Permissions contacts

2025-01-20 16:20:08 +01:00 · 2025-01-20 16:20:08 +01:00 · 187bb525b7
commit 187bb525b7
parent a98898ad03
2 changed files with 207 additions and 14 deletions
--- a/controllers/contacts.go
+++ b/controllers/contacts.go
@ -14,6 +14,32 @@ import (
 )

 func Contacts(c *fiber.Ctx) error {
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allowedSections, err := helpers.PermissionsGetSections(
+		userid, "show_contact",
+	)
+	if err != nil {
+		return err
+	}
+
+	allowedSectionsArchived, err := helpers.PermissionsGetSections(
+		userid, "show_archived_contact",
+	)
+	if err != nil {
+		return err
+	}
+
+	permShow := (len(allowedSections) > 0)
+	permShowArchived := (len(allowedSectionsArchived) > 0)
+
+	if !permShow && !permShowArchived {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
 	db, err := helpers.GetDatabase()
 	if err != nil {
 		return err
@ -23,7 +49,7 @@ func Contacts(c *fiber.Ctx) error {
 	result := db.Order(
 		"last_name collate nocase asc, first_name collate nocase asc",
 	).Preload("Section").Find(
-		&people, "is_contact = ?", true,
+		&people, "is_contact = ? AND section_id IN ?", true, allowedSections,
 	)

 	if result.Error != nil && !errors.Is(result.Error, gorm.ErrRecordNotFound) {
@ -31,9 +57,11 @@ func Contacts(c *fiber.Ctx) error {
 	}

 	return c.Render("people", fiber.Map{
-		"PageTitle":   "Contacts",
-		"MembersPage": false,
-		"People":      people,
+		"PageTitle":        "Contacts",
+		"MembersPage":      false,
+		"People":           people,
+		"PermShow":         permShow,
+		"PermShowArchived": permShowArchived,
 	})
 }

@ -58,6 +86,27 @@ func ContactShow(c *fiber.Ctx) error {
 		return result.Error
 	}

+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	persmissionName := "show_contact"
+	if person.DeletedAt.Valid {
+		persmissionName = "show_archived_contact"
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, persmissionName, person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
 	title := fmt.Sprintf(
 		"%s %s | Contact",
 		person.LastName,
@ -78,17 +127,41 @@ func ContactShow(c *fiber.Ctx) error {
 		person.ID,
 	)

+	permEdit, _ := helpers.PermissionsGetSections(userid, "edit_contact")
+	permConvert, _ := helpers.PermissionsGetSections(userid, "convert_contact_to_member")
+	permArchive, _ := helpers.PermissionsGetSections(userid, "archive_contact")
+	permRestore, _ := helpers.PermissionsGetSections(userid, "restore_contact")
+	permPurge, _ := helpers.PermissionsGetSections(userid, "purge_contact")
+
 	return c.Render("person", fiber.Map{
 		"PageTitle":   title,
 		"Person":      person,
 		"Fields":      fields,
 		"FieldValues": fieldValues,
+		"PermEdit":    permEdit,
+		"PermConvert": permConvert,
+		"PermArchive": permArchive,
+		"PermRestore": permRestore,
+		"PermPurge":   permPurge,
 	})
 }

 func ContactAdd(c *fiber.Ctx) error {
-	var person models.Person
-	var errors []string
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allowedSections, err := helpers.PermissionsGetSections(
+		userid, "create_contact",
+	)
+	if err != nil {
+		return err
+	}
+
+	if len(allowedSections) < 1 {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}

 	db, err := helpers.GetDatabase()
 	if err != nil {
@ -109,6 +182,9 @@ func ContactAdd(c *fiber.Ctx) error {
 		&fields, "person_type = ?", "contact",
 	)

+	var person models.Person
+	var errors []string
+
 	if c.Method() == "POST" {
 		data := PersonValidation{
 			LastName:   c.FormValue("last_name"),
@ -315,6 +391,22 @@ func ContactEdit(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}

+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "edit_contact", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
 	title := fmt.Sprintf(
 		"%s %s | Modifier contact",
 		person.LastName,
@ -557,6 +649,22 @@ func ContactConvert(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}

+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "convert_contact_to_member", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
 	person.IsContact = false
 	person.IsMember = true

@ -579,7 +687,34 @@ func ContactArchive(c *fiber.Ctx) error {
 		return err
 	}

-	result := db.Delete(&models.Person{}, id)
+	var person models.Person
+	result := db.Find(&person, "id = ? AND is_contact = ? AND deleted_at IS NULL", id, true)
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
+		return fiber.NewError(fiber.StatusNotFound, "Not found")
+	}
+
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "archive_contact", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
+	result = db.Delete(&person)
 	if result.Error != nil {
 		return result.Error
 	}
@ -598,9 +733,37 @@ func ContactRestore(c *fiber.Ctx) error {
 		return err
 	}

-	result := db.Unscoped().Model(&models.Person{}).Where(
-		"id = ?", id,
-	).Update("DeletedAt", nil)
+	var person models.Person
+	result := db.Unscoped().Find(
+		&person, "id = ? AND is_contact = ? AND deleted_at IS NOT NULL", id, true,
+	)
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
+		return fiber.NewError(fiber.StatusNotFound, "Not found")
+	}
+
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "restore_contact", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
+	person.DeletedAt.Valid = false
+	result = db.Save(&person)

 	if result.Error != nil {
 		return result.Error
@ -620,7 +783,36 @@ func ContactPurge(c *fiber.Ctx) error {
 		return err
 	}

-	result := db.Unscoped().Delete(
+	var person models.Person
+	result := db.Unscoped().Find(
+		&person, "id = ? AND is_contact = ?", id, true,
+	)
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
+		return fiber.NewError(fiber.StatusNotFound, "Not found")
+	}
+
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "purge_contact", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
+	result = db.Unscoped().Delete(
 		&models.FieldValue{}, "person_id = ?", id,
 	)

--- a/controllers/members.go
+++ b/controllers/members.go
@ -197,6 +197,7 @@ func MemberAdd(c *fiber.Ctx) error {

 	var person models.Person
 	var errors []string
+
 	if c.Method() == "POST" {
 		data := PersonValidation{
 			LastName:   c.FormValue("last_name"),
@ -700,7 +701,7 @@ func MemberArchive(c *fiber.Ctx) error {
 	}

 	var person models.Person
-	result := db.Find(&person, "id = ?", id)
+	result := db.Find(&person, "id = ? AND is_member = ? AND deleted_at IS NULL", id, true)

 	if result.Error != nil {
 		return result.Error
@ -747,7 +748,7 @@ func MemberRestore(c *fiber.Ctx) error {

 	var person models.Person
 	result := db.Unscoped().Find(
-		&person, "id = ? AND deleted_at IS NOT NULL", id,
+		&person, "id = ? AND is_member = ? AND deleted_at IS NOT NULL", id, true,
 	)

 	if result.Error != nil {
@ -797,7 +798,7 @@ func MemberPurge(c *fiber.Ctx) error {

 	var person models.Person
 	result := db.Unscoped().Find(
-		&person, "id = ?", id,
+		&person, "id = ? AND is_member = ?", id, true,
 	)

 	if result.Error != nil {