fix: owner invite permission

This commit is contained in:
Zack Fu Zi Xiang 2024-03-04 00:59:11 +08:00
parent 439a59ed2d
commit 65d69ef0fd
No known key found for this signature in database
3 changed files with 14 additions and 11 deletions

View File

@ -45,6 +45,7 @@ pub const COLLAB_OBJECT_ID_PATH: &str = "object_id";
pub const WORKSPACE_PATTERN: &str = "/api/workspace"; pub const WORKSPACE_PATTERN: &str = "/api/workspace";
pub const WORKSPACE_MEMBER_PATTERN: &str = "/api/workspace/{workspace_id}/member"; pub const WORKSPACE_MEMBER_PATTERN: &str = "/api/workspace/{workspace_id}/member";
pub const WORKSPACE_INVITE_PATTERN: &str = "/api/workspace/{workspace_id}/invite";
pub const COLLAB_PATTERN: &str = "/api/workspace/{workspace_id}/collab/{object_id}"; pub const COLLAB_PATTERN: &str = "/api/workspace/{workspace_id}/collab/{object_id}";
pub fn workspace_scope() -> Scope { pub fn workspace_scope() -> Scope {
@ -57,6 +58,10 @@ pub fn workspace_scope() -> Scope {
.route(web::post().to(create_workspace_handler)) .route(web::post().to(create_workspace_handler))
.route(web::patch().to(patch_workspace_handler)) .route(web::patch().to(patch_workspace_handler))
) )
.service(
web::resource("/{workspace_id}/invite")
.route(web::post().to(post_workspace_invite_handler)) // invite members to workspace
)
.service( .service(
web::resource("/invite") web::resource("/invite")
.route(web::get().to(get_workspace_invite_handler)) // show invites for user .route(web::get().to(get_workspace_invite_handler)) // show invites for user
@ -74,11 +79,7 @@ pub fn workspace_scope() -> Scope {
.route(web::get().to(get_workspace_members_handler)) .route(web::get().to(get_workspace_members_handler))
.route(web::post().to(create_workspace_members_handler)) // deprecated, use invite flow instead .route(web::post().to(create_workspace_members_handler)) // deprecated, use invite flow instead
.route(web::put().to(update_workspace_member_handler)) .route(web::put().to(update_workspace_member_handler))
.route(web::delete().to(remove_workspace_member_handler)), .route(web::delete().to(remove_workspace_member_handler))
)
.service(
web::resource("/{workspace_id}/invite")
.route(web::post().to(post_workspace_invite_handler)) // invite members to workspace
) )
.service( .service(
web::resource("/{workspace_id}/collab/{object_id}") web::resource("/{workspace_id}/collab/{object_id}")

View File

@ -9,7 +9,9 @@ use sqlx::{Executor, PgPool, Postgres};
use std::collections::hash_map::Entry; use std::collections::hash_map::Entry;
use std::collections::HashMap; use std::collections::HashMap;
use crate::api::workspace::{WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN}; use crate::api::workspace::{
WORKSPACE_INVITE_PATTERN, WORKSPACE_MEMBER_PATTERN, WORKSPACE_PATTERN,
};
use crate::biz::casbin::access_control::Action; use crate::biz::casbin::access_control::Action;
use crate::state::UserCache; use crate::state::UserCache;
use actix_router::{Path, ResourceDef, Url}; use actix_router::{Path, ResourceDef, Url};
@ -76,6 +78,11 @@ where
] ]
.into(), .into(),
), ),
(
// Only the Owner can invite a user to the workspace
ResourceDef::new(WORKSPACE_INVITE_PATTERN),
[(Method::POST, AFRole::Owner)].into(),
),
], ],
access_control, access_control,
} }
@ -120,10 +127,8 @@ where
) -> Result<(), AppError> { ) -> Result<(), AppError> {
if self.should_skip(&method, path) { if self.should_skip(&method, path) {
trace!("Skip access control for the request"); trace!("Skip access control for the request");
println!("------- Skip access control for the request");
return Ok(()); return Ok(());
} }
println!("----- Check access control for the request");
// For some specific resources, we require a specific role to access them instead of the action. // For some specific resources, we require a specific role to access them instead of the action.
// For example, Both AFRole::Owner and AFRole::Member have the write permission to the workspace, // For example, Both AFRole::Owner and AFRole::Member have the write permission to the workspace,
@ -149,8 +154,6 @@ where
if result { if result {
Ok(()) Ok(())
} else { } else {
println!("------------------------------ Not enough permissions");
Err(AppError::NotEnoughPermissions { Err(AppError::NotEnoughPermissions {
user: uid.to_string(), user: uid.to_string(),
action: format!( action: format!(

View File

@ -168,7 +168,6 @@ where
Box::pin(async move { Box::pin(async move {
// If the workspace_id or collab_object_id is not present, skip the access control // If the workspace_id or collab_object_id is not present, skip the access control
if workspace_id.is_none() && object_id.is_none() { if workspace_id.is_none() && object_id.is_none() {
println!("-------- Skip access control for the request");
return fut.await; return fut.await;
} }