fix: owner invite permission
This commit is contained in:
parent
439a59ed2d
commit
65d69ef0fd
|
|
@ -45,6 +45,7 @@ pub const COLLAB_OBJECT_ID_PATH: &str = "object_id";
|
||||||
|
|
||||||
pub const WORKSPACE_PATTERN: &str = "/api/workspace";
|
pub const WORKSPACE_PATTERN: &str = "/api/workspace";
|
||||||
pub const WORKSPACE_MEMBER_PATTERN: &str = "/api/workspace/{workspace_id}/member";
|
pub const WORKSPACE_MEMBER_PATTERN: &str = "/api/workspace/{workspace_id}/member";
|
||||||
|
pub const WORKSPACE_INVITE_PATTERN: &str = "/api/workspace/{workspace_id}/invite";
|
||||||
pub const COLLAB_PATTERN: &str = "/api/workspace/{workspace_id}/collab/{object_id}";
|
pub const COLLAB_PATTERN: &str = "/api/workspace/{workspace_id}/collab/{object_id}";
|
||||||
|
|
||||||
pub fn workspace_scope() -> Scope {
|
pub fn workspace_scope() -> Scope {
|
||||||
|
|
@ -57,6 +58,10 @@ pub fn workspace_scope() -> Scope {
|
||||||
.route(web::post().to(create_workspace_handler))
|
.route(web::post().to(create_workspace_handler))
|
||||||
.route(web::patch().to(patch_workspace_handler))
|
.route(web::patch().to(patch_workspace_handler))
|
||||||
)
|
)
|
||||||
|
.service(
|
||||||
|
web::resource("/{workspace_id}/invite")
|
||||||
|
.route(web::post().to(post_workspace_invite_handler)) // invite members to workspace
|
||||||
|
)
|
||||||
.service(
|
.service(
|
||||||
web::resource("/invite")
|
web::resource("/invite")
|
||||||
.route(web::get().to(get_workspace_invite_handler)) // show invites for user
|
.route(web::get().to(get_workspace_invite_handler)) // show invites for user
|
||||||
|
|
@ -74,11 +79,7 @@ pub fn workspace_scope() -> Scope {
|
||||||
.route(web::get().to(get_workspace_members_handler))
|
.route(web::get().to(get_workspace_members_handler))
|
||||||
.route(web::post().to(create_workspace_members_handler)) // deprecated, use invite flow instead
|
.route(web::post().to(create_workspace_members_handler)) // deprecated, use invite flow instead
|
||||||
.route(web::put().to(update_workspace_member_handler))
|
.route(web::put().to(update_workspace_member_handler))
|
||||||
.route(web::delete().to(remove_workspace_member_handler)),
|
.route(web::delete().to(remove_workspace_member_handler))
|
||||||
)
|
|
||||||
.service(
|
|
||||||
web::resource("/{workspace_id}/invite")
|
|
||||||
.route(web::post().to(post_workspace_invite_handler)) // invite members to workspace
|
|
||||||
)
|
)
|
||||||
.service(
|
.service(
|
||||||
web::resource("/{workspace_id}/collab/{object_id}")
|
web::resource("/{workspace_id}/collab/{object_id}")
|
||||||
|
|
|
||||||
|
|
@ -9,7 +9,9 @@ use sqlx::{Executor, PgPool, Postgres};
|
||||||
use std::collections::hash_map::Entry;
|
use std::collections::hash_map::Entry;
|
||||||
use std::collections::HashMap;
|
use std::collections::HashMap;
|
||||||
|
|
||||||
use crate::api::workspace::{WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN};
|
use crate::api::workspace::{
|
||||||
|
WORKSPACE_INVITE_PATTERN, WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN,
|
||||||
|
};
|
||||||
use crate::biz::casbin::access_control::Action;
|
use crate::biz::casbin::access_control::Action;
|
||||||
use crate::state::UserCache;
|
use crate::state::UserCache;
|
||||||
use actix_router::{Path, ResourceDef, Url};
|
use actix_router::{Path, ResourceDef, Url};
|
||||||
|
|
@ -76,6 +78,11 @@ where
|
||||||
]
|
]
|
||||||
.into(),
|
.into(),
|
||||||
),
|
),
|
||||||
|
(
|
||||||
|
// Only the Owner can invite a user to the workspace
|
||||||
|
ResourceDef::new(WORKSPACE_INVITE_PATTERN),
|
||||||
|
[(Method::POST, AFRole::Owner)].into(),
|
||||||
|
),
|
||||||
],
|
],
|
||||||
access_control,
|
access_control,
|
||||||
}
|
}
|
||||||
|
|
@ -120,10 +127,8 @@ where
|
||||||
) -> Result<(), AppError> {
|
) -> Result<(), AppError> {
|
||||||
if self.should_skip(&method, path) {
|
if self.should_skip(&method, path) {
|
||||||
trace!("Skip access control for the request");
|
trace!("Skip access control for the request");
|
||||||
println!("------- Skip access control for the request");
|
|
||||||
return Ok(());
|
return Ok(());
|
||||||
}
|
}
|
||||||
println!("----- Check access control for the request");
|
|
||||||
|
|
||||||
// For some specific resources, we require a specific role to access them instead of the action.
|
// For some specific resources, we require a specific role to access them instead of the action.
|
||||||
// For example, Both AFRole::Owner and AFRole::Member have the write permission to the workspace,
|
// For example, Both AFRole::Owner and AFRole::Member have the write permission to the workspace,
|
||||||
|
|
@ -149,8 +154,6 @@ where
|
||||||
if result {
|
if result {
|
||||||
Ok(())
|
Ok(())
|
||||||
} else {
|
} else {
|
||||||
println!("------------------------------ Not enough permissions");
|
|
||||||
|
|
||||||
Err(AppError::NotEnoughPermissions {
|
Err(AppError::NotEnoughPermissions {
|
||||||
user: uid.to_string(),
|
user: uid.to_string(),
|
||||||
action: format!(
|
action: format!(
|
||||||
|
|
|
||||||
|
|
@ -168,7 +168,6 @@ where
|
||||||
Box::pin(async move {
|
Box::pin(async move {
|
||||||
// If the workspace_id or collab_object_id is not present, skip the access control
|
// If the workspace_id or collab_object_id is not present, skip the access control
|
||||||
if workspace_id.is_none() && object_id.is_none() {
|
if workspace_id.is_none() && object_id.is_none() {
|
||||||
println!("-------- Skip access control for the request");
|
|
||||||
return fut.await;
|
return fut.await;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue