From 65d69ef0fdec71742671103b97539a2b45a6b836 Mon Sep 17 00:00:00 2001 From: Zack Fu Zi Xiang Date: Mon, 4 Mar 2024 00:59:11 +0800 Subject: [PATCH] fix: owner invite permission --- src/api/workspace.rs | 11 ++++++----- src/biz/workspace/access_control.rs | 13 ++++++++----- src/middleware/access_control_mw.rs | 1 - 3 files changed, 14 insertions(+), 11 deletions(-) diff --git a/src/api/workspace.rs b/src/api/workspace.rs index 92ed1c0a..8cd19c8c 100644 --- a/src/api/workspace.rs +++ b/src/api/workspace.rs @@ -45,6 +45,7 @@ pub const COLLAB_OBJECT_ID_PATH: &str = "object_id"; pub const WORKSPACE_PATTERN: &str = "/api/workspace"; pub const WORKSPACE_MEMBER_PATTERN: &str = "/api/workspace/{workspace_id}/member"; +pub const WORKSPACE_INVITE_PATTERN: &str = "/api/workspace/{workspace_id}/invite"; pub const COLLAB_PATTERN: &str = "/api/workspace/{workspace_id}/collab/{object_id}"; pub fn workspace_scope() -> Scope { @@ -57,6 +58,10 @@ pub fn workspace_scope() -> Scope { .route(web::post().to(create_workspace_handler)) .route(web::patch().to(patch_workspace_handler)) ) + .service( + web::resource("/{workspace_id}/invite") + .route(web::post().to(post_workspace_invite_handler)) // invite members to workspace + ) .service( web::resource("/invite") .route(web::get().to(get_workspace_invite_handler)) // show invites for user @@ -74,11 +79,7 @@ pub fn workspace_scope() -> Scope { .route(web::get().to(get_workspace_members_handler)) .route(web::post().to(create_workspace_members_handler)) // deprecated, use invite flow instead .route(web::put().to(update_workspace_member_handler)) - .route(web::delete().to(remove_workspace_member_handler)), - ) - .service( - web::resource("/{workspace_id}/invite") - .route(web::post().to(post_workspace_invite_handler)) // invite members to workspace + .route(web::delete().to(remove_workspace_member_handler)) ) .service( web::resource("/{workspace_id}/collab/{object_id}") diff --git a/src/biz/workspace/access_control.rs b/src/biz/workspace/access_control.rs index aff2dfb0..a34e39bf 100644 --- a/src/biz/workspace/access_control.rs +++ b/src/biz/workspace/access_control.rs @@ -9,7 +9,9 @@ use sqlx::{Executor, PgPool, Postgres}; use std::collections::hash_map::Entry; use std::collections::HashMap; -use crate::api::workspace::{WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN}; +use crate::api::workspace::{ + WORKSPACE_INVITE_PATTERN, WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN, +}; use crate::biz::casbin::access_control::Action; use crate::state::UserCache; use actix_router::{Path, ResourceDef, Url}; @@ -76,6 +78,11 @@ where ] .into(), ), + ( + // Only the Owner can invite a user to the workspace + ResourceDef::new(WORKSPACE_INVITE_PATTERN), + [(Method::POST, AFRole::Owner)].into(), + ), ], access_control, } @@ -120,10 +127,8 @@ where ) -> Result<(), AppError> { if self.should_skip(&method, path) { trace!("Skip access control for the request"); - println!("------- Skip access control for the request"); return Ok(()); } - println!("----- Check access control for the request"); // For some specific resources, we require a specific role to access them instead of the action. // For example, Both AFRole::Owner and AFRole::Member have the write permission to the workspace, @@ -149,8 +154,6 @@ where if result { Ok(()) } else { - println!("------------------------------ Not enough permissions"); - Err(AppError::NotEnoughPermissions { user: uid.to_string(), action: format!( diff --git a/src/middleware/access_control_mw.rs b/src/middleware/access_control_mw.rs index 40e53724..36b5cc9c 100644 --- a/src/middleware/access_control_mw.rs +++ b/src/middleware/access_control_mw.rs @@ -168,7 +168,6 @@ where Box::pin(async move { // If the workspace_id or collab_object_id is not present, skip the access control if workspace_id.is_none() && object_id.is_none() { - println!("-------- Skip access control for the request"); return fut.await; }