3pp-mirror/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-05-29 13:46:12 +02:00
Code Issues Projects Releases Packages Wiki Activity

Add viewer only mode on webhook

Browse source
This commit is contained in:
Eva Marco 2024-10-10 14:02:05 +02:00 committed by Pablo Alba
parent 823792339f
commit 043c4105db
11 changed files with 223 additions and 46 deletions
Download patch file Download diff file Expand all files Collapse all files

5
backend/src/app/migrations.clj
View file

@ -412,7 +412,10 @@
:fn (mg/resource "app/migrations/sql/0129-mod-file-change-table.sql")}
{:name "0130-mod-file-change-table"
:fn (mg/resource "app/migrations/sql/0130-mod-file-change-table.sql")}])
:fn (mg/resource "app/migrations/sql/0130-mod-file-change-table.sql")}
{:name "0131-mod-webhook-table"
:fn (mg/resource "app/migrations/sql/0131-mod-webhook-table.sql")}])
(defn apply-migrations!
[pool name migrations]

6
backend/src/app/migrations/sql/0131-mod-webhook-table.sql Normal file
View file

@ -0,0 +1,6 @@
ALTER TABLE webhook
ADD COLUMN profile_id uuid NULL REFERENCES profile (id) ON DELETE SET NULL;
CREATE INDEX webhook__profile_id__idx
ON webhook (profile_id)
WHERE profile_id IS NOT NULL;

32
backend/src/app/rpc/commands/webhooks.clj
View file

@ -15,12 +15,27 @@
[app.http.client :as http]
[app.loggers.webhooks :as webhooks]
[app.rpc :as-alias rpc]
[app.rpc.commands.teams :refer [check-edition-permissions! check-read-permissions!]]
[app.rpc.commands.teams :refer [check-read-permissions!] :as t]
[app.rpc.doc :as-alias doc]
[app.rpc.permissions :as perms]
[app.util.services :as sv]
[app.util.time :as dt]
[cuerdas.core :as str]))
(defn get-webhooks-permissions
[conn profile-id team-id creator-id]
(let [permissions (t/get-permissions conn profile-id team-id)
can-edit (boolean (or (:can-edit permissions)
(= profile-id creator-id)))]
(assoc permissions :can-edit can-edit)))
(def has-webhook-edit-permissions?
(perms/make-edition-predicate-fn get-webhooks-permissions))
(def check-webhook-edition-permissions!
(perms/make-check-fn has-webhook-edit-permissions?))
(defn decode-row
[{:keys [uri] :as row}]
(cond-> row
@ -65,11 +80,12 @@
max-hooks-for-team)))))
(defn- insert-webhook!
[{:keys [::db/pool]} {:keys [team-id uri mtype is-active] :as params}]
[{:keys [::db/pool]} {:keys [team-id uri mtype is-active ::rpc/profile-id] :as params}]
(-> (db/insert! pool :webhook
{:id (uuid/next)
:team-id team-id
:uri (str uri)
:profile-id profile-id
:is-active is-active
:mtype mtype})
(decode-row)))
@ -101,7 +117,7 @@
{::doc/added "1.17"
::sm/params schema:create-webhook}
[{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id team-id] :as params}]
(check-edition-permissions! pool profile-id team-id)
(check-webhook-edition-permissions! pool profile-id team-id profile-id)
(validate-quotes! cfg params)
(validate-webhook! cfg nil params)
(insert-webhook! cfg params))
@ -118,7 +134,7 @@
::sm/params schema:update-webhook}
[{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id id] :as params}]
(let [whook (-> (db/get pool :webhook {:id id}) (decode-row))]
(check-edition-permissions! pool profile-id (:team-id whook))
(check-webhook-edition-permissions! pool profile-id (:team-id whook) (:profile-id whook))
(validate-webhook! cfg whook params)
(update-webhook! cfg whook params)))
@ -132,15 +148,17 @@
[{:keys [::db/pool] :as cfg} {:keys [::rpc/profile-id id]}]
(db/with-atomic [conn pool]
(let [whook (-> (db/get conn :webhook {:id id}) decode-row)]
(check-edition-permissions! conn profile-id (:team-id whook))
(check-webhook-edition-permissions! conn profile-id (:team-id whook) (:profile-id whook))
(db/delete! conn :webhook {:id id})
nil)))
;; --- Query: Webhooks
(def sql:get-webhooks
"select id, uri, mtype, is_active, error_code, error_count
from webhook where team_id = ? order by uri")
"SELECT id, uri, mtype, is_active, error_code, error_count, profile_id
FROM webhook
WHERE team_id = ?
ORDER BY uri")
(def ^:private schema:get-webhooks
[:map {:title "get-webhooks"}

1
backend/test/backend_tests/helpers.clj
View file

@ -332,6 +332,7 @@
(t/is (nil? (:error out)))
(:result out)))
(defn create-webhook*
([params] (create-webhook* *system* params))
([system {:keys [team-id id uri mtype is-active]

156
backend/test/backend_tests/rpc_webhooks_test.clj
View file

@ -19,6 +19,23 @@
(t/use-fixtures :once th/state-init)
(t/use-fixtures :each th/database-reset)
(defn create-webhook-params [id team]
{::th/type :create-webhook
::rpc/profile-id id
:team-id team
:uri (u/uri "http://example.com")
:mtype "application/json"})
(defn check-webhook-format
([result]
(t/is (contains? result :id))
(t/is (contains? result :team-id))
(t/is (contains? result :created-at))
(t/is (contains? result :profile-id))
(t/is (contains? result :updated-at))
(t/is (contains? result :uri))
(t/is (contains? result :mtype))))
(t/deftest webhook-crud
(with-mocks [http-mock {:target 'app.http.client/req!
:return {:status 200}}]
@ -39,15 +56,8 @@
(t/is (nil? (:error out)))
(t/is (= 1 (:call-count @http-mock)))
;; (th/print-result! out)
(let [result (:result out)]
(t/is (contains? result :id))
(t/is (contains? result :team-id))
(t/is (contains? result :created-at))
(t/is (contains? result :updated-at))
(t/is (contains? result :uri))
(t/is (contains? result :mtype))
(check-webhook-format result)
(t/is (= (:uri params) (:uri result)))
(t/is (= (:team-id params) (:team-id result)))
@ -69,12 +79,7 @@
(t/is (= 0 (:call-count @http-mock)))
(let [result (:result out)]
(t/is (contains? result :id))
(t/is (contains? result :team-id))
(t/is (contains? result :created-at))
(t/is (contains? result :updated-at))
(t/is (contains? result :uri))
(t/is (contains? result :mtype))
(check-webhook-format result)
(t/is (= (:id params) (:id result)))
(t/is (= (:id @whook) (:id result)))
@ -130,13 +135,14 @@
(let [rows (th/db-exec! ["select * from webhook"])]
(t/is (= 0 (count rows))))))
(t/testing "delete webhook (unauthorozed)"
(th/reset-mock! http-mock)
(t/testing "delete webhook (unauthorized)"
(let [params {::th/type :delete-webhook
::rpc/profile-id uuid/zero
:id (:id @whook)}
out (th/command! params)]
;; (th/print-result! out)
(t/is (= 0 (:call-count @http-mock)))
(let [error (:error out)
error-data (ex-data error)]
@ -144,6 +150,124 @@
(t/is (= (:type error-data) :not-found))
(t/is (= (:code error-data) :object-not-found))))))))
(t/deftest webhooks-permissions-crud-viewer-only
(with-mocks [http-mock {:target 'app.http.client/req!
:return {:status 200}}]
(let [owner (th/create-profile* 1 {:is-active true})
viewer (th/create-profile* 2 {:is-active true})
team (th/create-team* 1 {:profile-id (:id owner)})
whook (volatile! nil)]
(th/create-team-role* {:team-id (:id team)
:profile-id (:id viewer)
:role :viewer})
;; Assert all roles for team
(let [roles (th/db-query :team-profile-rel {:team-id (:id team)})]
(t/is (= 2 (count roles))))
(t/testing "viewer creates a webhook"
(let [viewers-webhook (create-webhook-params (:id viewer) (:id team))
out (th/command! viewers-webhook)]
(t/is (nil? (:error out)))
(t/is (= 1 (:call-count @http-mock)))
