mobilizon/lib/federation/activity_pub/permission.ex

defmodule Mobilizon.Federation.ActivityPub.Permission do
  @moduledoc """
  Module to check group members permissions on objects
  """

  alias Mobilizon.Actors
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Federation.ActivityPub.Types.{Entity, Ownable}
  require Logger

  @doc """
  Check that actor can access the object
  """
  @spec can_access_group_object?(Actor.t(), Entity.t()) :: boolean()
  def can_access_group_object?(%Actor{} = actor, object) do
    can_manage_group_object?(:role_needed_to_access, actor, object)
  end

  @doc """
  Check that actor can update the object
  """
  @spec can_update_group_object?(Actor.t(), Entity.t()) :: boolean()
  def can_update_group_object?(%Actor{} = actor, object) do
    can_manage_group_object?(:role_needed_to_update, actor, object)
  end

  @doc """
  Check that actor can delete the object
  """
  @spec can_delete_group_object?(Actor.t(), Entity.t()) :: boolean()
  def can_delete_group_object?(%Actor{} = actor, object) do
    can_manage_group_object?(:role_needed_to_delete, actor, object)
  end

  @spec can_manage_group_object?(
          :role_needed_to_access | :role_needed_to_update | :role_needed_to_delete,
          Actor.t(),
          any()
        ) :: boolean()
  defp can_manage_group_object?(action_function, %Actor{url: actor_url} = actor, object) do
    if Ownable.group_actor(object) != nil do
      case apply(Ownable, action_function, [object]) do
        role when role in [:member, :moderator, :administrator] ->
          activity_actor_is_group_member?(actor, object, role)

        _ ->
          case action_function do
            :role_needed_to_access ->
              Logger.warn("Actor #{actor_url} can't access #{object.url}")

            :role_needed_to_update ->
              Logger.warn("Actor #{actor_url} can't update #{object.url}")

            :role_needed_to_delete ->
              Logger.warn("Actor #{actor_url} can't delete #{object.url}")
          end

          false
      end
    else
      true
    end
  end

  @spec activity_actor_is_group_member?(Actor.t(), Entity.t(), atom()) :: boolean()
  defp activity_actor_is_group_member?(
         %Actor{id: actor_id, url: actor_url},
         object,
         role
       ) do
    case Ownable.group_actor(object) do
      %Actor{type: :Group, id: group_id, url: group_url} ->
        Logger.debug("Group object url is #{group_url}")

        case role do
          :moderator ->
            Logger.debug(
              "Checking if activity actor #{actor_url} is a moderator from group from #{object.url}"
            )

            Actors.is_moderator?(actor_id, group_id)

          :administrator ->
            Logger.debug(
              "Checking if activity actor #{actor_url} is an administrator from group from #{object.url}"
            )

            Actors.is_administrator?(actor_id, group_id)

          _ ->
            Logger.debug(
              "Checking if activity actor #{actor_url} is a member from group from #{object.url}"
            )

            Actors.is_member?(actor_id, group_id)
        end

      _ ->
        false
    end
  end
end
Add the :role_needed_to_access permission check and refactor Signed-off-by: Thomas Citharel <tcit@tcit.fr> 2021-07-23 09:42:50 +02:00			`defmodule Mobilizon.Federation.ActivityPub.Permission do`
			`@moduledoc """`
			`Module to check group members permissions on objects`
			`"""`

			`alias Mobilizon.Actors`
			`alias Mobilizon.Actors.Actor`
			`alias Mobilizon.Federation.ActivityPub.Types.{Entity, Ownable}`
			`require Logger`

			`@doc """`
			`Check that actor can access the object`
			`"""`
			`@spec can_access_group_object?(Actor.t(), Entity.t()) :: boolean()`
			`def can_access_group_object?(%Actor{} = actor, object) do`
			`can_manage_group_object?(:role_needed_to_access, actor, object)`
			`end`

			`@doc """`
			`Check that actor can update the object`
			`"""`
			`@spec can_update_group_object?(Actor.t(), Entity.t()) :: boolean()`
			`def can_update_group_object?(%Actor{} = actor, object) do`
			`can_manage_group_object?(:role_needed_to_update, actor, object)`
			`end`

			`@doc """`
			`Check that actor can delete the object`
			`"""`
			`@spec can_delete_group_object?(Actor.t(), Entity.t()) :: boolean()`
			`def can_delete_group_object?(%Actor{} = actor, object) do`
			`can_manage_group_object?(:role_needed_to_delete, actor, object)`
			`end`

			`@spec can_manage_group_object?(`
			`:role_needed_to_access \| :role_needed_to_update \| :role_needed_to_delete,`
			`Actor.t(),`
			`any()`
			`) :: boolean()`
			`defp can_manage_group_object?(action_function, %Actor{url: actor_url} = actor, object) do`
			`if Ownable.group_actor(object) != nil do`
			`case apply(Ownable, action_function, [object]) do`
			`role when role in [:member, :moderator, :administrator] ->`
			`activity_actor_is_group_member?(actor, object, role)`

			`_ ->`
			`case action_function do`
			`:role_needed_to_access ->`
			`Logger.warn("Actor #{actor_url} can't access #{object.url}")`

			`:role_needed_to_update ->`
			`Logger.warn("Actor #{actor_url} can't update #{object.url}")`

			`:role_needed_to_delete ->`
			`Logger.warn("Actor #{actor_url} can't delete #{object.url}")`
			`end`

			`false`
			`end`
			`else`
			`true`
			`end`
			`end`

			`@spec activity_actor_is_group_member?(Actor.t(), Entity.t(), atom()) :: boolean()`
			`defp activity_actor_is_group_member?(`
			`%Actor{id: actor_id, url: actor_url},`
			`object,`
			`role`
			`) do`
			`case Ownable.group_actor(object) do`
			`%Actor{type: :Group, id: group_id, url: group_url} ->`
			`Logger.debug("Group object url is #{group_url}")`

			`case role do`
			`:moderator ->`
			`Logger.debug(`
			`"Checking if activity actor #{actor_url} is a moderator from group from #{object.url}"`
			`)`

			`Actors.is_moderator?(actor_id, group_id)`

			`:administrator ->`
			`Logger.debug(`
			`"Checking if activity actor #{actor_url} is an administrator from group from #{object.url}"`
			`)`

			`Actors.is_administrator?(actor_id, group_id)`

			`_ ->`
			`Logger.debug(`
			`"Checking if activity actor #{actor_url} is a member from group from #{object.url}"`
			`)`

			`Actors.is_member?(actor_id, group_id)`
			`end`

			`_ ->`
			`false`
			`end`
			`end`
			`end`