From 7af59fb935846697b705acfbca6f6008d76fbd9c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?William=20Bouzour=C3=A8ne?= Date: Mon, 20 Jan 2025 16:20:08 +0100 Subject: [PATCH] Permissions contacts --- controllers/contacts.go | 214 +++++++++++++++++++++++++++++++++++++--- controllers/members.go | 7 +- 2 files changed, 207 insertions(+), 14 deletions(-) diff --git a/controllers/contacts.go b/controllers/contacts.go index 9ba18fe..6dedf8b 100644 --- a/controllers/contacts.go +++ b/controllers/contacts.go @@ -14,6 +14,32 @@ import ( ) func Contacts(c *fiber.Ctx) error { + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allowedSections, err := helpers.PermissionsGetSections( + userid, "show_contact", + ) + if err != nil { + return err + } + + allowedSectionsArchived, err := helpers.PermissionsGetSections( + userid, "show_archived_contact", + ) + if err != nil { + return err + } + + permShow := (len(allowedSections) > 0) + permShowArchived := (len(allowedSectionsArchived) > 0) + + if !permShow && !permShowArchived { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + db, err := helpers.GetDatabase() if err != nil { return err @@ -23,7 +49,7 @@ func Contacts(c *fiber.Ctx) error { result := db.Order( "last_name collate nocase asc, first_name collate nocase asc", ).Preload("Section").Find( - &people, "is_contact = ?", true, + &people, "is_contact = ? AND section_id IN ?", true, allowedSections, ) if result.Error != nil && !errors.Is(result.Error, gorm.ErrRecordNotFound) { @@ -31,9 +57,11 @@ func Contacts(c *fiber.Ctx) error { } return c.Render("people", fiber.Map{ - "PageTitle": "Contacts", - "MembersPage": false, - "People": people, + "PageTitle": "Contacts", + "MembersPage": false, + "People": people, + "PermShow": permShow, + "PermShowArchived": permShowArchived, }) } 
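Review bot: The gate at the top of Contacts admits a caller who holds only `show_archived_contact`, yet `allowedSectionsArchived` is reduced to a boolean and never reaches a query in this function, so that caller passes the 403 check and gets an empty listing. If archived contacts are listed by a separate handler (not visible here), gate this one on the live permission alone, `if !permShow { return fiber.NewError(fiber.StatusForbidden, "Forbidden") }`, and keep the archived lookup only if the template really needs `PermShowArchived`; if they are meant to appear here, the archived sections must be fed to an `Unscoped()` query instead. As written the second permission fetch is a round-trip whose result is discarded.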
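Review bot: The `section_id IN ?` filter runs even when `allowedSections` is empty (caller admitted on `show_archived_contact` alone), so non-disclosure depends on GORM expanding an empty slice to `IN (NULL)`, which matches nothing; nothing leaks today, but it is an implicit dependency on the ORM. Skip the query explicitly when the caller may not see live contacts, e.g. wrap the `db.Order(...).Find(...)` call in `if permShow { ... }` and render the empty `people` otherwise. Contacts whose `section_id` is NULL can never match an IN list and so disappear for everyone — acceptable as deny-by-default, but worth stating with `// contacts without a section are never listed`.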
@@ -58,6 +86,27 @@ func ContactShow(c *fiber.Ctx) error { return result.Error } + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + persmissionName := "show_contact" + if person.DeletedAt.Valid { + persmissionName = "show_archived_contact" + } + + allow, err := helpers.PermissionsCheckSection( + userid, persmissionName, person.SectionID, + ) + if err != nil { + return err + } + + if !allow { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + title := fmt.Sprintf( "%s %s | Contact", person.LastName, @@ -78,17 +127,41 @@ func ContactShow(c *fiber.Ctx) error { person.ID, ) + permEdit, _ := helpers.PermissionsGetSections(userid, "edit_contact") + permConvert, _ := helpers.PermissionsGetSections(userid, "convert_contact_to_member") + permArchive, _ := helpers.PermissionsGetSections(userid, "archive_contact") + permRestore, _ := helpers.PermissionsGetSections(userid, "restore_contact") + permPurge, _ := helpers.PermissionsGetSections(userid, "purge_contact") + return c.Render("person", fiber.Map{ "PageTitle": title, "Person": person, "Fields": fields, "FieldValues": fieldValues, + "PermEdit": permEdit, + "PermConvert": permConvert, + "PermArchive": permArchive, + "PermRestore": permRestore, + "PermPurge": permPurge, }) } func ContactAdd(c *fiber.Ctx) error { - var person models.Person - var errors []string + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allowedSections, err := helpers.PermissionsGetSections( + userid, "create_contact", + ) + if err != nil { + return err + } + + if len(allowedSections) < 1 { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } db, err := helpers.GetDatabase() if err != nil { @@ -109,6 +182,9 @@ func ContactAdd(c *fiber.Ctx) error { &fields, "person_type = ?", "contact", ) + var person models.Person + var errors []string + if c.Method() == "POST" { data := PersonValidation{ LastName: c.FormValue("last_name"), 
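Review bot: Answering 403 when `!allow` while the lookup above answers 404 for unknown ids makes ContactShow an existence oracle: probing `/contacts/{id}` tells a user which ids exist in sections they may not see, archived ones included. Return `fiber.NewError(fiber.StatusNotFound, "Not found")` for the denied case so the two outcomes are indistinguishable; the same 403-after-404 shape is repeated in the edit, convert, archive, restore and purge handlers of this patch. Separately, `persmissionName` is misspelled (`permissionName`), and the `person.DeletedAt.Valid` branch is only reachable if the lookup above — outside this hunk — is `Unscoped()`; worth confirming, otherwise `show_archived_contact` is never consulted here.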
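Review bot: The five `PermissionsGetSections` calls discard their errors with `_` and hand the template section lists rather than a decision about this person, so the view has to redo the "is `person.SectionID` in the list" test that `PermissionsCheckSection` already performs a few lines up. A failure of the permission store silently yields empty lists, and a template that only tests non-emptiness (its code is not visible here) would show actions the later handlers then reject. Compute booleans per action with `PermissionsCheckSection(userid, name, person.SectionID)`, return the error, and keep the `PermEdit`…`PermPurge` keys so the template contract changes only in value type:
```go
permEdit, err := helpers.PermissionsCheckSection(userid, "edit_contact", person.SectionID)
if err != nil {
	return err
}
permConvert, err := helpers.PermissionsCheckSection(userid, "convert_contact_to_member", person.SectionID)
if err != nil {
	return err
}
// … archive_contact, restore_contact and purge_contact checked the same way …
return c.Render("person", fiber.Map{
	// … unchanged: PageTitle, Person, Fields, FieldValues …
	"PermEdit":    permEdit,
	"PermConvert": permConvert,
	"PermArchive": permArchive,
	"PermRestore": permRestore,
	"PermPurge":   permPurge,
})
```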
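Review bot: ContactAdd only checks that `allowedSections` is non-empty; nothing in this hunk ties the section the new contact is stored in to that list. If the POST branch further down (outside this hunk) takes `section_id` from the form, a user allowed to create contacts in one section can create them in any section by editing the field, so the submitted value has to be validated before the insert, e.g. `if ok, err := helpers.PermissionsCheckSection(userid, "create_contact", person.SectionID); err != nil || !ok { ... }`. The section selector rendered by the form should likewise be limited to `allowedSections`, which is already in hand here.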
@@ -315,6 +391,22 @@ func ContactEdit(c *fiber.Ctx) error { return fiber.NewError(fiber.StatusNotFound, "Not found") } + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allow, err := helpers.PermissionsCheckSection( + userid, "edit_contact", person.SectionID, + ) + if err != nil { + return err + } + + if !allow { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + title := fmt.Sprintf( "%s %s | Modifier contact", person.LastName, @@ -557,6 +649,22 @@ func ContactConvert(c *fiber.Ctx) error { return fiber.NewError(fiber.StatusNotFound, "Not found") } + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allow, err := helpers.PermissionsCheckSection( + userid, "convert_contact_to_member", person.SectionID, + ) + if err != nil { + return err + } + + if !allow { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + person.IsContact = false person.IsMember = true @@ -579,7 +687,34 @@ func ContactArchive(c *fiber.Ctx) error { return err } - result := db.Delete(&models.Person{}, id) + var person models.Person + result := db.Find(&person, "id = ? AND is_contact = ? AND deleted_at IS NULL", id, true) + + if result.Error != nil { + return result.Error + } + + if result.RowsAffected < 1 { + return fiber.NewError(fiber.StatusNotFound, "Not found") + } + + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allow, err := helpers.PermissionsCheckSection( + userid, "archive_contact", person.SectionID, + ) + if err != nil { + return err + } + + if !allow { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + + result = db.Delete(&person) if result.Error != nil { return result.Error } 
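Review bot: The `edit_contact` check is made against the section the contact currently belongs to, but the edit form (outside this hunk) may let the caller change `section_id`; if it does, a user with edit rights in section A can move a contact into section B where they hold none, and nothing in this hunk prevents it. Re-check the submitted section before saving: `if ok, err := helpers.PermissionsCheckSection(userid, "edit_contact", newSectionID); err != nil || !ok { return fiber.NewError(fiber.StatusForbidden, "Forbidden") }`. ContactEdit's body continues well past the hunk, so this needs confirming against the POST handling.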
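Review bot: The lookup feeding this check sits above the hunk and, unlike ContactArchive/Restore/Purge in the same patch, was not tightened to `is_contact = ?`; if it still selects by `id` alone, `convert_contact_to_member` can be applied to any person in a section the caller holds that permission for, including existing members, rewriting their flags. Align it with the archive handler: `result := db.Find(&person, "id = ? AND is_contact = ? AND deleted_at IS NULL", id, true)`. After the flip the record is governed by member-side permissions, so consider whether the caller should also need the corresponding member right for `person.SectionID`.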
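Review bot: `result = db.Delete(&person)` at the end of the hunk never checks `result.RowsAffected`, so if the row was archived or purged between the `Find` and the `Delete` (they are not in one transaction) the handler reports success for a no-op. Check it the way the lookup does: `if result.RowsAffected < 1 { return fiber.NewError(fiber.StatusNotFound, "Not found") }`. The `deleted_at IS NULL` predicate in the `Find` duplicates GORM's soft-delete scope on a non-`Unscoped()` query — harmless, but a one-line comment such as `// explicit: only live contacts can be archived` would make the intent clear. ContactArchive's tail is outside this hunk.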
@@ -598,9 +733,37 @@ func ContactRestore(c *fiber.Ctx) error { return err } - result := db.Unscoped().Model(&models.Person{}).Where( - "id = ?", id, - ).Update("DeletedAt", nil) + var person models.Person + result := db.Unscoped().Find( + &person, "id = ? AND is_contact = ? AND deleted_at IS NOT NULL", id, true, + ) + + if result.Error != nil { + return result.Error + } + + if result.RowsAffected < 1 { + return fiber.NewError(fiber.StatusNotFound, "Not found") + } + + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allow, err := helpers.PermissionsCheckSection( + userid, "restore_contact", person.SectionID, + ) + if err != nil { + return err + } + + if !allow { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + + person.DeletedAt.Valid = false + result = db.Save(&person) if result.Error != nil { return result.Error @@ -620,7 +783,36 @@ func ContactPurge(c *fiber.Ctx) error { return err } - result := db.Unscoped().Delete( + var person models.Person + result := db.Unscoped().Find( + &person, "id = ? AND is_contact = ?", id, true, + ) + + if result.Error != nil { + return result.Error + } + + if result.RowsAffected < 1 { + return fiber.NewError(fiber.StatusNotFound, "Not found") + } + + userid, err := helpers.GetSessionUserId(c) + if err != nil { + return err + } + + allow, err := helpers.PermissionsCheckSection( + userid, "purge_contact", person.SectionID, + ) + if err != nil { + return err + } + + if !allow { + return fiber.NewError(fiber.StatusForbidden, "Forbidden") + } + + result = db.Unscoped().Delete( &models.FieldValue{}, "person_id = ?", id, ) diff --git a/controllers/members.go b/controllers/members.go index 2ce85e3..72993c3 100644 --- a/controllers/members.go +++ b/controllers/members.go @@ -197,6 +197,7 @@ func MemberAdd(c *fiber.Ctx) error { var person models.Person var errors []string + if c.Method() == "POST" { data := PersonValidation{ LastName: c.FormValue("last_name"), 
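Review bot: The restore at the end of the hunk drops the `Unscoped()` the replaced code had: `db.Save(&person)` issues its UPDATE under GORM's soft-delete scope, i.e. with `deleted_at IS NULL` in the WHERE clause, which cannot match the archived row that was just loaded. Depending on the GORM version, `Save` then either reports zero rows affected (the restore silently does nothing) or falls back to an upsert that rewrites every column from the struct with hooks skipped — a restore should rely on neither. Keep the explicit form, `result = db.Unscoped().Model(&person).Update("deleted_at", nil)`, and check `result.RowsAffected` afterwards. The function continues past the hunk.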
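Review bot: The purge lookup is `Unscoped()` but does not require `deleted_at IS NOT NULL`, so a holder of `purge_contact` can hard-delete a live contact in one step, skipping the archive stage that ContactRestore exists to undo; if purge is meant for archived records only, add `AND deleted_at IS NOT NULL` to the `Find`. The hard delete of field values at the end of the hunk and the person delete that presumably follows (outside the hunk) are separate statements, so a failure between them leaves a person record stripped of its field values; run both inside `db.Transaction(func(tx *gorm.DB) error { ... })`.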
@@ -700,7 +701,7 @@ func MemberArchive(c *fiber.Ctx) error { } var person models.Person - result := db.Find(&person, "id = ?", id) + result := db.Find(&person, "id = ? AND is_member = ? AND deleted_at IS NULL", id, true) if result.Error != nil { return result.Error @@ -747,7 +748,7 @@ func MemberRestore(c *fiber.Ctx) error { var person models.Person result := db.Unscoped().Find( - &person, "id = ? AND deleted_at IS NOT NULL", id, + &person, "id = ? AND is_member = ? AND deleted_at IS NOT NULL", id, true, ) if result.Error != nil { @@ -797,7 +798,7 @@ func MemberPurge(c *fiber.Ctx) error { var person models.Person result := db.Unscoped().Find( - &person, "id = ?", id, + &person, "id = ? AND is_member = ?", id, true, ) if result.Error != nil {
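Review bot: MemberPurge's lookup gains `is_member = ?` but, like the contact purge in this patch, stays `Unscoped()` without `deleted_at IS NOT NULL`, so `purge_member` holders can hard-delete a live member without archiving first. If that is not intended, use `&person, "id = ? AND is_member = ? AND deleted_at IS NOT NULL", id, true,`, mirroring the restore lookup above it. The permission check and the deletes that follow are outside this hunk.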