🐛 Fix files, projects and shared-files queries.

2025-06-05 07:51:41 +02:00 · 2020-08-19 13:04:37 +02:00 · 2020-08-19 13:04:37 +02:00 · 5ae1b72943
commit 5ae1b72943
parent fc01690315
4 changed files with 96 additions and 92 deletions
--- a/backend/src/app/services/queries/projects.clj
+++ b/backend/src/app/services/queries/projects.clj
@ -2,91 +2,96 @@
 ;; License, v. 2.0. If a copy of the MPL was not distributed with this
 ;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
 ;;
-;; Copyright (c) 2019 Andrey Antukh <niwi@niwi.nz>
+;; This Source Code Form is "Incompatible With Secondary Licenses", as
+;; defined by the Mozilla Public License, v. 2.0.
+;;
+;; Copyright (c) 2020 UXBOX Labs SL

 (ns app.services.queries.projects
  (:require
   [clojure.spec.alpha :as s]
-   [promesa.core :as p]
   [app.common.spec :as us]
+   [app.common.exceptions :as ex]
   [app.db :as db]
   [app.services.queries :as sq]
-   [app.util.blob :as blob]))
+   [app.services.queries.teams :as teams]))

-(declare decode-row)
+;; --- Check Project Permissions
+
+;; This SQL checks if the: (1) project is part of the team where the
+;; profile has edition permissions or (2) the profile has direct
+;; edition access granted to this project.
+
+(def sql:project-permissions
+  "select tp.can_edit,
+          tp.is_admin,
+          tp.is_owner
+     from team_profile_rel as tp
+    where tp.profile_id = ?
+      and tp.team_id = ?
+    union
+   select pp.can_edit,
+          pp.is_admin,
+          pp.is_owner
+     from project_profile_rel as pp
+    where pp.profile_id = ?
+      and pp.project_id = ?;")
+
+(defn check-edition-permissions!
+  [conn profile-id project]
+  (let [rows (db/exec! conn [sql:project-permissions
+                             profile-id
+                             (:team-id project)
+                             profile-id
+                             (:id project)])]
+    (when (empty? rows)
+      (ex/raise :type :not-found))
+
+    (when-not (or (some :can-edit rows)
+                  (some :is-admin rows)
+                  (some :is-owner rows))
+      (ex/raise :type :validation
+                :code :not-authorized))))

-;; TODO: this module should be refactored for to separate the
-;; permissions checks from the main queries in the same way as pages
-;; and files. This refactor will make this functions more "reusable"
-;; and will prevent duplicating queries on `queries.view` ns as
-;; example.

 ;; --- Query: Projects

-(def ^:private sql:projects
-  "with projects as (
-     select p.*,
-            (select count(*) from file as f
-              where f.project_id = p.id
-                and deleted_at is null) as file_count
-       from project as p
-      inner join team_profile_rel as tpr on (tpr.team_id = p.team_id)
-      where tpr.profile_id = ?
-        and p.deleted_at is null
-        and (tpr.is_admin = true or
-             tpr.is_owner = true or
-             tpr.can_edit = true)
-      union
-     select p.*,
-            (select count(*) from file as f
-              where f.project_id = p.id
-                and deleted_at is null)
-       from project as p
-      inner join project_profile_rel as ppr on (ppr.project_id = p.id)
-      where ppr.profile_id = ?
-        and p.deleted_at is null
-        and (ppr.is_admin = true or
-             ppr.is_owner = true or
-             ppr.can_edit = true)
-   )
-   select *
-     from projects
-    where team_id = ?
-    order by modified_at desc")
-
-(def ^:private sql:project-by-id
-  "select p.*
-     from project as p
-    inner join project_profile_rel as ppr on (ppr.project_id = p.id)
-    where ppr.profile_id = ?
-      and p.id = ?
-      and p.deleted_at is null
-      and (ppr.is_admin = true or
-           ppr.is_owner = true or
-           ppr.can_edit = true)")
+(declare retrieve-projects)

 (s/def ::team-id ::us/uuid)
 (s/def ::profile-id ::us/uuid)
-(s/def ::project-id ::us/uuid)

-(s/def ::projects-by-team
+(s/def ::projects
  (s/keys :req-un [::profile-id ::team-id]))

+(sq/defquery ::projects
+  [{:keys [profile-id team-id]}]
+  (with-open [conn (db/open)]
+    (teams/check-read-permissions! conn profile-id team-id)
+    (retrieve-projects conn team-id)))
+
+(def sql:projects
+  "select p.*,
+          (select count(*) from file as f
+              where f.project_id = p.id
+                and deleted_at is null)
+     from project as p
+    where team_id = ?
+    order by modified_at desc")
+
+(defn retrieve-projects
+  [conn team-id]
+  (db/exec! conn [sql:projects team-id]))
+
+;; --- Query: Projec by ID
+
+(s/def ::project-id ::us/uuid)
 (s/def ::project-by-id
  (s/keys :req-un [::profile-id ::project-id]))

-(defn retrieve-projects
-  [conn profile-id team-id]
-  (db/exec! conn [sql:projects profile-id profile-id team-id]))
-
-(defn retrieve-project
-  [conn profile-id id]
-  (db/exec-one! conn [sql:project-by-id profile-id id]))
-
-(sq/defquery ::projects-by-team
-  [{:keys [profile-id team-id]}]
-  (retrieve-projects db/pool profile-id team-id))
-
 (sq/defquery ::project-by-id
  [{:keys [profile-id project-id]}]
-  (retrieve-project db/pool profile-id project-id))
+  (with-open [conn (db/open)]
+    (let [project (db/get-by-id conn :project project-id)]
+      (check-edition-permissions! conn profile-id project)
+      project)))