From b4ba9d437535bf9f23b4b4b4b64339e5f796d6b7 Mon Sep 17 00:00:00 2001
From: Andrey Antukh
Date: Thu, 21 Jan 2021 11:19:03 +0100
Subject: [PATCH] :sparkles: Normalize permission checks.
---
 backend/src/app/rpc/permissions.clj | 41 ++++++++++++++++++++++++
 backend/src/app/rpc/queries/files.clj | 38 ++++++++--------------
 backend/src/app/rpc/queries/projects.clj | 29 ++++++-----------
 backend/src/app/rpc/queries/teams.clj | 26 ++++++---------
 4 files changed, 72 insertions(+), 62 deletions(-)
 create mode 100644 backend/src/app/rpc/permissions.clj
diff --git a/backend/src/app/rpc/permissions.clj b/backend/src/app/rpc/permissions.clj
new file mode 100644
index 000000000..7bf9efd04
--- /dev/null
+++ b/backend/src/app/rpc/permissions.clj
@@ -0,0 +1,41 @@
+;; This Source Code Form is subject to the terms of the Mozilla Public
+;; License, v. 2.0. If a copy of the MPL was not distributed with this
+;; file, You can obtain one at http://mozilla.org/MPL/2.0/.
+;;
+;; This Source Code Form is "Incompatible With Secondary Licenses", as
+;; defined by the Mozilla Public License, v. 2.0.
+;;
+;; Copyright (c) 2020 UXBOX Labs SL
+
+(ns app.rpc.permissions
+ "A permission checking helper factories."
+ (:require
+ [app.common.spec :as us]
+ [app.common.exceptions :as ex]
+ [clojure.spec.alpha :as s]))
+
+(defn make-edition-check-fn
+ "A simple factory for edition permission check functions."
+ [qfn]
+ (us/assert fn? qfn)
+ (fn [& args]
+ (let [rows (apply qfn args)]
+ (when (or (empty? rows)
+ (not (or (some :can-edit rows)
+ (some :is-admin rows)
+ (some :is-owner rows))))
+ (ex/raise :type :not-found
+ :code :object-not-found
+ :hint "not found")))))
+
+(defn make-read-check-fn
+ "A simple factory for read permission check functions."
+ [qfn]
+ (us/assert fn? qfn)
+ (fn [& args]
+ (let [rows (apply qfn args)]
+ (when-not (seq rows)
+ (ex/raise :type :not-found
+ :code :object-not-found)))))
+
+
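Review bot: The function returned by `make-edition-check-fn` raises the same `:not-found` / `:object-not-found` error whether `qfn` returned no rows or returned rows without `:can-edit`, `:is-admin` or `:is-owner`, and the docstring does not say that this is intended. Hiding the denial from the client avoids confirming that an object exists, but a handler or log consumer keyed on the exception data can no longer tell a permission denial from a missing object, which removes a signal for spotting access probing. I would state the contract in the docstring, e.g. `"Returns a fn that applies qfn to its args and raises :not-found when no row grants :can-edit, :is-admin or :is-owner; returns nil otherwise."`, and record the denial branch server-side before raising. `[clojure.spec.alpha :as s]` is required in this namespace but is not used anywhere in the file as added.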
diff --git a/backend/src/app/rpc/queries/files.clj b/backend/src/app/rpc/queries/files.clj index 0f533fdc6..721520450 100644 --- a/backend/src/app/rpc/queries/files.clj +++ b/backend/src/app/rpc/queries/files.clj @@ -13,6 +13,7 @@ [app.common.pages.migrations :as pmg] [app.common.spec :as us] [app.db :as db] + [app.rpc.permissions :as perms] [app.rpc.queries.projects :as projects] [app.util.services :as sv] [app.util.blob :as blob] @@ -59,31 +60,18 @@ where f.id = ? and ppr.profile_id = ?") -(defn check-edition-permissions! +(defn- retrieve-file-permissions [conn profile-id file-id] - (let [rows (db/exec! conn [sql:file-permissions - file-id profile-id - file-id profile-id - file-id profile-id])] - (when (empty? rows) - (ex/raise :type :not-found)) + (db/exec! conn [sql:file-permissions + file-id profile-id + file-id profile-id + file-id profile-id])) - (when-not (or (some :can-edit rows) - (some :is-admin rows) - (some :is-owner rows)) - (ex/raise :type :authorization - :code :not-authorized)))) +(def check-edition-permissions! + (perms/make-edition-check-fn retrieve-file-permissions)) - -(defn check-read-permissions! - [conn profile-id file-id] - (let [rows (db/exec! conn [sql:file-permissions - file-id profile-id - file-id profile-id - file-id profile-id])] - (when-not (seq rows) - (ex/raise :type :authorization - :code :not-authorized)))) +(def check-read-permissions! + (perms/make-read-check-fn retrieve-file-permissions)) ;; --- Query: Files search @@ -155,9 +143,9 @@ (defn retrieve-file [conn id] - (let [file (db/get-by-id conn :file id)] - (-> (decode-row file) - (pmg/migrate-file)))) + (-> (db/get-by-id conn :file id) + (decode-row) + (pmg/migrate-file))) (s/def ::file (s/keys :req-un [::profile-id ::id])) diff --git a/backend/src/app/rpc/queries/projects.clj b/backend/src/app/rpc/queries/projects.clj index 1bbd8bc19..c6f56dcc7 100644 --- a/backend/src/app/rpc/queries/projects.clj +++ b/backend/src/app/rpc/queries/projects.clj 
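Review bot: In files.clj, `check-edition-permissions!` and `check-read-permissions!` are now `def`s bound to a variadic closure, so the public vars lose the `[conn profile-id file-id]` arglist and carry no docstring; a call with the wrong number of arguments is only rejected inside `retrieve-file-permissions`. Both checks also now raise `:not-found` where the removed code raised `:type :authorization`, so any caller or error handler outside this diff that matched on `:authorization` for file access should be re-checked. I would add the arglist and a docstring on each var, e.g. `(def ^{:arglists '([conn profile-id file-id])} check-read-permissions! (perms/make-read-check-fn retrieve-file-permissions))`. The same applies to the matching defs in the projects.clj and teams.clj hunks.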
@@ -12,6 +12,7 @@ [app.common.exceptions :as ex] [app.common.spec :as us] [app.db :as db] + [app.rpc.permissions :as perms] [app.rpc.queries.teams :as teams] [app.util.services :as sv] [clojure.spec.alpha :as s])) @@ -34,29 +35,17 @@ where ppr.project_id = ? and ppr.profile_id = ?") -(defn check-edition-permissions! +(defn- retrieve-project-permissions [conn profile-id project-id] - (let [rows (db/exec! conn [sql:project-permissions - project-id profile-id - project-id profile-id])] - (when (empty? rows) - (ex/raise :type :not-found)) - (when-not (or (some :can-edit rows) - (some :is-admin rows) - (some :is-owner rows)) - (ex/raise :type :authorization - :code :not-authorized)))) + (db/exec! conn [sql:project-permissions + project-id profile-id + project-id profile-id])) -(defn check-read-permissions! - [conn profile-id project-id] - (let [rows (db/exec! conn [sql:project-permissions - project-id profile-id - project-id profile-id])] - - (when-not (seq rows) - (ex/raise :type :authorization - :code :not-authorized)))) +(def check-edition-permissions! + (perms/make-edition-check-fn retrieve-project-permissions)) +(def check-read-permissions! + (perms/make-read-check-fn retrieve-project-permissions)) ;; --- Query: Projects diff --git a/backend/src/app/rpc/queries/teams.clj b/backend/src/app/rpc/queries/teams.clj index 7840dfa71..a414f8d7a 100644 --- a/backend/src/app/rpc/queries/teams.clj +++ b/backend/src/app/rpc/queries/teams.clj @@ -12,6 +12,7 @@ [app.common.exceptions :as ex] [app.common.spec :as us] [app.db :as db] + [app.rpc.permissions :as perms] [app.rpc.queries.profile :as profile] [app.util.services :as sv] [clojure.spec.alpha :as s])) 
@@ -26,24 +27,15 @@ where tpr.profile_id = ? and tpr.team_id = ?") -(defn check-edition-permissions! +(defn- retrieve-team-permissions [conn profile-id team-id] - (let [row (db/exec-one! conn [sql:team-permissions profile-id team-id])] - (when-not (or (:can-edit row) - (:is-admin row) - (:is-owner row)) - (ex/raise :type :authorization - :code :not-authorized)) - row)) + (db/exec! conn [sql:team-permissions profile-id team-id])) -(defn check-read-permissions! - [conn profile-id team-id] - (let [row (db/exec-one! conn [sql:team-permissions profile-id team-id])] - ;; when row is found this means that read permission is granted. - (when-not row - (ex/raise :type :authorization - :code :not-authorized)) - row)) +(def check-edition-permissions! + (perms/make-edition-check-fn retrieve-team-permissions)) + +(def check-read-permissions! + (perms/make-read-check-fn retrieve-team-permissions)) ;; --- Query: Teams @@ -96,7 +88,7 @@ result (db/exec-one! conn [sql (:default-team-id defaults) profile-id team-id])] (when-not result (ex/raise :type :not-found - :code :object-does-not-exists)) + :code :team-does-not-exist)) result))
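Review bot: The removed `check-edition-permissions!` and `check-read-permissions!` in teams.clj returned the permission `row`, while the functions built by `perms/make-edition-check-fn` and `perms/make-read-check-fn` return nil when the check passes, because both end in a `when` / `when-not` that only raises. Callers are not visible in this diff; any that bind the result to read `:is-owner` or `:is-admin` would now see nil and take the non-privileged branch without an error. If the return value is part of the contract, the factories could return `rows` as the last form of their `let` so call sites can take `(first rows)`; otherwise a docstring on these vars should say the result is nil and that the row must be fetched separately. The query call also changed from `db/exec-one!` to `db/exec!`, which is what the row-sequence checks in the factories expect.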