w, method, err)
return
}
see := []category.Category{}
for _, c := range cat {
for _, p := range perm {
if p.RefID == c.RefID {
see = append(see, c)
break
}
}
}
response.WriteJSON(w, see)
} }
// GetSpaceCategoryMembers returns category/document associations within space. // GetSpaceCategoryMembers returns category/document associations within space.

21
domain/permission/mysql/store.go
View file

@ -191,3 +191,24 @@ func (s Scope) GetCategoryUsers(ctx domain.RequestContext, catID string) (u []us
return return
} }
// GetUserCategoryPermissions returns category permissions for given user.
func (s Scope) GetUserCategoryPermissions(ctx domain.RequestContext, userID string) (r []permission.Permission, err error) {
err = s.Runtime.Db.Select(&r, `
SELECT id, orgid, who, whoid, action, scope, location, refid
FROM permission WHERE orgid=? AND location='category' AND who='user' AND (whoid=? OR whoid='0')
UNION ALL
SELECT p.id, p.orgid, p.who, p.whoid, p.action, p.scope, p.location, p.refid
FROM permission p LEFT JOIN rolemember r ON p.whoid=r.roleid
WHERE p.orgid=? AND p.location='category' AND p.who='role'`,
ctx.OrgID, userID, ctx.OrgID)
if err == sql.ErrNoRows {
err = nil
}
if err != nil {
err = errors.Wrap(err, fmt.Sprintf("unable to execute select category permissions for user %s", userID))
}
return
}

1
domain/storer.go
View file

@ -93,6 +93,7 @@ type PermissionStorer interface {
DeleteSpaceCategoryPermissions(ctx RequestContext, spaceID string) (rows int64, err error) DeleteSpaceCategoryPermissions(ctx RequestContext, spaceID string) (rows int64, err error)
GetCategoryPermissions(ctx RequestContext, catID string) (r []permission.Permission, err error) GetCategoryPermissions(ctx RequestContext, catID string) (r []permission.Permission, err error)
GetCategoryUsers(ctx RequestContext, catID string) (u []user.User, err error) GetCategoryUsers(ctx RequestContext, catID string) (u []user.User, err error)
GetUserCategoryPermissions(ctx RequestContext, userID string) (r []permission.Permission, err error)
} }
// UserStorer defines required methods for user management // UserStorer defines required methods for user management