Implement permissions in members controllers

2025-01-17 15:59:35 +01:00 · 2025-01-17 15:59:35 +01:00 · 8c94b2567e
commit 8c94b2567e
parent 625d777a8b
2 changed files with 272 additions and 59 deletions
--- a/controllers/members.go
+++ b/controllers/members.go
@ -27,6 +27,32 @@ type PersonValidation struct {
 }

 func Members(c *fiber.Ctx) error {
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allowedSections, err := helpers.PermissionsGetSections(
+		userid, "show_member",
+	)
+	if err != nil {
+		return err
+	}
+
+	allowedSectionsArchived, err := helpers.PermissionsGetSections(
+		userid, "show_archived_member",
+	)
+	if err != nil {
+		return err
+	}
+
+	permShow := (len(allowedSections) > 0)
+	permShowArchived := (len(allowedSectionsArchived) > 0)
+
+	if !permShow && !permShowArchived {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
 	db, err := helpers.GetDatabase()
 	if err != nil {
 		return err
@ -36,7 +62,7 @@ func Members(c *fiber.Ctx) error {
 	result := db.Order(
 		"last_name collate nocase asc, first_name collate nocase asc",
 	).Preload("Section").Find(
-		&people, "is_member = ?", true,
+		&people, "is_member = ? AND section_id IN ?", true, allowedSections,
 	)

 	if result.Error != nil && !errors.Is(result.Error, gorm.ErrRecordNotFound) {
@ -44,9 +70,11 @@ func Members(c *fiber.Ctx) error {
 	}

 	return c.Render("people", fiber.Map{
-		"PageTitle":   "Membres",
-		"MembersPage": true,
-		"People":      people,
+		"PageTitle":        "Membres",
+		"MembersPage":      true,
+		"People":           people,
+		"PermShow":         permShow,
+		"PermShowArchived": permShowArchived,
 	})
 }

@ -63,12 +91,33 @@ func MemberShow(c *fiber.Ctx) error {
 		&person, "id = ? AND is_member", id, true,
 	)

+	if result.Error != nil {
+		return result.Error
+	}
+
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}

-	if result.Error != nil {
-		return result.Error
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	persmissionName := "show_member"
+	if person.DeletedAt.Valid {
+		persmissionName = "show_archived_member"
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, persmissionName, person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}

 	title := fmt.Sprintf(
@ -91,17 +140,41 @@ func MemberShow(c *fiber.Ctx) error {
 		person.ID,
 	)

+	permEdit, _ := helpers.PermissionsGetSections(userid, "edit_member")
+	permConvert, _ := helpers.PermissionsGetSections(userid, "convert_member_to_contact")
+	permArchive, _ := helpers.PermissionsGetSections(userid, "archive_member")
+	permRestore, _ := helpers.PermissionsGetSections(userid, "restore_member")
+	permPurge, _ := helpers.PermissionsGetSections(userid, "purge_member")
+
 	return c.Render("person", fiber.Map{
 		"PageTitle":   title,
 		"Person":      person,
 		"Fields":      fields,
 		"FieldValues": fieldValues,
+		"PermEdit":    permEdit,
+		"PermConvert": permConvert,
+		"PermArchive": permArchive,
+		"PermRestore": permRestore,
+		"PermPurge":   permPurge,
 	})
 }

 func MemberAdd(c *fiber.Ctx) error {
-	var person models.Person
-	var errors []string
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allowedSections, err := helpers.PermissionsGetSections(
+		userid, "create_member",
+	)
+	if err != nil {
+		return err
+	}
+
+	if len(allowedSections) < 1 {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}

 	db, err := helpers.GetDatabase()
 	if err != nil {
@ -122,6 +195,8 @@ func MemberAdd(c *fiber.Ctx) error {
 		&fields, "person_type = ?", "member",
 	)

+	var person models.Person
+	var errors []string
 	if c.Method() == "POST" {
 		data := PersonValidation{
 			LastName:   c.FormValue("last_name"),
@ -320,12 +395,28 @@ func MemberEdit(c *fiber.Ctx) error {
 	var person models.Person
 	result := db.Find(&person, "id = ?", id)

-	if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}

-	if result.Error != nil {
-		return result.Error
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "edit_member", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}

 	title := fmt.Sprintf(
@ -562,12 +653,28 @@ func MemberConvert(c *fiber.Ctx) error {
 	var person models.Person
 	result := db.Find(&person, "id = ?", id)

-	if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}

-	if result.Error != nil {
-		return result.Error
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "convert_member_to_contact", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}

 	person.IsContact = true
@ -592,7 +699,34 @@ func MemberArchive(c *fiber.Ctx) error {
 		return err
 	}

-	result := db.Delete(&models.Person{}, id)
+	var person models.Person
+	result := db.Find(&person, "id = ?", id)
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
+		return fiber.NewError(fiber.StatusNotFound, "Not found")
+	}
+
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "archive_member", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
+	result = db.Delete(&person)
 	if result.Error != nil {
 		return result.Error
 	}
@ -611,9 +745,37 @@ func MemberRestore(c *fiber.Ctx) error {
 		return err
 	}

-	result := db.Unscoped().Model(&models.Person{}).Where(
-		"id = ?", id,
-	).Update("DeletedAt", nil)
+	var person models.Person
+	result := db.Unscoped().Find(
+		&person, "id = ? AND deleted_at IS NOT NULL", id,
+	)
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
+		return fiber.NewError(fiber.StatusNotFound, "Not found")
+	}
+
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "restore_member", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
+	person.DeletedAt.Valid = false
+	result = db.Save(&person)

 	if result.Error != nil {
 		return result.Error
@ -633,7 +795,36 @@ func MemberPurge(c *fiber.Ctx) error {
 		return err
 	}

-	result := db.Unscoped().Delete(
+	var person models.Person
+	result := db.Unscoped().Find(
+		&person, "id = ?", id,
+	)
+
+	if result.Error != nil {
+		return result.Error
+	}
+
+	if result.RowsAffected < 1 {
+		return fiber.NewError(fiber.StatusNotFound, "Not found")
+	}
+
+	userid, err := helpers.GetSessionUserId(c)
+	if err != nil {
+		return err
+	}
+
+	allow, err := helpers.PermissionsCheckSection(
+		userid, "purge_member", person.SectionID,
+	)
+	if err != nil {
+		return err
+	}
+
+	if !allow {
+		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
+	}
+
+	result = db.Unscoped().Delete(
 		&models.FieldValue{}, "person_id = ?", id,
 	)