(let [result (:result out)]
(check-webhook-format result)
(t/is (= (:uri viewers-webhook) (:uri result)))
(t/is (= (:team-id viewers-webhook) (:team-id result)))
(t/is (= (::rpc/profile-id viewers-webhook) (:profile-id result)))
(t/is (= (:mtype viewers-webhook) (:mtype result)))
(vreset! whook result))))
(th/reset-mock! http-mock)
(t/testing "viewer updates it's own webhook (success)"
(let [params {::th/type :update-webhook
::rpc/profile-id (:id viewer)
:id (:id @whook)
:uri (:uri @whook)
:mtype "application/transit+json"
:is-active false}
out (th/command! params)
result (:result out)]
(t/is (nil? (:error out)))
(t/is (= 0 (:call-count @http-mock)))
(check-webhook-format result)
(t/is (= (:is-active params) (:is-active result)))
(t/is (= (:team-id @whook) (:team-id result)))
(t/is (= (:mtype params) (:mtype result)))
(vreset! whook result)))
(th/reset-mock! http-mock)
(t/testing "viewer deletes it's own webhook (success)"
(let [params {::th/type :delete-webhook
::rpc/profile-id (:id viewer)
:id (:id @whook)}
out (th/command! params)]
(t/is (= 0 (:call-count @http-mock)))
(t/is (nil? (:error out)))
(t/is (nil? (:result out)))
(let [rows (th/db-exec! ["select * from webhook"])]
(t/is (= 0 (count rows))))))
(th/reset-mock! http-mock))))
(t/deftest webhooks-permissions-crud-viewer-owner
(with-mocks [http-mock {:target 'app.http.client/req!
:return {:status 200}}]
(let [owner (th/create-profile* 1 {:is-active true})
viewer (th/create-profile* 2 {:is-active true})
team (th/create-team* 1 {:profile-id (:id owner)})
whook (volatile! nil)]
(th/create-team-role* {:team-id (:id team)
:profile-id (:id viewer)
:role :viewer})
(t/testing "owner creates a wehbook"
(let [owners-webhook (create-webhook-params (:id owner) (:id team))
out (th/command! owners-webhook)
result (:result out)]
(t/is (nil? (:error out)))
(t/is (= 1 (:call-count @http-mock)))
(check-webhook-format result)
(t/is (= (:uri owners-webhook) (:uri result)))
(t/is (= (:team-id owners-webhook) (:team-id result)))
(t/is (= (:mtype owners-webhook) (:mtype result)))
(vreset! whook result)))
(th/reset-mock! http-mock)
(t/testing "viewer updates owner's webhook (unauthorized)"
(let [params {::th/type :update-webhook
::rpc/profile-id (:id viewer)
:id (:id @whook)
:uri (str (:uri @whook) "/test")
:mtype "application/transit+json"
:is-active false}
out (th/command! params)]
(t/is (= 0 (:call-count @http-mock)))
(let [error (:error out)
error-data (ex-data error)]
(t/is (th/ex-info? error))
(t/is (= (:type error-data) :not-found))
(t/is (= (:code error-data) :object-not-found)))))
(th/reset-mock! http-mock)
(t/testing "viewer deletes owner's webhook (unauthorized)"
(let [params {::th/type :delete-webhook
::rpc/profile-id (:id viewer)
:id (:id @whook)}
out (th/command! params)
error (:error out)
error-data (ex-data error)]
(t/is (= 0 (:call-count @http-mock)))
(t/is (th/ex-info? error))
(t/is (= (:type error-data) :not-found))
(t/is (= (:code error-data) :object-not-found)))))))
(t/deftest webhooks-quotes
(with-mocks [http-mock {:target 'app.http.client/req!
:return {:status 200}}]