fix: owner invite permission

src/api/workspace.rs

@@ -45,6 +45,7 @@ pub const COLLAB_OBJECT_ID_PATH: &str = "object_id";
 
 pub const WORKSPACE_PATTERN: &str = "/api/workspace";
 pub const WORKSPACE_MEMBER_PATTERN: &str = "/api/workspace/{workspace_id}/member";
+pub const WORKSPACE_INVITE_PATTERN: &str = "/api/workspace/{workspace_id}/invite";
 pub const COLLAB_PATTERN: &str = "/api/workspace/{workspace_id}/collab/{object_id}";
 
 pub fn workspace_scope() -> Scope {
@@ -57,6 +58,10 @@ pub fn workspace_scope() -> Scope {
       .route(web::post().to(create_workspace_handler))
       .route(web::patch().to(patch_workspace_handler))
     )
+    .service(
+      web::resource("/{workspace_id}/invite")
+        .route(web::post().to(post_workspace_invite_handler)) // invite members to workspace
+    )
     .service(
       web::resource("/invite")
         .route(web::get().to(get_workspace_invite_handler)) // show invites for user
@@ -74,11 +79,7 @@ pub fn workspace_scope() -> Scope {
         .route(web::get().to(get_workspace_members_handler))
         .route(web::post().to(create_workspace_members_handler)) // deprecated, use invite flow instead
         .route(web::put().to(update_workspace_member_handler))
-        .route(web::delete().to(remove_workspace_member_handler)),
-    )
-    .service(
-      web::resource("/{workspace_id}/invite")
-        .route(web::post().to(post_workspace_invite_handler)) // invite members to workspace
+        .route(web::delete().to(remove_workspace_member_handler))
     )
     .service(
       web::resource("/{workspace_id}/collab/{object_id}")

src/biz/workspace/access_control.rs

@@ -9,7 +9,9 @@ use sqlx::{Executor, PgPool, Postgres};
 use std::collections::hash_map::Entry;
 use std::collections::HashMap;
 
-use crate::api::workspace::{WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN};
+use crate::api::workspace::{
+  WORKSPACE_INVITE_PATTERN, WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN,
+};
 use crate::biz::casbin::access_control::Action;
 use crate::state::UserCache;
 use actix_router::{Path, ResourceDef, Url};
@@ -76,6 +78,11 @@ where
           ]
           .into(),
         ),
+        (
+          // Only the Owner can invite a user to the workspace
+          ResourceDef::new(WORKSPACE_INVITE_PATTERN),
+          [(Method::POST, AFRole::Owner)].into(),
+        ),
       ],
       access_control,
     }
@@ -120,10 +127,8 @@ where
   ) -> Result<(), AppError> {
     if self.should_skip(&method, path) {
       trace!("Skip access control for the request");
-      println!("------- Skip access control for the request");
       return Ok(());
     }
-    println!("----- Check access control for the request");
 
     // For some specific resources, we require a specific role to access them instead of the action.
     // For example, Both AFRole::Owner and AFRole::Member have the write permission to the workspace,
@@ -149,8 +154,6 @@ where
     if result {
       Ok(())
     } else {
-      println!("------------------------------ Not enough permissions");
-
       Err(AppError::NotEnoughPermissions {
         user: uid.to_string(),
         action: format!(

src/middleware/access_control_mw.rs

@@ -168,7 +168,6 @@ where
         Box::pin(async move {
           // If the workspace_id or collab_object_id is not present, skip the access control
           if workspace_id.is_none() && object_id.is_none() {
-            println!("-------- Skip access control for the request");
             return fut.await;
           }