Ajout d'une query GraphQL pour vérifier les autorisations côté serveur

- Intégration des vérifications de droits sur la page de création/modification des groupes de travail
2020-09-04 11:19:24 +02:00
parent 3ef495445a
commit 9c6ebae9bc
10 changed files with 160 additions and 7 deletions
--- a/internal/graph/authorization_handler.go
+++ b/internal/graph/authorization_handler.go
@ -0,0 +1,59 @@
+package graph
+
+import (
+	"context"
+
+	"forge.cadoles.com/Cadoles/daddy/internal/model"
+	errs "github.com/pkg/errors"
+)
+
+func handleIsAuthorized(ctx context.Context, action string, obj model.AuthorizationObject) (bool, error) {
+	db, err := getDB(ctx)
+	if err != nil {
+		return false, errs.WithStack(err)
+	}
+
+	var object interface{}
+
+	switch {
+	case obj.WorkgroupID != nil:
+		repo := model.NewWorkgroupRepository(db)
+
+		workgroup, err := repo.Find(ctx, *obj.WorkgroupID)
+		if err != nil {
+			return false, errs.WithStack(err)
+		}
+
+		object = workgroup
+
+	case obj.DecisionSupportFileID != nil:
+		repo := model.NewDSFRepository(db)
+
+		dsf, err := repo.Find(ctx, *obj.DecisionSupportFileID)
+		if err != nil {
+			return false, errs.WithStack(err)
+		}
+
+		object = dsf
+
+	case obj.UserID != nil:
+		repo := model.NewUserRepository(db)
+
+		user, err := repo.Find(ctx, *obj.UserID)
+		if err != nil {
+			return false, errs.WithStack(err)
+		}
+
+		object = user
+
+	default:
+		return false, errs.WithStack(ErrInvalidInput)
+	}
+
+	authorized, err := isAuthorized(ctx, object, model.Action(action))
+	if err != nil {
+		return false, errs.WithStack(err)
+	}
+
+	return authorized, nil
+}
--- a/internal/graph/error.go
+++ b/internal/graph/error.go
@ -3,5 +3,6 @@ package graph
 import "errors"

 var (
-	ErrForbidden = errors.New("forbidden")
+	ErrForbidden    = errors.New("forbidden")
+	ErrInvalidInput = errors.New("invalid input")
 )
--- a/internal/graph/query.graphql
+++ b/internal/graph/query.graphql
@ -38,8 +38,15 @@ input DecisionSupportFileFilter {
  ids: [ID]
 }

+input AuthorizationObject {
+  workgroupId: ID
+  userId: ID
+  decisionSupportFileId: ID
+}
+
 type Query {
  userProfile: User
  workgroups(filter: WorkgroupsFilter): [Workgroup]!
  decisionSupportFiles(filter: DecisionSupportFileFilter): [DecisionSupportFile]!
+  isAuthorized(action: String!, object: AuthorizationObject!): Boolean!
 }
--- a/internal/graph/query.resolvers.go
+++ b/internal/graph/query.resolvers.go
@ -31,6 +31,10 @@ func (r *queryResolver) DecisionSupportFiles(ctx context.Context, filter *model1
 	return handleDecisionSupportFiles(ctx, filter)
 }

+func (r *queryResolver) IsAuthorized(ctx context.Context, action string, object model1.AuthorizationObject) (bool, error) {
+	return handleIsAuthorized(ctx, action, object)
+}
+
 func (r *userResolver) ID(ctx context.Context, obj *model1.User) (string, error) {
 	return strconv.FormatUint(uint64(obj.ID), 10), nil
 }
--- a/internal/model/user_repository.go
+++ b/internal/model/user_repository.go
@ -7,6 +7,7 @@ import (
 	"forge.cadoles.com/Cadoles/daddy/internal/orm"
 	"github.com/jinzhu/gorm"
 	"github.com/pkg/errors"
+	errs "github.com/pkg/errors"
 )

 type UserRepository struct {
@ -68,6 +69,17 @@ func (r *UserRepository) UpdateUserByEmail(ctx context.Context, email string, ch
 	return user, nil
 }

+func (r *UserRepository) Find(ctx context.Context, id string) (*User, error) {
+	user := &User{}
+	query := r.db.Model(user).Where("id = ?", id)
+
+	if err := query.First(&user).Error; err != nil {
+		return nil, errs.WithStack(err)
+	}
+
+	return user, nil
+}
+
 func NewUserRepository(db *gorm.DB) *UserRepository {
 	return &UserRepository{db}
 }