✨ Normalize permission checks.

2025-04-01 09:31:26 -05:00 · 2021-01-21 11:19:03 +01:00 · 2021-01-21 11:19:03 +01:00 · b4ba9d4375
commit b4ba9d4375
parent 66fe0048a5
4 changed files with 72 additions and 62 deletions
--- a/backend/src/app/rpc/permissions.clj
+++ b/backend/src/app/rpc/permissions.clj
@ -0,0 +1,41 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; This Source Code Form is "Incompatible With Secondary Licenses", as
+;; defined by the Mozilla Public License, v. 2.0.
+;;
+;; Copyright (c) 2020 UXBOX Labs SL
+
+(ns app.rpc.permissions
+  "A permission checking helper factories."
+  (:require
+   [app.common.spec :as us]
+   [app.common.exceptions :as ex]
+   [clojure.spec.alpha :as s]))
+
+(defn make-edition-check-fn
+  "A simple factory for edition permission check functions."
+  [qfn]
+  (us/assert fn? qfn)
+  (fn [& args]
+    (let [rows (apply qfn args)]
+      (when (or (empty? rows)
+                (not (or (some :can-edit rows)
+                         (some :is-admin rows)
+                         (some :is-owner rows))))
+        (ex/raise :type :not-found
+                  :code :object-not-found
+                  :hint "not found")))))
+
+(defn make-read-check-fn
+  "A simple factory for read permission check functions."
+  [qfn]
+  (us/assert fn? qfn)
+  (fn [& args]
+    (let [rows (apply qfn args)]
+      (when-not (seq rows)
+        (ex/raise :type :not-found
+                  :code :object-not-found)))))
+
+
--- a/backend/src/app/rpc/queries/files.clj
+++ b/backend/src/app/rpc/queries/files.clj
@ -13,6 +13,7 @@
   [app.common.pages.migrations :as pmg]
   [app.common.spec :as us]
   [app.db :as db]
+   [app.rpc.permissions :as perms]
   [app.rpc.queries.projects :as projects]
   [app.util.services :as sv]
   [app.util.blob :as blob]
@ -59,31 +60,18 @@
    where f.id = ?
      and ppr.profile_id = ?")

-(defn check-edition-permissions!
+(defn- retrieve-file-permissions
  [conn profile-id file-id]
-  (let [rows (db/exec! conn [sql:file-permissions
-                             file-id profile-id
-                             file-id profile-id
-                             file-id profile-id])]
-    (when (empty? rows)
-      (ex/raise :type :not-found))
+  (db/exec! conn [sql:file-permissions
+                  file-id profile-id
+                  file-id profile-id
+                  file-id profile-id]))

-    (when-not (or (some :can-edit rows)
-                  (some :is-admin rows)
-                  (some :is-owner rows))
-      (ex/raise :type :authorization
-                :code :not-authorized))))
+(def check-edition-permissions!
+  (perms/make-edition-check-fn retrieve-file-permissions))

-
-(defn check-read-permissions!
-  [conn profile-id file-id]
-  (let [rows (db/exec! conn [sql:file-permissions
-                             file-id profile-id
-                             file-id profile-id
-                             file-id profile-id])]
-    (when-not (seq rows)
-      (ex/raise :type :authorization
-                :code :not-authorized))))
+(def check-read-permissions!
+  (perms/make-read-check-fn retrieve-file-permissions))


 ;; --- Query: Files search
@ -155,9 +143,9 @@

 (defn retrieve-file
  [conn id]
-  (let [file (db/get-by-id conn :file id)]
-    (-> (decode-row file)
-        (pmg/migrate-file))))
+  (-> (db/get-by-id conn :file id)
+      (decode-row)
+      (pmg/migrate-file)))

 (s/def ::file
  (s/keys :req-un [::profile-id ::id]))
--- a/backend/src/app/rpc/queries/projects.clj
+++ b/backend/src/app/rpc/queries/projects.clj
@ -12,6 +12,7 @@
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
   [app.db :as db]
+   [app.rpc.permissions :as perms]
   [app.rpc.queries.teams :as teams]
   [app.util.services :as sv]
   [clojure.spec.alpha :as s]))
@ -34,29 +35,17 @@
    where ppr.project_id = ?
      and ppr.profile_id = ?")

-(defn check-edition-permissions!
+(defn- retrieve-project-permissions
  [conn profile-id project-id]
-  (let [rows (db/exec! conn [sql:project-permissions
-                             project-id profile-id
-                             project-id profile-id])]
-    (when (empty? rows)
-      (ex/raise :type :not-found))
-    (when-not (or (some :can-edit rows)
-                  (some :is-admin rows)
-                  (some :is-owner rows))
-      (ex/raise :type :authorization
-                :code :not-authorized))))
+  (db/exec! conn [sql:project-permissions
+                  project-id profile-id
+                  project-id profile-id]))

-(defn check-read-permissions!
-  [conn profile-id project-id]
-  (let [rows (db/exec! conn [sql:project-permissions
-                             project-id profile-id
-                             project-id profile-id])]
-
-    (when-not (seq rows)
-      (ex/raise :type :authorization
-                :code :not-authorized))))
+(def check-edition-permissions!
+  (perms/make-edition-check-fn retrieve-project-permissions))

+(def check-read-permissions!
+  (perms/make-read-check-fn retrieve-project-permissions))


 ;; --- Query: Projects
--- a/backend/src/app/rpc/queries/teams.clj
+++ b/backend/src/app/rpc/queries/teams.clj
@ -12,6 +12,7 @@
   [app.common.exceptions :as ex]
   [app.common.spec :as us]
   [app.db :as db]
+   [app.rpc.permissions :as perms]
   [app.rpc.queries.profile :as profile]
   [app.util.services :as sv]
   [clojure.spec.alpha :as s]))
@ -26,24 +27,15 @@
    where tpr.profile_id = ?
      and tpr.team_id = ?")

-(defn check-edition-permissions!
+(defn- retrieve-team-permissions
  [conn profile-id team-id]
-  (let [row (db/exec-one! conn [sql:team-permissions profile-id team-id])]
-    (when-not (or (:can-edit row)
-                  (:is-admin row)
-                  (:is-owner row))
-      (ex/raise :type :authorization
-                :code :not-authorized))
-    row))
+  (db/exec! conn [sql:team-permissions profile-id team-id]))

-(defn check-read-permissions!
-  [conn profile-id team-id]
-  (let [row (db/exec-one! conn [sql:team-permissions profile-id team-id])]
-    ;; when row is found this means that read permission is granted.
-    (when-not row
-      (ex/raise :type :authorization
-                :code :not-authorized))
-    row))
+(def check-edition-permissions!
+  (perms/make-edition-check-fn retrieve-team-permissions))
+
+(def check-read-permissions!
+  (perms/make-read-check-fn retrieve-team-permissions))


 ;; --- Query: Teams
@ -96,7 +88,7 @@
        result   (db/exec-one! conn [sql (:default-team-id defaults) profile-id team-id])]
    (when-not result
      (ex/raise :type :not-found
-                :code :object-does-not-exists))
+                :code :team-does-not-exist))
    result))