WiP on permissions
Table of shares per user
This commit is contained in:
Tomas Bures
parent
89c9615592
commit
89256d62bd
20 changed files with 354 additions and 171 deletions
|
|
@ -19,12 +19,10 @@ function hash(entity) {
|
|||
}
|
||||
|
||||
async function getByIdWithTemplate(context, id) {
|
||||
await shares.enforceEntityPermission(context, 'report', id, 'view');
|
||||
if (context) {
|
||||
await shares.enforceEntityPermission(context, 'report', id, 'view');
|
||||
}
|
||||
|
||||
return await getByIdWithTemplateNoPerms(id);
|
||||
}
|
||||
|
||||
async function getByIdWithTemplateNoPerms(id) {
|
||||
const entity = await knex('reports')
|
||||
.where('reports.id', id)
|
||||
.innerJoin('report_templates', 'reports.report_template', 'report_templates.id')
|
||||
|
|
@ -201,7 +199,6 @@ module.exports = {
|
|||
ReportState,
|
||||
hash,
|
||||
getByIdWithTemplate,
|
||||
getByIdWithTemplateNoPerms,
|
||||
listDTAjax,
|
||||
create,
|
||||
updateWithConsistencyCheck,
|
||||
|
|
|
|||
130
models/shares.js
130
models/shares.js
|
|
@ -9,12 +9,45 @@ const permissions = require('../lib/permissions');
|
|||
const interoperableErrors = require('../shared/interoperable-errors');
|
||||
|
||||
|
||||
async function listDTAjax(context, entityTypeId, entityId, params) {
|
||||
async function listByEntityDTAjax(context, entityTypeId, entityId, params) {
|
||||
const entityType = permissions.getEntityType(entityTypeId);
|
||||
|
||||
await enforceEntityPermission(context, entityTypeId, entityId, 'share');
|
||||
|
||||
return await dtHelpers.ajaxList(params, builder => builder.from(entityType.sharesTable).innerJoin('users', entityType.sharesTable + '.user', 'users.id').where(`${entityType.sharesTable}.entity`, entityId), [entityType.sharesTable + '.id', 'users.username', 'users.name', entityType.sharesTable + '.role', 'users.id']);
|
||||
return await dtHelpers.ajaxList(
|
||||
params,
|
||||
builder => builder
|
||||
.from(entityType.sharesTable)
|
||||
.innerJoin('users', entityType.sharesTable + '.user', 'users.id')
|
||||
.innerJoin('generated_role_names', 'generated_role_names.role', 'users.role')
|
||||
.where('generated_role_names.entity_type', entityTypeId)
|
||||
.where(`${entityType.sharesTable}.entity`, entityId),
|
||||
[ 'users.username', 'users.name', 'generated_role_names.name', 'users.id' ]
|
||||
);
|
||||
}
|
||||
|
||||
async function listByUserDTAjax(context, entityTypeId, userId, params) {
|
||||
const user = await knex('users').where('id', userId).first();
|
||||
if (!user) {
|
||||
shares.throwPermissionDenied();
|
||||
}
|
||||
|
||||
await enforceEntityPermission(context, 'namespace', user.namespace, 'manageUsers');
|
||||
|
||||
const entityType = permissions.getEntityType(entityTypeId);
|
||||
|
||||
return await dtHelpers.ajaxListWithPermissions(
|
||||
context,
|
||||
[{ entityTypeId }],
|
||||
params,
|
||||
builder => builder
|
||||
.from(entityType.sharesTable)
|
||||
.innerJoin(entityType.entitiesTable, entityType.sharesTable + '.entity', entityType.entitiesTable + '.id')
|
||||
.innerJoin('generated_role_names', 'generated_role_names.role', entityType.sharesTable + '.role')
|
||||
.where('generated_role_names.entity_type', entityTypeId)
|
||||
.where(entityType.sharesTable + '.user', userId),
|
||||
[ entityType.entitiesTable + '.name', 'generated_role_names.name', entityType.entitiesTable + '.id' ]
|
||||
);
|
||||
}
|
||||
|
||||
async function listUnassignedUsersDTAjax(context, entityTypeId, entityId, params) {
|
||||
|
|
@ -24,10 +57,28 @@ async function listUnassignedUsersDTAjax(context, entityTypeId, entityId, params
|
|||
|
||||
return await dtHelpers.ajaxList(
|
||||
params,
|
||||
builder => builder.from('users').whereNotExists(function() { return this.select('*').from(entityType.sharesTable).whereRaw(`users.id = ${entityType.sharesTable}.user`).andWhere(`${entityType.sharesTable}.entity`, entityId); }),
|
||||
['users.id', 'users.username', 'users.name']);
|
||||
builder => builder
|
||||
.from('users')
|
||||
