From 8c94b2567eb05e003bfcc69eedf73234ac04b18f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Bouzour=C3=A8ne?=
Date: Fri, 17 Jan 2025 15:59:35 +0100
Subject: [PATCH] Implement permissions in members controllers

---
 controllers/members.go | 229 +++++++++++++++++++++++++++++++++++++----
 views/person.html | 102 +++++++++++-------
 2 files changed, 272 insertions(+), 59 deletions(-)

diff --git a/controllers/members.go b/controllers/members.go
index c822791..2ce85e3 100644
--- a/controllers/members.go
+++ b/controllers/members.go
@@ -27,6 +27,32 @@ type PersonValidation struct {
 }
 func Members(c *fiber.Ctx) error {
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allowedSections, err := helpers.PermissionsGetSections(
+ userid, "show_member",
+ )
+ if err != nil {
+ return err
+ }
+
+ allowedSectionsArchived, err := helpers.PermissionsGetSections(
+ userid, "show_archived_member",
+ )
+ if err != nil {
+ return err
+ }
+
+ permShow := (len(allowedSections) > 0)
+ permShowArchived := (len(allowedSectionsArchived) > 0)
+
+ if !permShow && !permShowArchived {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+ }
+
 db, err := helpers.GetDatabase()
 if err != nil {
 return err
@@ -36,7 +62,7 @@ func Members(c *fiber.Ctx) error {
 result := db.Order(
 "last_name collate nocase asc, first_name collate nocase asc",
 ).Preload("Section").Find(
- &people, "is_member = ?", true,
+ &people, "is_member = ? AND section_id IN ?", true, allowedSections,
 )
 if result.Error != nil && !errors.Is(result.Error, gorm.ErrRecordNotFound) {
@@ -44,9 +70,11 @@ func Members(c *fiber.Ctx) error {
 }
 return c.Render("people", fiber.Map{
- "PageTitle": "Membres",
- "MembersPage": true,
- "People": people,
+ "PageTitle": "Membres",
+ "MembersPage": true,
+ "People": people,
+ "PermShow": permShow,
+ "PermShowArchived": permShowArchived,
 })
 }
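Review bot: The 403 gate in Members accepts a user who holds only `show_archived_member`, but the query on the second hunk filters with `section_id IN ?` on `allowedSections`, which is the `show_member` list and is empty for that user, so such a user passes the gate and gets an empty page while `permShowArchived` only reaches the template. If archived members are listed on another page, the gate here should be `if !permShow { return fiber.NewError(fiber.StatusForbidden, "Forbidden") }` and the archived lookup can be dropped from this handler; if they are meant to appear here, the query needs to union the archived sections and go through `Unscoped()`, since `person.DeletedAt.Valid` elsewhere in the patch suggests a gorm soft-delete scope that hides them by default. Either way a one-line comment above `permShowArchived` stating which of the two is intended would help the next reader. The body of Members continues between the hunks.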
@@ -63,12 +91,33 @@ func MemberShow(c *fiber.Ctx) error {
 &person, "id = ? AND is_member", id, true,
 )
+ if result.Error != nil {
+ return result.Error
+ }
+
 if result.RowsAffected < 1 {
 return fiber.NewError(fiber.StatusNotFound, "Not found")
 }
- if result.Error != nil {
- return result.Error
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ persmissionName := "show_member"
+ if person.DeletedAt.Valid {
+ persmissionName = "show_archived_member"
+ }
+
+ allow, err := helpers.PermissionsCheckSection(
+ userid, persmissionName, person.SectionID,
+ )
+ if err != nil {
+ return err
+ }
+
+ if !allow {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 }
 title := fmt.Sprintf(
@@ -91,17 +140,41 @@ func MemberShow(c *fiber.Ctx) error {
 person.ID,
 )
+ permEdit, _ := helpers.PermissionsGetSections(userid, "edit_member")
+ permConvert, _ := helpers.PermissionsGetSections(userid, "convert_member_to_contact")
+ permArchive, _ := helpers.PermissionsGetSections(userid, "archive_member")
+ permRestore, _ := helpers.PermissionsGetSections(userid, "restore_member")
+ permPurge, _ := helpers.PermissionsGetSections(userid, "purge_member")
+
 return c.Render("person", fiber.Map{
 "PageTitle": title,
 "Person": person,
 "Fields": fields,
 "FieldValues": fieldValues,
+ "PermEdit": permEdit,
+ "PermConvert": permConvert,
+ "PermArchive": permArchive,
+ "PermRestore": permRestore,
+ "PermPurge": permPurge,
 })
 }
 func MemberAdd(c *fiber.Ctx) error {
- var person models.Person
- var errors []string
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allowedSections, err := helpers.PermissionsGetSections(
+ userid, "create_member",
+ )
+ if err != nil {
+ return err
+ }
+
+ if len(allowedSections) < 1 {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+ }
 db, err := helpers.GetDatabase()
 if err != nil {
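Review bot: In MemberShow the "Not found" response is sent before the permission check, so the reply tells a caller with no rights on the section whether a given member id exists; the same order is used in MemberEdit, MemberConvert, MemberArchive, MemberRestore and MemberPurge in the later hunks. If member ids are not meant to be enumerable by every logged-in user, return the same 404 for the `!allow` case too, or first reject users who hold the permission in no section at all with `PermissionsGetSections` before touching the database; if the distinction is acceptable, a short comment above the lookup saying so would save the next reviewer the question. Separately, `persmissionName` is misspelled on three lines and should read `permissionName`. The `Find` call that fills `result` starts above the hunk, and the function continues below it.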
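Review bot: The five `permEdit, _ := helpers.PermissionsGetSections(...)` lines discard the lookup error and return the sections where the user holds the permission in any section, whereas the actions they gate (MemberEdit, MemberConvert, MemberArchive, MemberRestore, MemberPurge) check `person.SectionID` specifically, so the page can show a button that the action then refuses with 403. Compute each flag the same way the action does, e.g. `permEdit, err := helpers.PermissionsCheckSection(userid, "edit_member", person.SectionID)`, and return on error as the rest of the handler does. In the MemberAdd part of the hunk `allowedSections` for `create_member` is only tested for non-emptiness; if the POST branch below (outside this hunk) takes the section from the form, the chosen section should also be verified to be in `allowedSections` before the row is saved, and MemberEdit in the next hunk has the same question if the form can change `section_id`. MemberAdd continues past the end of the hunk.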
@@ -122,6 +195,8 @@ func MemberAdd(c *fiber.Ctx) error {
 &fields, "person_type = ?", "member",
 )
+ var person models.Person
+ var errors []string
 if c.Method() == "POST" {
 data := PersonValidation{
 LastName: c.FormValue("last_name"),
@@ -320,12 +395,28 @@ func MemberEdit(c *fiber.Ctx) error {
 var person models.Person
 result := db.Find(&person, "id = ?", id)
- if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+ if result.Error != nil {
+ return result.Error
+ }
+
+ if result.RowsAffected < 1 {
 return fiber.NewError(fiber.StatusNotFound, "Not found")
 }
- if result.Error != nil {
- return result.Error
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allow, err := helpers.PermissionsCheckSection(
+ userid, "edit_member", person.SectionID,
+ )
+ if err != nil {
+ return err
+ }
+
+ if !allow {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 }
 title := fmt.Sprintf(
@@ -562,12 +653,28 @@ func MemberConvert(c *fiber.Ctx) error {
 var person models.Person
 result := db.Find(&person, "id = ?", id)
- if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+ if result.Error != nil {
+ return result.Error
+ }
+
+ if result.RowsAffected < 1 {
 return fiber.NewError(fiber.StatusNotFound, "Not found")
 }
- if result.Error != nil {
- return result.Error
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allow, err := helpers.PermissionsCheckSection(
+ userid, "convert_member_to_contact", person.SectionID,
+ )
+ if err != nil {
+ return err
+ }
+
+ if !allow {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 }
 person.IsContact = true
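Review bot: The load-then-404-then-permission-then-403 sequence added to MemberEdit here is repeated almost verbatim in MemberConvert below and in MemberArchive, MemberRestore and MemberPurge in the following hunks, differing only in the permission name and in whether the lookup is unscoped. Pulling it into one helper keeps the five handlers in step when the ordering or the error mapping is changed later, which matters for an authorization check more than for most code. A sketch is below; the `id` parameter should take whatever type the existing `c.Params` lookup yields, and MemberRestore would keep its `deleted_at IS NOT NULL` condition by passing the condition in or by doing its own query. Each handler's body continues outside its hunk.
```go
// loadMemberForAction loads the member with the given id (including
// archived rows when includeArchived is set) and checks that the session
// user holds perm for the member's section. A missing row yields a 404
// and a denied permission a 403, in that order, as the handlers do today.
func loadMemberForAction(c *fiber.Ctx, db *gorm.DB, id string, perm string, includeArchived bool) (models.Person, error) {
	var person models.Person
	if includeArchived {
		db = db.Unscoped()
	}
	result := db.Find(&person, "id = ?", id)
	if result.Error != nil {
		return person, result.Error
	}
	if result.RowsAffected < 1 {
		return person, fiber.NewError(fiber.StatusNotFound, "Not found")
	}
	userid, err := helpers.GetSessionUserId(c)
	if err != nil {
		return person, err
	}
	allow, err := helpers.PermissionsCheckSection(userid, perm, person.SectionID)
	if err != nil {
		return person, err
	}
	if !allow {
		return person, fiber.NewError(fiber.StatusForbidden, "Forbidden")
	}
	return person, nil
}

// … in MemberEdit, replacing the block from `var person models.Person` to the `!allow` check …
person, err := loadMemberForAction(c, db, id, "edit_member", false)
if err != nil {
	return err
}
```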
@@ -592,7 +699,34 @@ func MemberArchive(c *fiber.Ctx) error {
 return err
 }
- result := db.Delete(&models.Person{}, id)
+ var person models.Person
+ result := db.Find(&person, "id = ?", id)
+
+ if result.Error != nil {
+ return result.Error
+ }
+
+ if result.RowsAffected < 1 {
+ return fiber.NewError(fiber.StatusNotFound, "Not found")
+ }
+
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allow, err := helpers.PermissionsCheckSection(
+ userid, "archive_member", person.SectionID,
+ )
+ if err != nil {
+ return err
+ }
+
+ if !allow {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+ }
+
+ result = db.Delete(&person)
 if result.Error != nil {
 return result.Error
 }
@@ -611,9 +745,37 @@ func MemberRestore(c *fiber.Ctx) error {
 return err
 }
- result := db.Unscoped().Model(&models.Person{}).Where(
- "id = ?", id,
- ).Update("DeletedAt", nil)
+ var person models.Person
+ result := db.Unscoped().Find(
+ &person, "id = ? AND deleted_at IS NOT NULL", id,
+ )
+
+ if result.Error != nil {
+ return result.Error
+ }
+
+ if result.RowsAffected < 1 {
+ return fiber.NewError(fiber.StatusNotFound, "Not found")
+ }
+
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allow, err := helpers.PermissionsCheckSection(
+ userid, "restore_member", person.SectionID,
+ )
+ if err != nil {
+ return err
+ }
+
+ if !allow {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+ }
+
+ person.DeletedAt.Valid = false
+ result = db.Save(&person)
 if result.Error != nil {
 return result.Error
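Review bot: In MemberRestore the replacement write `result = db.Save(&person)` drops the `Unscoped()` that the removed lines had: a `Save` on a row whose `deleted_at` is set goes through gorm's default soft-delete scope for the UPDATE, which can match zero rows and leave the outcome to gorm's fallback behaviour rather than to an explicit restore. Keeping the write explicit and unscoped, `result = db.Unscoped().Model(&person).Update("DeletedAt", nil)`, preserves what the old code did while keeping the new lookup and permission check. It also avoids rewriting every column of the row from the in-memory struct, which a full-record `Save` does. The MemberArchive hunk above looks correct as written; both functions continue past their hunks.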
@@ -633,7 +795,36 @@ func MemberPurge(c *fiber.Ctx) error {
 return err
 }
- result := db.Unscoped().Delete(
+ var person models.Person
+ result := db.Unscoped().Find(
+ &person, "id = ?", id,
+ )
+
+ if result.Error != nil {
+ return result.Error
+ }
+
+ if result.RowsAffected < 1 {
+ return fiber.NewError(fiber.StatusNotFound, "Not found")
+ }
+
+ userid, err := helpers.GetSessionUserId(c)
+ if err != nil {
+ return err
+ }
+
+ allow, err := helpers.PermissionsCheckSection(
+ userid, "purge_member", person.SectionID,
+ )
+ if err != nil {
+ return err
+ }
+
+ if !allow {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+ }
+
+ result = db.Unscoped().Delete(
 &models.FieldValue{}, "person_id = ?", id,
 )
diff --git a/views/person.html b/views/person.html
index 3135695..f63136e 100644
--- a/views/person.html
+++ b/views/person.html
@@ -260,62 +260,83 @@
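Review bot: MemberPurge looks the member up with `db.Unscoped().Find(&person, "id = ?", id)` and no `deleted_at` condition, so a member that has never been archived can be permanently deleted in one request by anyone holding `purge_member` for the section, while MemberRestore in the previous hunk deliberately restricts itself to archived rows. If purge is meant to be the second step after archive, as the view's Restore/Archive/Purge buttons suggest, use `&person, "id = ? AND deleted_at IS NOT NULL", id,` here too; if not, a comment stating that purge also removes active members would make the intent explicit. The hard delete of field values and the deletion of the person itself (presumably below, outside this hunk) are not wrapped in a transaction, so a failure between them leaves a person without its field values; `db.Transaction(func(tx *gorm.DB) error { ... })` around both would close that gap. The function continues past the end of the hunk.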
{% if Person.IsMember %} +
- {% if !Person.DeletedAt.Valid %} - - - Modifier - -
- -
+ {% if !Person.DeletedAt.Valid %} + + {% if PermEdit %} + + + Modifier + + {% endif %} + + {% if PermConvert %} +
+ +
+ {% endif %} {% endif %}
{% if Person.DeletedAt.Valid %} + + {% if PermRestore %} +
+ +
+ {% endif %} + + {% else %} + + {% if PermArchive %} +
+ +
+ {% endif %} + + {% endif %} + + {% if PermPurge %}
- -
- {% else %} -
-
{% endif %} -
- -
+
+ {% else %} +
{% if !Person.DeletedAt.Valid %} @@ -371,6 +392,7 @@
+ {% endif %}