Use Permission module to check if user can have access to resource

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2021-07-23 11:34:28 +02:00
parent 0995043d04
commit c394f2cc5a
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
3 changed files with 25 additions and 10 deletions

View file

@ -902,7 +902,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
type
)
when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
# TODO: The actor that accepts the Join activity may another one that the event organizer ?
# Or maybe for groups it's the group that sends the Accept activity
with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
ActivityPub.accept(

View file

@ -12,6 +12,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
alias Mobilizon.GraphQL.API
alias Mobilizon.Federation.ActivityPub.Activity
alias Mobilizon.Federation.ActivityPub.Permission
import Mobilizon.Users.Guards, only: [is_moderator: 1]
import Mobilizon.Web.Gettext
@ -75,13 +76,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
defp find_private_event(
_parent,
%{uuid: uuid},
%{context: %{current_user: %User{id: user_id}}} = _resolution
%{context: %{current_user: %User{} = user}} = _resolution
) do
case {:has_event, Events.get_own_event_by_uuid_with_preload(uuid, user_id)} do
{:has_event, %Event{} = event} ->
{:ok, event}
%Actor{} = profile = Users.get_actor_for_user(user)
{:has_event, _} ->
case Events.get_event_by_uuid_with_preload(uuid) do
# Event attributed to group
%Event{attributed_to: %Actor{}} = event ->
if Permission.can_access_group_object?(profile, event) do
{:ok, event}
else
{:error, :event_not_found}
end
# Own event
%Event{organizer_actor: %Actor{id: actor_id}} = event ->
if actor_id == profile.id do
{:ok, event}
else
{:error, :event_not_found}
end
_ ->
{:error, :event_not_found}
end
end

View file

@ -7,7 +7,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
alias Mobilizon.{Actors, Posts, Users}
alias Mobilizon.Actors.Actor
alias Mobilizon.Federation.ActivityPub
alias Mobilizon.Federation.ActivityPub.Utils
alias Mobilizon.Federation.ActivityPub.{Permission, Utils}
alias Mobilizon.Posts.Post
alias Mobilizon.Storage.Page
alias Mobilizon.Users.User
@ -69,11 +69,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
}
} = _resolution
) do
with {:current_actor, %Actor{id: actor_id}} <-
with {:current_actor, %Actor{} = current_profile} <-
{:current_actor, Users.get_actor_for_user(user)},
{:post, %Post{attributed_to: %Actor{id: group_id}} = post} <-
{:post, %Post{attributed_to: %Actor{}} = post} <-
{:post, Posts.get_post_by_slug_with_preloads(slug)},
{:member, true} <- {:member, Actors.is_member?(actor_id, group_id)} do
{:member, true} <- {:member, Permission.can_access_group_object?(current_profile, post)} do
{:ok, post}
else
{:member, false} -> get_post(parent, %{slug: slug}, nil)