Refactor user permissions and retrieves PAT

Signed-off-by: bcmmbaga <bethuelmbaga12@gmail.com>
2024-12-14 02:41:34 +01:00 · 2024-09-24 22:57:04 +03:00 · 2024-09-24 22:57:04 +03:00 · d14b855670
commit d14b855670
parent eab85644cd
3 changed files with 29 additions and 39 deletions
--- a/management/server/group.go
+++ b/management/server/group.go
@ -37,7 +37,7 @@ func (am *DefaultAccountManager) CheckGroupPermissions(ctx context.Context, acco
 		return err
 	}
-	if !user.HasAdminPower() && !user.IsServiceUser && settings.RegularUsersViewBlocked {
+	if (!user.IsAdminOrServiceUser() && settings.RegularUsersViewBlocked) || user.AccountID != accountID {
 		return status.Errorf(status.PermissionDenied, "groups are blocked for users")
 	}
--- a/management/server/policy.go
+++ b/management/server/policy.go
@ -320,7 +320,7 @@ func (am *DefaultAccountManager) GetPolicy(ctx context.Context, accountID, polic
 		return nil, err
 	}
-	if (!user.HasAdminPower() && !user.IsServiceUser) || user.AccountID != accountID {
+	if !user.IsAdminOrServiceUser() || user.AccountID != accountID {
 		return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view policies")
 	}
@ -391,7 +391,7 @@ func (am *DefaultAccountManager) ListPolicies(ctx context.Context, accountID, us
 		return nil, err
 	}
-	if (!user.HasAdminPower() && !user.IsServiceUser) || user.AccountID != accountID {
+	if !user.IsAdminOrServiceUser() || user.AccountID != accountID {
 		return nil, status.Errorf(status.PermissionDenied, "only users with admin power are allowed to view policies")
 	}
--- a/management/server/user.go
+++ b/management/server/user.go
@ -94,6 +94,11 @@ func (u *User) HasAdminPower() bool {
 	return u.Role == UserRoleAdmin || u.Role == UserRoleOwner
 }
 // IsAdminOrServiceUser checks if the user has admin power or is a service user.
 func (u *User) IsAdminOrServiceUser() bool {
 	return u.HasAdminPower() || u.IsServiceUser
 }
 // ToUserInfo converts a User object to a UserInfo object.
 func (u *User) ToUserInfo(userData *idp.UserData, settings *Settings) (*UserInfo, error) {
 	autoGroups := u.AutoGroups
@ -638,63 +643,48 @@ func (am *DefaultAccountManager) DeletePAT(ctx context.Context, accountID string
 // GetPAT returns a specific PAT from a user
 func (am *DefaultAccountManager) GetPAT(ctx context.Context, accountID string, initiatorUserID string, targetUserID string, tokenID string) (*PersonalAccessToken, error) {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
+	initiatorUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, initiatorUserID)
 	defer unlock()
 	account, err := am.Store.GetAccount(ctx, accountID)
 	if err != nil {
-		return nil, status.Errorf(status.NotFound, "account not found: %s", err)
+		return nil, err
 	}
-	targetUser, ok := account.Users[targetUserID]
+	targetUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, targetUserID)
-	if !ok {
+	if err != nil {
-		return nil, status.Errorf(status.NotFound, "user not found")
+		return nil, err
 	}
-	executingUser, ok := account.Users[initiatorUserID]
+	if (initiatorUserID != targetUserID && !initiatorUser.IsAdminOrServiceUser()) || initiatorUser.AccountID != accountID {
-	if !ok {
+		return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this user")
 		return nil, status.Errorf(status.NotFound, "user not found")
 	}
-	if !(initiatorUserID == targetUserID || (executingUser.HasAdminPower() && targetUser.IsServiceUser)) {
+	for _, pat := range targetUser.PATsG {
-		return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this userser")
+		if pat.ID == tokenID {
 			return pat.Copy(), nil
 		}
 	}
-	pat := targetUser.PATs[tokenID]
+	return nil, status.Errorf(status.NotFound, "PAT not found")
 	if pat == nil {
 		return nil, status.Errorf(status.NotFound, "PAT not found")
 	}
 	return pat, nil
 }
 // GetAllPATs returns all PATs for a user
 func (am *DefaultAccountManager) GetAllPATs(ctx context.Context, accountID string, initiatorUserID string, targetUserID string) ([]*PersonalAccessToken, error) {
-	unlock := am.Store.AcquireWriteLockByUID(ctx, accountID)
+	initiatorUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, initiatorUserID)
 	defer unlock()
 	account, err := am.Store.GetAccount(ctx, accountID)
 	if err != nil {
-		return nil, status.Errorf(status.NotFound, "account not found: %s", err)
+		return nil, err
 	}
-	targetUser, ok := account.Users[targetUserID]
+	targetUser, err := am.Store.GetUserByUserID(ctx, LockingStrengthShare, targetUserID)
-	if !ok {
+	if err != nil {
-		return nil, status.Errorf(status.NotFound, "user not found")
+		return nil, err
 	}
-	executingUser, ok := account.Users[initiatorUserID]
+	if (initiatorUserID != targetUserID && !initiatorUser.IsAdminOrServiceUser()) || initiatorUser.AccountID != accountID {
 	if !ok {
 		return nil, status.Errorf(status.NotFound, "user not found")
 	}
 	if !(initiatorUserID == targetUserID || (executingUser.HasAdminPower() && targetUser.IsServiceUser)) {
 		return nil, status.Errorf(status.PermissionDenied, "no permission to get PAT for this user")
 	}
-	var pats []*PersonalAccessToken
+	pats := make([]*PersonalAccessToken, 0, len(targetUser.PATsG))
-	for _, pat := range targetUser.PATs {
+	for _, pat := range targetUser.PATsG {
-		pats = append(pats, pat)
+		pats = append(pats, pat.Copy())
 	}
 	return pats, nil