Permissions contacts

2025-01-20 16:20:08 +01:00 · 2025-01-20 16:20:08 +01:00 · 7af59fb935
commit 7af59fb935
parent 19b2b7db68
2 changed files with 207 additions and 14 deletions
--- a/controllers/contacts.go
+++ b/controllers/contacts.go
@ -14,6 +14,32 @@ import (
 )
 func Contacts(c *fiber.Ctx) error {
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allowedSections, err := helpers.PermissionsGetSections(
 		userid, "show_contact",
 	)
 	if err != nil {
 		return err
 	}
 	allowedSectionsArchived, err := helpers.PermissionsGetSections(
 		userid, "show_archived_contact",
 	)
 	if err != nil {
 		return err
 	}
 	permShow := (len(allowedSections) > 0)
 	permShowArchived := (len(allowedSectionsArchived) > 0)
 	if !permShow && !permShowArchived {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	db, err := helpers.GetDatabase()
 	if err != nil {
 		return err
@ -23,7 +49,7 @@ func Contacts(c *fiber.Ctx) error {
 	result := db.Order(
 		"last_name collate nocase asc, first_name collate nocase asc",
 	).Preload("Section").Find(
-		&people, "is_contact = ?", true,
+		&people, "is_contact = ? AND section_id IN ?", true, allowedSections,
 	)
 	if result.Error != nil && !errors.Is(result.Error, gorm.ErrRecordNotFound) {
@ -34,6 +60,8 @@ func Contacts(c *fiber.Ctx) error {
 		"PageTitle":        "Contacts",
 		"MembersPage":      false,
 		"People":           people,
 		"PermShow":         permShow,
 		"PermShowArchived": permShowArchived,
 	})
 }
@ -58,6 +86,27 @@ func ContactShow(c *fiber.Ctx) error {
 		return result.Error
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	persmissionName := "show_contact"
 	if person.DeletedAt.Valid {
 		persmissionName = "show_archived_contact"
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, persmissionName, person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	title := fmt.Sprintf(
 		"%s %s | Contact",
 		person.LastName,
@ -78,17 +127,41 @@ func ContactShow(c *fiber.Ctx) error {
 		person.ID,
 	)
 	permEdit, _ := helpers.PermissionsGetSections(userid, "edit_contact")
 	permConvert, _ := helpers.PermissionsGetSections(userid, "convert_contact_to_member")
 	permArchive, _ := helpers.PermissionsGetSections(userid, "archive_contact")
 	permRestore, _ := helpers.PermissionsGetSections(userid, "restore_contact")
 	permPurge, _ := helpers.PermissionsGetSections(userid, "purge_contact")
 	return c.Render("person", fiber.Map{
 		"PageTitle":   title,
 		"Person":      person,
 		"Fields":      fields,
 		"FieldValues": fieldValues,
 		"PermEdit":    permEdit,
 		"PermConvert": permConvert,
 		"PermArchive": permArchive,
 		"PermRestore": permRestore,
 		"PermPurge":   permPurge,
 	})
 }
 func ContactAdd(c *fiber.Ctx) error {
-	var person models.Person
+	userid, err := helpers.GetSessionUserId(c)
-	var errors []string
+	if err != nil {
 		return err
 	}
 	allowedSections, err := helpers.PermissionsGetSections(
 		userid, "create_contact",
 	)
 	if err != nil {
 		return err
 	}
 	if len(allowedSections) < 1 {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	db, err := helpers.GetDatabase()
 	if err != nil {
@ -109,6 +182,9 @@ func ContactAdd(c *fiber.Ctx) error {
 		&fields, "person_type = ?", "contact",
 	)
 	var person models.Person
 	var errors []string
 	if c.Method() == "POST" {
 		data := PersonValidation{
 			LastName:   c.FormValue("last_name"),
@ -315,6 +391,22 @@ func ContactEdit(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "edit_contact", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	title := fmt.Sprintf(
 		"%s %s | Modifier contact",
 		person.LastName,
@ -557,6 +649,22 @@ func ContactConvert(c *fiber.Ctx) error {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "convert_contact_to_member", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	person.IsContact = false
 	person.IsMember = true
@ -579,7 +687,34 @@ func ContactArchive(c *fiber.Ctx) error {
 		return err
 	}
-	result := db.Delete(&models.Person{}, id)
+	var person models.Person
 	result := db.Find(&person, "id = ? AND is_contact = ? AND deleted_at IS NULL", id, true)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "archive_contact", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	result = db.Delete(&person)
 	if result.Error != nil {
 		return result.Error
 	}
@ -598,9 +733,37 @@ func ContactRestore(c *fiber.Ctx) error {
 		return err
 	}
-	result := db.Unscoped().Model(&models.Person{}).Where(
+	var person models.Person
-		"id = ?", id,
+	result := db.Unscoped().Find(
-	).Update("DeletedAt", nil)
+		&person, "id = ? AND is_contact = ? AND deleted_at IS NOT NULL", id, true,
 	)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "restore_contact", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	person.DeletedAt.Valid = false
 	result = db.Save(&person)
 	if result.Error != nil {
 		return result.Error
@ -620,7 +783,36 @@ func ContactPurge(c *fiber.Ctx) error {
 		return err
 	}
-	result := db.Unscoped().Delete(
+	var person models.Person
 	result := db.Unscoped().Find(
 		&person, "id = ? AND is_contact = ?", id, true,
 	)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "purge_contact", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	result = db.Unscoped().Delete(
 		&models.FieldValue{}, "person_id = ?", id,
 	)
--- a/controllers/members.go
+++ b/controllers/members.go
@ -197,6 +197,7 @@ func MemberAdd(c *fiber.Ctx) error {
 	var person models.Person
 	var errors []string
 	if c.Method() == "POST" {
 		data := PersonValidation{
 			LastName:   c.FormValue("last_name"),
@ -700,7 +701,7 @@ func MemberArchive(c *fiber.Ctx) error {
 	}
 	var person models.Person
-	result := db.Find(&person, "id = ?", id)
+	result := db.Find(&person, "id = ? AND is_member = ? AND deleted_at IS NULL", id, true)
 	if result.Error != nil {
 		return result.Error
@ -747,7 +748,7 @@ func MemberRestore(c *fiber.Ctx) error {
 	var person models.Person
 	result := db.Unscoped().Find(
-		&person, "id = ? AND deleted_at IS NOT NULL", id,
+		&person, "id = ? AND is_member = ? AND deleted_at IS NOT NULL", id, true,
 	)
 	if result.Error != nil {
@ -797,7 +798,7 @@ func MemberPurge(c *fiber.Ctx) error {
 	var person models.Person
 	result := db.Unscoped().Find(
-		&person, "id = ?", id,
+		&person, "id = ? AND is_member = ?", id, true,
 	)
 	if result.Error != nil {