.whereNotExists(function() {
|
||||
return this
|
||||
.select('*')
|
||||
.from(entityType.sharesTable)
|
||||
.whereRaw(`users.id = ${entityType.sharesTable}.user`)
|
||||
.andWhere(`${entityType.sharesTable}.entity`, entityId);
|
||||
}),
|
||||
['users.id', 'users.username', 'users.name']
|
||||
);
|
||||
}
|
||||
|
||||
async function listRolesDTAjax(context, entityTypeId, params) {
|
||||
return await dtHelpers.ajaxList(
|
||||
params,
|
||||
builder => builder
|
||||
.from('generated_role_names')
|
||||
.where({entity_type: entityTypeId}),
|
||||
['role', 'name', 'description']
|
||||
);
|
||||
}
|
||||
|
||||
async function assign(context, entityTypeId, entityId, userId, role) {
|
||||
const entityType = permissions.getEntityType(entityTypeId);
|
||||
|
|
@ -38,13 +89,13 @@ async function assign(context, entityTypeId, entityId, userId, role) {
|
|||
enforce(await tx('users').where('id', userId).select('id').first(), 'Invalid user id');
|
||||
enforce(await tx(entityType.entitiesTable).where('id', entityId).select('id').first(), 'Invalid entity id');
|
||||
|
||||
const entry = await tx(entityType.sharesTable).where({user: userId, entity: entityId}).select('id', 'role').first();
|
||||
const entry = await tx(entityType.sharesTable).where({user: userId, entity: entityId}).select('role').first();
|
||||
|
||||
if (entry) {
|
||||
if (!role) {
|
||||
await tx(entityType.sharesTable).where('id', entry.id).del();
|
||||
await tx(entityType.sharesTable).where({user: userId, entity: entityId}).del();
|
||||
} else if (entry.role !== role) {
|
||||
await tx(entityType.sharesTable).where('id', entry.id).update('role', role);
|
||||
await tx(entityType.sharesTable).where({user: userId, entity: entityId}).update('role', role);
|
||||
}
|
||||
} else {
|
||||
await tx(entityType.sharesTable).insert({
|
||||
|
|
@ -100,7 +151,7 @@ async function _rebuildPermissions(tx, restriction) {
|
|||
})
|
||||
.select(['users.id', 'users.namespace', 'users.role as userRole', `${namespaceEntityType.sharesTable}.role`]);
|
||||
if (restriction.userId) {
|
||||
usersWithRoleInOwnNamespaceQuery.where('user', restriction.userId);
|
||||
usersWithRoleInOwnNamespaceQuery.where('users.id', restriction.userId);
|
||||
}
|
||||
const usersWithRoleInOwnNamespace = await usersWithRoleInOwnNamespaceQuery;
|
||||
|
||||
|
|
@ -118,11 +169,13 @@ async function _rebuildPermissions(tx, restriction) {
|
|||
|
||||
|
||||
const usersWithRoleInRootNamespaceQuery = tx('users')
|
||||
.leftJoin(namespaceEntityType.sharesTable, 'users.id', `${namespaceEntityType.sharesTable}.user`)
|
||||
.where(`${namespaceEntityType.sharesTable}.entity`, 1 /* Global namespace id */)
|
||||
.leftJoin(namespaceEntityType.sharesTable, {
|
||||
'users.id': `${namespaceEntityType.sharesTable}.user`,
|
||||
[`${namespaceEntityType.sharesTable}.entity`]: 1 /* Global namespace id */
|
||||
})
|
||||
.select(['users.id', 'users.role as userRole', `${namespaceEntityType.sharesTable}.role`]);
|
||||
if (restriction.userId) {
|
||||
usersWithRoleInRootNamespaceQuery.andWhere('user', restriction.userId);
|
||||
usersWithRoleInRootNamespaceQuery.andWhere('users.id', restriction.userId);
|
||||
}
|
||||
const usersWithRoleInRootNamespace = await usersWithRoleInRootNamespaceQuery;
|
||||
|
||||
|
|
@ -292,7 +345,6 @@ async function _rebuildPermissions(tx, restriction) {
|
|||
}
|
||||
}
|
||||
|
||||
|
||||
async function rebuildPermissions(tx, restriction) {
|
||||
restriction = restriction || {};
|
||||
|
||||
|
|
@ -305,10 +357,50 @@ async function rebuildPermissions(tx, restriction) {
|
|||
}
|
||||
}
|
||||
|
||||
async function regenerateRoleNamesTable() {
|
||||
await knex.transaction(async tx => {
|
||||
await tx('generated_role_names').del();
|
||||
|
||||
const entityTypeIds = ['global', ...Object.keys(permissions.getEntityTypes())];
|
||||
|
||||
for (const entityTypeId of entityTypeIds) {
|
||||
const roles = config.roles[entityTypeId];
|
||||
|
||||
for (const role in roles) {
|
||||
