mobilizon/lib/federation/activity_pub/permission.ex
Thomas Citharel 0995043d04
Add the :role_needed_to_access permission check and refactor
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-08-01 10:51:17 +02:00

103 lines
3.1 KiB
Elixir

defmodule Mobilizon.Federation.ActivityPub.Permission do
@moduledoc """
Module to check group members permissions on objects
"""
alias Mobilizon.Actors
alias Mobilizon.Actors.Actor
alias Mobilizon.Federation.ActivityPub.Types.{Entity, Ownable}
require Logger
@doc """
Check that actor can access the object
"""
@spec can_access_group_object?(Actor.t(), Entity.t()) :: boolean()
def can_access_group_object?(%Actor{} = actor, object) do
can_manage_group_object?(:role_needed_to_access, actor, object)
end
@doc """
Check that actor can update the object
"""
@spec can_update_group_object?(Actor.t(), Entity.t()) :: boolean()
def can_update_group_object?(%Actor{} = actor, object) do
can_manage_group_object?(:role_needed_to_update, actor, object)
end
@doc """
Check that actor can delete the object
"""
@spec can_delete_group_object?(Actor.t(), Entity.t()) :: boolean()
def can_delete_group_object?(%Actor{} = actor, object) do
can_manage_group_object?(:role_needed_to_delete, actor, object)
end
@spec can_manage_group_object?(
:role_needed_to_access | :role_needed_to_update | :role_needed_to_delete,
Actor.t(),
any()
) :: boolean()
defp can_manage_group_object?(action_function, %Actor{url: actor_url} = actor, object) do
if Ownable.group_actor(object) != nil do
case apply(Ownable, action_function, [object]) do
role when role in [:member, :moderator, :administrator] ->
activity_actor_is_group_member?(actor, object, role)
_ ->
case action_function do
:role_needed_to_access ->
Logger.warn("Actor #{actor_url} can't access #{object.url}")
:role_needed_to_update ->
Logger.warn("Actor #{actor_url} can't update #{object.url}")
:role_needed_to_delete ->
Logger.warn("Actor #{actor_url} can't delete #{object.url}")
end
false
end
else
true
end
end
@spec activity_actor_is_group_member?(Actor.t(), Entity.t(), atom()) :: boolean()
defp activity_actor_is_group_member?(
%Actor{id: actor_id, url: actor_url},
object,
role
) do
case Ownable.group_actor(object) do
%Actor{type: :Group, id: group_id, url: group_url} ->
Logger.debug("Group object url is #{group_url}")
case role do
:moderator ->
Logger.debug(
"Checking if activity actor #{actor_url} is a moderator from group from #{object.url}"
)
Actors.is_moderator?(actor_id, group_id)
:administrator ->
Logger.debug(
"Checking if activity actor #{actor_url} is an administrator from group from #{object.url}"
)
Actors.is_administrator?(actor_id, group_id)
_ ->
Logger.debug(
"Checking if activity actor #{actor_url} is a member from group from #{object.url}"
)
Actors.is_member?(actor_id, group_id)
end
_ ->
false
end
end
end