Implement permissions in members controllers

2025-01-17 15:59:35 +01:00 · 2025-01-17 15:59:35 +01:00 · 8c94b2567e
commit 8c94b2567e
parent 625d777a8b
2 changed files with 272 additions and 59 deletions
--- a/controllers/members.go
+++ b/controllers/members.go
@ -27,6 +27,32 @@ type PersonValidation struct {
 }
 func Members(c *fiber.Ctx) error {
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allowedSections, err := helpers.PermissionsGetSections(
 		userid, "show_member",
 	)
 	if err != nil {
 		return err
 	}
 	allowedSectionsArchived, err := helpers.PermissionsGetSections(
 		userid, "show_archived_member",
 	)
 	if err != nil {
 		return err
 	}
 	permShow := (len(allowedSections) > 0)
 	permShowArchived := (len(allowedSectionsArchived) > 0)
 	if !permShow && !permShowArchived {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	db, err := helpers.GetDatabase()
 	if err != nil {
 		return err
@ -36,7 +62,7 @@ func Members(c *fiber.Ctx) error {
 	result := db.Order(
 		"last_name collate nocase asc, first_name collate nocase asc",
 	).Preload("Section").Find(
-		&people, "is_member = ?", true,
+		&people, "is_member = ? AND section_id IN ?", true, allowedSections,
 	)
 	if result.Error != nil && !errors.Is(result.Error, gorm.ErrRecordNotFound) {
@ -47,6 +73,8 @@ func Members(c *fiber.Ctx) error {
 		"PageTitle":        "Membres",
 		"MembersPage":      true,
 		"People":           people,
 		"PermShow":         permShow,
 		"PermShowArchived": permShowArchived,
 	})
 }
@ -63,12 +91,33 @@ func MemberShow(c *fiber.Ctx) error {
 		&person, "id = ? AND is_member", id, true,
 	)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
-	if result.Error != nil {
+	userid, err := helpers.GetSessionUserId(c)
-		return result.Error
+	if err != nil {
 		return err
 	}
 	persmissionName := "show_member"
 	if person.DeletedAt.Valid {
 		persmissionName = "show_archived_member"
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, persmissionName, person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	title := fmt.Sprintf(
@ -91,17 +140,41 @@ func MemberShow(c *fiber.Ctx) error {
 		person.ID,
 	)
 	permEdit, _ := helpers.PermissionsGetSections(userid, "edit_member")
 	permConvert, _ := helpers.PermissionsGetSections(userid, "convert_member_to_contact")
 	permArchive, _ := helpers.PermissionsGetSections(userid, "archive_member")
 	permRestore, _ := helpers.PermissionsGetSections(userid, "restore_member")
 	permPurge, _ := helpers.PermissionsGetSections(userid, "purge_member")
 	return c.Render("person", fiber.Map{
 		"PageTitle":   title,
 		"Person":      person,
 		"Fields":      fields,
 		"FieldValues": fieldValues,
 		"PermEdit":    permEdit,
 		"PermConvert": permConvert,
 		"PermArchive": permArchive,
 		"PermRestore": permRestore,
 		"PermPurge":   permPurge,
 	})
 }
 func MemberAdd(c *fiber.Ctx) error {
-	var person models.Person
+	userid, err := helpers.GetSessionUserId(c)
-	var errors []string
+	if err != nil {
 		return err
 	}
 	allowedSections, err := helpers.PermissionsGetSections(
 		userid, "create_member",
 	)
 	if err != nil {
 		return err
 	}
 	if len(allowedSections) < 1 {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	db, err := helpers.GetDatabase()
 	if err != nil {
@ -122,6 +195,8 @@ func MemberAdd(c *fiber.Ctx) error {
 		&fields, "person_type = ?", "member",
 	)
 	var person models.Person
 	var errors []string
 	if c.Method() == "POST" {
 		data := PersonValidation{
 			LastName:   c.FormValue("last_name"),
@ -320,12 +395,28 @@ func MemberEdit(c *fiber.Ctx) error {
 	var person models.Person
 	result := db.Find(&person, "id = ?", id)
-	if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
-	if result.Error != nil {
+	userid, err := helpers.GetSessionUserId(c)
-		return result.Error
+	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "edit_member", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	title := fmt.Sprintf(
@ -562,12 +653,28 @@ func MemberConvert(c *fiber.Ctx) error {
 	var person models.Person
 	result := db.Find(&person, "id = ?", id)
-	if errors.Is(result.Error, gorm.ErrRecordNotFound) {
+	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
-	if result.Error != nil {
+	userid, err := helpers.GetSessionUserId(c)
-		return result.Error
+	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "convert_member_to_contact", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	person.IsContact = true
@ -592,7 +699,34 @@ func MemberArchive(c *fiber.Ctx) error {
 		return err
 	}
-	result := db.Delete(&models.Person{}, id)
+	var person models.Person
 	result := db.Find(&person, "id = ?", id)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "archive_member", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	result = db.Delete(&person)
 	if result.Error != nil {
 		return result.Error
 	}
@ -611,9 +745,37 @@ func MemberRestore(c *fiber.Ctx) error {
 		return err
 	}
-	result := db.Unscoped().Model(&models.Person{}).Where(
+	var person models.Person
-		"id = ?", id,
+	result := db.Unscoped().Find(
-	).Update("DeletedAt", nil)
+		&person, "id = ? AND deleted_at IS NOT NULL", id,
 	)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "restore_member", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	person.DeletedAt.Valid = false
 	result = db.Save(&person)
 	if result.Error != nil {
 		return result.Error
@ -633,7 +795,36 @@ func MemberPurge(c *fiber.Ctx) error {
 		return err
 	}
-	result := db.Unscoped().Delete(
+	var person models.Person
 	result := db.Unscoped().Find(
 		&person, "id = ?", id,
 	)
 	if result.Error != nil {
 		return result.Error
 	}
 	if result.RowsAffected < 1 {
 		return fiber.NewError(fiber.StatusNotFound, "Not found")
 	}
 	userid, err := helpers.GetSessionUserId(c)
 	if err != nil {
 		return err
 	}
 	allow, err := helpers.PermissionsCheckSection(
 		userid, "purge_member", person.SectionID,
 	)
 	if err != nil {
 		return err
 	}
 	if !allow {
 		return fiber.NewError(fiber.StatusForbidden, "Forbidden")
 	}
 	result = db.Unscoped().Delete(
 		&models.FieldValue{}, "person_id = ?", id,
 	)
--- a/views/person.html
+++ b/views/person.html
@ -260,13 +260,19 @@
 	<div class="my-5">
 		{% if Person.IsMember %}
 			<div class="row">
 				<div class="col-md-6">
 					{% if !Person.DeletedAt.Valid %}
 						{% if PermEdit %}
 							<a class="btn btn-md btn-primary" href="/members/{{ Person.ID }}/edit">
 								<i class="bi-pencil-square"></i>
 								Modifier
 							</a>
 						{% endif %}
 						{% if PermConvert %}
 							<form
 								action="/members/{{ Person.ID }}/convert"
 								method="post"
@ -278,9 +284,12 @@
 								</button>
 							</form>
 						{% endif %}
 					{% endif %}
 				</div>
 				<div class="col-md-6 text-md-end mt-2 mt-md-0">
 					{% if Person.DeletedAt.Valid %}
 						{% if PermRestore %}
 							<form
 								action="/members/{{ Person.ID }}/restore"
 								method="post"
@ -291,7 +300,11 @@
 									Restaurer
 								</button>
 							</form>
 						{% endif %}
 					{% else %}
 						{% if PermArchive %}
 							<form
 								action="/members/{{ Person.ID }}/archive"
 								method="post"
@ -303,6 +316,10 @@
 								</button>
 							</form>
 						{% endif %}
 					{% endif %}
 					{% if PermPurge %}					
 						<form
 							action="/members/{{ Person.ID }}/purge"
 							method="post"
@ -313,9 +330,13 @@
 								Supprimer
 							</button>
 						</form>
 					{% endif %}
 				</div>
 			</div>
 		{% else %}
 			<div class="row">
 				<div class="col-md-6">
 					{% if !Person.DeletedAt.Valid %}					
@ -371,6 +392,7 @@
 					</form>
 				</div>
 			</div>
 		{% endif %}
 	</div>