SimpleCloudNotifier/scnserver/logic/permissions.go

package logic

import (
	"blackforestbytes.com/simplecloudnotifier/api/apierr"
	"blackforestbytes.com/simplecloudnotifier/api/ginresp"
	"blackforestbytes.com/simplecloudnotifier/models"
	"database/sql"
	"errors"
	"gogs.mikescher.com/BlackForestBytes/goext/langext"
)

func (ac *AppContext) CheckPermissionUserRead(userid models.UserID) *ginresp.HTTPResponse {
	p := ac.permissions
	if p.Token != nil && p.Token.IsUserRead(userid) {
		return nil
	}

	return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
}

func (ac *AppContext) CheckPermissionSelfAllMessagesRead() *ginresp.HTTPResponse {
	p := ac.permissions
	if p.Token != nil && p.Token.IsAllMessagesRead(p.Token.OwnerUserID) {
		return nil
	}

	return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
}

func (ac *AppContext) CheckPermissionAllMessagesRead(userid models.UserID) *ginresp.HTTPResponse {
	p := ac.permissions
	if p.Token != nil && p.Token.IsAllMessagesRead(userid) {
		return nil
	}

	return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
}

func (ac *AppContext) CheckPermissionChanMessagesRead(channel models.Channel) *ginresp.HTTPResponse {
	p := ac.permissions
	if p.Token != nil && p.Token.IsChannelMessagesRead(channel.ChannelID) {

		if channel.OwnerUserID == p.Token.OwnerUserID {
			return nil // owned channel
		} else {
			sub, err := ac.app.Database.Primary.GetSubscriptionBySubscriber(ac, p.Token.OwnerUserID, channel.ChannelID)
			if errors.Is(err, sql.ErrNoRows) {
				return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
			}
			if err != nil {
				return langext.Ptr(ginresp.APIError(ac.ginContext, 500, apierr.DATABASE_ERROR, "Failed to query subscription", err))
			}
			if sub == nil {
				return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action (no subscription)", nil))
			}
			if !sub.Confirmed {
				return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action (subscription not confirmed)", nil))
			}
			return nil // subscribed channel
		}
	}

	return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
}

func (ac *AppContext) CheckPermissionUserAdmin(userid models.UserID) *ginresp.HTTPResponse {
	p := ac.permissions
	if p.Token != nil && p.Token.IsAdmin(userid) {
		return nil
	}

	return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
}

func (ac *AppContext) CheckPermissionSend(channel models.Channel, key string) (*models.KeyToken, *ginresp.HTTPResponse) {

	keytok, err := ac.app.Database.Primary.GetKeyTokenByToken(ac, key)
	if err != nil {
		return nil, langext.Ptr(ginresp.APIError(ac.ginContext, 500, apierr.DATABASE_ERROR, "Failed to query token", err))
	}
	if keytok == nil {
		return nil, langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
	}

	if keytok.IsChannelMessagesSend(channel) {
		return keytok, nil
	}

	return nil, langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
}

func (ac *AppContext) CheckPermissionMessageRead(msg models.Message) bool {
	p := ac.permissions
	if p.Token != nil && p.Token.IsChannelMessagesRead(msg.ChannelID) {
		return true
	}

	return false
}

func (ac *AppContext) CheckPermissionMessageDelete(msg models.Message) bool {
	p := ac.permissions
	if p.Token != nil && p.Token.IsAdmin(msg.SenderUserID) {
		return true
	}

	return false
}

func (ac *AppContext) CheckPermissionAny() *ginresp.HTTPResponse {
	p := ac.permissions
	if p.Token == nil {
		return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))
	}

	return nil
}

func (ac *AppContext) GetPermissionUserID() *models.UserID {
	if ac.permissions.Token == nil {
		return nil
	} else {
		return langext.Ptr(ac.permissions.Token.OwnerUserID)
	}
}

func (ac *AppContext) GetPermissionKeyTokenID() *models.KeyTokenID {
	if ac.permissions.Token == nil {
		return nil
	} else {
		return langext.Ptr(ac.permissions.Token.KeyTokenID)
	}
}
GetUser() works 2022-11-18 23:12:37 +01:00			`package logic`

			`import (`
			`"blackforestbytes.com/simplecloudnotifier/api/apierr"`
Refactoring 2022-12-20 13:55:09 +01:00			`"blackforestbytes.com/simplecloudnotifier/api/ginresp"`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`"blackforestbytes.com/simplecloudnotifier/models"`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`"database/sql"`
Refactor API of `/api/v2/users/{uid}/subscriptions` 2023-07-30 15:58:37 +02:00			`"errors"`
GetUser() works 2022-11-18 23:12:37 +01:00			`"gogs.mikescher.com/BlackForestBytes/goext/langext"`
			`)`

Use ID types 2022-11-20 22:18:24 +01:00			`func (ac AppContext) CheckPermissionUserRead(userid models.UserID) ginresp.HTTPResponse {`
GetUser() works 2022-11-18 23:12:37 +01:00			`p := ac.permissions`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if p.Token != nil && p.Token.IsUserRead(userid) {`
GetUser() works 2022-11-18 23:12:37 +01:00			`return nil`
			`}`

CreateMessage() 2022-11-20 20:34:18 +01:00			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
GetUser() works 2022-11-18 23:12:37 +01:00			`}`
UpdateUser() works 2022-11-18 23:28:37 +01:00
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) CheckPermissionSelfAllMessagesRead() ginresp.HTTPResponse {`
ListMessages() 2022-11-20 00:19:41 +01:00			`p := ac.permissions`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if p.Token != nil && p.Token.IsAllMessagesRead(p.Token.OwnerUserID) {`
ListMessages() 2022-11-20 00:19:41 +01:00			`return nil`
			`}`

CreateMessage() 2022-11-20 20:34:18 +01:00			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
ListMessages() 2022-11-20 00:19:41 +01:00			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) CheckPermissionAllMessagesRead(userid models.UserID) ginresp.HTTPResponse {`
UpdateUser() works 2022-11-18 23:28:37 +01:00			`p := ac.permissions`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if p.Token != nil && p.Token.IsAllMessagesRead(userid) {`
UpdateUser() works 2022-11-18 23:28:37 +01:00			`return nil`
			`}`

CreateMessage() 2022-11-20 20:34:18 +01:00			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) CheckPermissionChanMessagesRead(channel models.Channel) ginresp.HTTPResponse {`
CreateMessage() 2022-11-20 20:34:18 +01:00			`p := ac.permissions`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if p.Token != nil && p.Token.IsChannelMessagesRead(channel.ChannelID) {`

			`if channel.OwnerUserID == p.Token.OwnerUserID {`
			`return nil // owned channel`
			`} else {`
			`sub, err := ac.app.Database.Primary.GetSubscriptionBySubscriber(ac, p.Token.OwnerUserID, channel.ChannelID)`
Refactor API of `/api/v2/users/{uid}/subscriptions` 2023-07-30 15:58:37 +02:00			`if errors.Is(err, sql.ErrNoRows) {`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
			`}`
			`if err != nil {`
			`return langext.Ptr(ginresp.APIError(ac.ginContext, 500, apierr.DATABASE_ERROR, "Failed to query subscription", err))`
			`}`
Tests[ListChannelMessagesOfUnsubscribed, ListChannelMessagesOfUnconfirmed1, ListChannelMessagesOfUnconfirmed2, ListChannelMessagesOfRevokedConfirmation] 2023-05-28 03:38:33 +02:00			`if sub == nil {`
			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action (no subscription)", nil))`
			`}`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if !sub.Confirmed {`
Tests[ListChannelMessagesOfUnsubscribed, ListChannelMessagesOfUnconfirmed1, ListChannelMessagesOfUnconfirmed2, ListChannelMessagesOfRevokedConfirmation] 2023-05-28 03:38:33 +02:00			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action (subscription not confirmed)", nil))`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`}`
Tests[ListSubscribedChannelMessages] 2023-05-28 02:50:55 +02:00			`return nil // subscribed channel`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`}`
CreateMessage() 2022-11-20 20:34:18 +01:00			`}`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00
			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
			`}`

			`func (ac AppContext) CheckPermissionUserAdmin(userid models.UserID) ginresp.HTTPResponse {`
			`p := ac.permissions`
			`if p.Token != nil && p.Token.IsAdmin(userid) {`
CreateMessage() 2022-11-20 20:34:18 +01:00			`return nil`
			`}`

			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
UpdateUser() works 2022-11-18 23:28:37 +01:00			`}`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) CheckPermissionSend(channel models.Channel, key string) (models.KeyToken, *ginresp.HTTPResponse) {`

			`keytok, err := ac.app.Database.Primary.GetKeyTokenByToken(ac, key)`
			`if err != nil {`
			`return nil, langext.Ptr(ginresp.APIError(ac.ginContext, 500, apierr.DATABASE_ERROR, "Failed to query token", err))`
			`}`
			`if keytok == nil {`
			`return nil, langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if keytok.IsChannelMessagesSend(channel) {`
			`return keytok, nil`
			`}`

			`return nil, langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac *AppContext) CheckPermissionMessageRead(msg models.Message) bool {`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`p := ac.permissions`
Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`if p.Token != nil && p.Token.IsChannelMessagesRead(msg.ChannelID) {`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`return true`
			`}`

			`return false`
			`}`

Prevent deleting messages of subscribed-only channels 2023-07-27 15:23:56 +02:00			`func (ac *AppContext) CheckPermissionMessageDelete(msg models.Message) bool {`
			`p := ac.permissions`
Remove message.owner_user_id field and implement db migrations 2023-07-27 17:44:06 +02:00			`if p.Token != nil && p.Token.IsAdmin(msg.SenderUserID) {`
Prevent deleting messages of subscribed-only channels 2023-07-27 15:23:56 +02:00			`return true`
			`}`

			`return false`
			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) CheckPermissionAny() ginresp.HTTPResponse {`
			`p := ac.permissions`
			`if p.Token == nil {`
			`return langext.Ptr(ginresp.APIError(ac.ginContext, 401, apierr.USER_AUTH_FAILED, "You are not authorized for this action", nil))`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`return nil`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) GetPermissionUserID() models.UserID {`
			`if ac.permissions.Token == nil {`
			`return nil`
			`} else {`
			`return langext.Ptr(ac.permissions.Token.OwnerUserID)`
			`}`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`}`

Add KeyToken authorization 2023-04-21 21:45:16 +02:00			`func (ac AppContext) GetPermissionKeyTokenID() models.KeyTokenID {`
			`if ac.permissions.Token == nil {`
			`return nil`
			`} else {`
			`return langext.Ptr(ac.permissions.Token.KeyTokenID)`
			`}`
CreateSubscription(), UpdateSubscription(), GetMessage(), DeleteMessage() 2022-11-19 23:16:54 +01:00			`}`