3pp-mirror/penpot
1
0
Fork 0
mirror of https://github.com/penpot/penpot.git synced 2025-05-12 19:16:37 +02:00
Code Issues Projects Releases Packages Wiki Activity

Normalize permission checks.

Browse source
This commit is contained in:
Andrey Antukh 2021-01-21 11:19:03 +01:00 committed by Alonso Torres
parent 66fe0048a5
commit b4ba9d4375
4 changed files with 72 additions and 62 deletions
Download patch file Download diff file Expand all files Collapse all files

41
backend/src/app/rpc/permissions.clj Normal file
View file

@ -0,0 +1,41 @@
;; This Source Code Form is subject to the terms of the Mozilla Public
;; License, v. 2.0. If a copy of the MPL was not distributed with this
;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
;;
;; This Source Code Form is "Incompatible With Secondary Licenses", as
;; defined by the Mozilla Public License, v. 2.0.
;;
;; Copyright (c) 2020 UXBOX Labs SL
(ns app.rpc.permissions
"A permission checking helper factories."
(:require
[app.common.spec :as us]
[app.common.exceptions :as ex]
[clojure.spec.alpha :as s]))
(defn make-edition-check-fn
"A simple factory for edition permission check functions."
[qfn]
(us/assert fn? qfn)
(fn [& args]
(let [rows (apply qfn args)]
(when (or (empty? rows)
(not (or (some :can-edit rows)
(some :is-admin rows)
(some :is-owner rows))))
(ex/raise :type :not-found
:code :object-not-found
:hint "not found")))))
(defn make-read-check-fn
"A simple factory for read permission check functions."
[qfn]
(us/assert fn? qfn)
(fn [& args]
(let [rows (apply qfn args)]
(when-not (seq rows)
(ex/raise :type :not-found
:code :object-not-found)))))

38
backend/src/app/rpc/queries/files.clj
View file

@ -13,6 +13,7 @@
[app.common.pages.migrations :as pmg] [app.common.pages.migrations :as pmg]
[app.common.spec :as us] [app.common.spec :as us]
[app.db :as db] [app.db :as db]
[app.rpc.permissions :as perms]
[app.rpc.queries.projects :as projects] [app.rpc.queries.projects :as projects]
[app.util.services :as sv] [app.util.services :as sv]
[app.util.blob :as blob] [app.util.blob :as blob]
@ -59,31 +60,18 @@
where f.id = ? where f.id = ?
and ppr.profile_id = ?") and ppr.profile_id = ?")
(defn check-edition-permissions! (defn- retrieve-file-permissions
[conn profile-id file-id] [conn profile-id file-id]
(let [rows (db/exec! conn [sql:file-permissions (db/exec! conn [sql:file-permissions
file-id profile-id file-id profile-id
file-id profile-id file-id profile-id
file-id profile-id])] file-id profile-id]))
(when (empty? rows)
(ex/raise :type :not-found))
(when-not (or (some :can-edit rows) (def check-edition-permissions!
(some :is-admin rows) (perms/make-edition-check-fn retrieve-file-permissions))
(some :is-owner rows))
(ex/raise :type :authorization
:code :not-authorized))))
(def check-read-permissions!
(defn check-read-permissions! (perms/make-read-check-fn retrieve-file-permissions))
[conn profile-id file-id]
(let [rows (db/exec! conn [sql:file-permissions
file-id profile-id
file-id profile-id
file-id profile-id])]
(when-not (seq rows)
(ex/raise :type :authorization
:code :not-authorized))))
;; --- Query: Files search ;; --- Query: Files search
@ -155,9 +143,9 @@
(defn retrieve-file (defn retrieve-file
[conn id] [conn id]
(let [file (db/get-by-id conn :file id)] (-> (db/get-by-id conn :file id)
(-> (decode-row file) (decode-row)
(pmg/migrate-file)))) (pmg/migrate-file)))
(s/def ::file (s/def ::file
(s/keys :req-un [::profile-id ::id])) (s/keys :req-un [::profile-id ::id]))

29
backend/src/app/rpc/queries/projects.clj
View file

@ -12,6 +12,7 @@
[app.common.exceptions :as ex] [app.common.exceptions :as ex]
[app.common.spec :as us] [app.common.spec :as us]
[app.db :as db] [app.db :as db]
[app.rpc.permissions :as perms]
[app.rpc.queries.teams :as teams] [app.rpc.queries.teams :as teams]
[app.util.services :as sv] [app.util.services :as sv]
[clojure.spec.alpha :as s])) [clojure.spec.alpha :as s]))
@ -34,29 +35,17 @@
where ppr.project_id = ? where ppr.project_id = ?
and ppr.profile_id = ?") and ppr.profile_id = ?")
(defn check-edition-permissions! (defn- retrieve-project-permissions
[conn profile-id project-id] [conn profile-id project-id]
(let [rows (db/exec! conn [sql:project-permissions (db/exec! conn [sql:project-permissions
project-id profile-id project-id profile-id
project-id profile-id])] project-id profile-id]))
(when (empty? rows)
(ex/raise :type :not-found))
(when-not (or (some :can-edit rows)
(some :is-admin rows)
(some :is-owner rows))
(ex/raise :type :authorization
:code :not-authorized))))
(defn check-read-permissions! (def check-edition-permissions!
[conn profile-id project-id] (perms/make-edition-check-fn retrieve-project-permissions))
(let [rows (db/exec! conn [sql:project-permissions
project-id profile-id
project-id profile-id])]
(when-not (seq rows)
(ex/raise :type :authorization
:code :not-authorized))))
(def check-read-permissions!
(perms/make-read-check-fn retrieve-project-permissions))
;; --- Query: Projects ;; --- Query: Projects

26
backend/src/app/rpc/queries/teams.clj
View file

@ -12,6 +12,7 @@
[app.common.exceptions :as ex] [app.common.exceptions :as ex]
[app.common.spec :as us] [app.common.spec :as us]
[app.db :as db] [app.db :as db]
[app.rpc.permissions :as perms]
[app.rpc.queries.profile :as profile] [app.rpc.queries.profile :as profile]
[app.util.services :as sv] [app.util.services :as sv]
[clojure.spec.alpha :as s])) [clojure.spec.alpha :as s]))
@ -26,24 +27,15 @@
where tpr.profile_id = ? where tpr.profile_id = ?
and tpr.team_id = ?") and tpr.team_id = ?")
(defn check-edition-permissions! (defn- retrieve-team-permissions
[conn profile-id team-id] [conn profile-id team-id]
(let [row (db/exec-one! conn [sql:team-permissions profile-id team-id])] (db/exec! conn [sql:team-permissions profile-id team-id]))
(when-not (or (:can-edit row)
(:is-admin row)
(:is-owner row))
(ex/raise :type :authorization
:code :not-authorized))
row))
(defn check-read-permissions! (def check-edition-permissions!
[conn profile-id team-id] (perms/make-edition-check-fn retrieve-team-permissions))
(let [row (db/exec-one! conn [sql:team-permissions profile-id team-id])]
;; when row is found this means that read permission is granted. (def check-read-permissions!
(when-not row (perms/make-read-check-fn retrieve-team-permissions))
(ex/raise :type :authorization
:code :not-authorized))
row))
;; --- Query: Teams ;; --- Query: Teams
@ -96,7 +88,7 @@
result (db/exec-one! conn [sql (:default-team-id defaults) profile-id team-id])] result (db/exec-one! conn [sql (:default-team-id defaults) profile-id team-id])]
(when-not result (when-not result
(ex/raise :type :not-found (ex/raise :type :not-found
:code :object-does-not-exists)) :code :team-does-not-exist))
result)) result))