await tx('generated_role_names').insert({
|
||||
entity_type: entityTypeId,
|
||||
role,
|
||||
name: roles[role].name,
|
||||
description: roles[role].description,
|
||||
});
|
||||
}
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
|
||||
function throwPermissionDenied() {
|
||||
throw new interoperableErrors.PermissionDeniedError(_('Permission denied'));
|
||||
}
|
||||
|
||||
async function removeDefaultShares(tx, user) {
|
||||
const namespaceEntityType = permissions.getEntityType('namespace');
|
||||
|
||||
const roleConf = config.roles.global[user.role];
|
||||
|
||||
if (roleConf) {
|
||||
const desiredRole = roleConf.rootNamespaceRole;
|
||||
|
||||
if (roleConf.ownNamespaceRole) {
|
||||
await tx(namespaceEntityType.sharesTable).where({ user: user.id, entity: user.namespace }).del();
|
||||
}
|
||||
|
||||
if (roleConf.rootNamespaceRole) {
|
||||
await tx(namespaceEntityType.sharesTable).where({ user: user.id, entity: 1 /* Global namespace id */ }).del();
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
function enforceGlobalPermission(context, requiredOperations) {
|
||||
if (typeof requiredOperations === 'string') {
|
||||
requiredOperations = [ requiredOperations ];
|
||||
|
|
@ -333,7 +425,7 @@ async function _checkPermission(context, entityTypeId, entityId, requiredOperati
|
|||
requiredOperations = [ requiredOperations ];
|
||||
}
|
||||
|
||||
const permsQuery = await knex(entityType.permissionsTable)
|
||||
const permsQuery = knex(entityType.permissionsTable)
|
||||
.where('user', context.user.id)
|
||||
.whereIn('operation', requiredOperations);
|
||||
|
||||
|
|
@ -351,11 +443,11 @@ async function checkEntityPermission(context, entityTypeId, entityId, requiredOp
|
|||
return false;
|
||||
}
|
||||
|
||||
return await _checkEntityPermission(context, entityTypeId, entityId, requiredOperations);
|
||||
return await _checkPermission(context, entityTypeId, entityId, requiredOperations);
|
||||
}
|
||||
|
||||
async function checkTypePermission(context, entityTypeId, requiredOperations) {
|
||||
return await _checkEntityPermission(context, entityTypeId, null, requiredOperations);
|
||||
return await _checkPermission(context, entityTypeId, null, requiredOperations);
|
||||
}
|
||||
|
||||
async function enforceEntityPermission(context, entityTypeId, entityId, requiredOperations) {
|
||||
|
|
@ -374,14 +466,18 @@ async function enforceTypePermission(context, entityTypeId, requiredOperations)
|
|||
|
||||
|
||||
module.exports = {
|
||||
listDTAjax,
|
||||
listByEntityDTAjax,
|
||||
listByUserDTAjax,
|
||||
listUnassignedUsersDTAjax,
|
||||
listRolesDTAjax,
|
||||
assign,
|
||||
rebuildPermissions,
|
||||
removeDefaultShares,
|
||||
enforceEntityPermission,
|
||||
enforceTypePermission,
|
||||
checkEntityPermission,
|
||||
checkTypePermission,
|
||||
enforceGlobalPermission,
|
||||
throwPermissionDenied
|
||||
throwPermissionDenied,
|
||||
regenerateRoleNamesTable
|
||||
};
|
||||
|
|
@ -30,7 +30,7 @@ const allowedKeys = new Set(['username', 'name', 'email', 'password', 'namespace
|
|||
const ownAccountAllowedKeys = new Set(['name', 'email', 'password']);
|
||||
const allowedKeysExternal = new Set(['username', 'namespace', 'role']);
|
||||
const hashKeys = new Set(['username', 'name', 'email', 'namespace', 'role']);
|
||||
const shares = require('../../models/shares');
|
||||
const shares = require('./shares');
|
||||
|
||||
|
||||
function hash(entity) {
|
||||
|
|
@ -65,10 +65,6 @@ async function getById(context, id) {
|
|||
return await _getBy(context, 'id', id);
|
||||
}
|
||||
|
||||
async function getByIdNoPerms(id) {
|
||||
return await _getBy(null, 'id', id);
|
||||
}
|
||||
|
||||
async function serverValidate(context, data, isOwnAccount) {
|
||||
const result = {};
|
||||
|
||||
|
|
@ -120,12 +116,12 @@ async function listDTAjax(context, params) {
|
|||
context,
|
||||
[{ entityTypeId: 'namespace', requiredOperations: ['manageUsers'] }],
|
||||
params,
|
||||
builder => builder.from('users').innerJoin('namespaces', 'namespaces.id', 'users.namespace'),
|
||||
['users.id', 'users.username', 'users.name', 'namespaces.name', 'users.role'],
|
||||
data => {
|
||||
const role = data[4];
|
||||
data[4] = config.roles.global[role] ? config.roles.global[role].name : role;
|
||||
}
|
||||
builder => builder
|
||||
.from('users')
|
||||
.innerJoin('namespaces', 'namespaces.id', 'users.namespace')
|
||||
.innerJoin('generated_role_names', 'generated_role_names.role', 'users.role')
|
||||
.where('generated_role_names.entity_type', 'global'),
|
||||
[ 'users.id', 'users.username', 'users.name', 'namespaces.name', 'generated_role_names.name' ]
|
||||
);
|
||||
}
|
||||
|
||||
|
|
@ -172,28 +168,39 @@ async function _validateAndPreprocess(tx, user, isCreate, isOwnAccount) {
|
|||
}
|
||||
}
|
||||
|
||||
async function create(user) {
|
||||
await shares.enforceEntityPermission(context, 'namespace', user.namespace, 'manageUsers');
|
||||
async function create(context, user) {
|
||||
if (context) { // Is also called internally from ldap handling in passport
|
||||
await shares.enforceEntityPermission(context, 'namespace', user.namespace, 'manageUsers');
|
||||
}
|
||||
|
||||
await knex.transaction(async tx => {
|
||||
if (passport.isAuthMethodLocal) {
|
||||
await _validateAndPreprocess(tx, user, true);
|
||||
|
||||
const userId = await tx('users').insert(filterObject(user, allowedKeys));
|
||||
|
||||
await shares.rebuildPermissions(tx, { userId });
|
||||
|
||||
return userId;
|
||||
|
||||
} else {
|
||||
const filteredUser = filterObject(user, allowedKeysExternal);
|
||||
enforce(user.role in config.roles.global, 'Unknown role');
|
||||
|
||||
await namespaceHelpers.validateEntity(tx, user);
|
||||
const userId = await knex('users').insert(filteredUser);
|
||||
|
||||
const userId = await tx('users').insert(filteredUser);
|
||||
|
||||
await shares.rebuildPermissions(tx, { userId });
|
||||
|
||||
return userId;
|
||||
}
|
||||
});
|
||||
}
|
||||
|
||||
async function updateWithConsistencyCheck(user, isOwnAccount) {
|
||||
async function updateWithConsistencyCheck(context, user, isOwnAccount) {
|
||||
await knex.transaction(async tx => {
|
||||
const existing = await tx('users').where('id', user.id).first();
|
||||
const existing = await tx('users').where(['id', 'namespace', 'role'], user.id).first();
|
||||
if (!existing) {
|
||||
shares.throwPermissionDenied();
|
||||
}
|
||||
|
|
@ -218,7 +225,6 @@ async function updateWithConsistencyCheck(user, isOwnAccount) {
|
|||
}
|
||||
|
||||
await tx('users').where('id', user.id).update(filterObject(user, isOwnAccount ? ownAccountAllowedKeys : allowedKeys));
|
||||
|
||||
} else {
|
||||
enforce(isOwnAccount, 'Local user management is required');
|
||||
enforce(user.role in config.roles.global, 'Unknown role');
|
||||
|
|
@ -226,6 +232,15 @@ async function updateWithConsistencyCheck(user, isOwnAccount) {
|
|||
|
||||
await tx('users').where('id', user.id).update(filterObject(user, allowedKeysExternal));
|
||||
}
|
||||
|
||||
// Removes the default shares based on the user role and rebuilds permissions.
|
||||
// rebuildPermissions adds the default shares based on the user role, which will reflect the changes
|
||||
// done to the user.
|
||||
if (existing.namespace !== user.namespace || existing.role !== user.role) {
|
||||
await shares.removeDefaultShares(tx, existing);
|
||||
}
|
||||
|
||||
await shares.rebuildPermissions(tx, { userId: user.id });
|
||||
});
|
||||
}
|
||||
|
||||
|
|
@ -241,7 +256,7 @@ async function remove(context, userId) {
|
|||
|
||||
await shares.enforceEntityPermission(context, 'namespace', existing.namespace, 'manageUsers');
|
||||
|
||||
await knex('users').where('id', userId).del();
|
||||
await tx('users').where('id', userId).del();
|
||||
});
|
||||
}
|
||||
|
||||
|
|
@ -366,7 +381,6 @@ module.exports = {
|
|||
create,
|
||||
hash,
|
||||
getById,
|
||||
getByIdNoPerms,
|
||||
serverValidate,
|
||||
getByAccessToken,
|
||||
getByUsername,
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue