Use Permission module to check if user can have access to resource

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel 2021-07-23 11:34:28 +02:00
parent 0995043d04
commit c394f2cc5a
No known key found for this signature in database
GPG key ID: A061B9DDE0CA0773
3 changed files with 25 additions and 10 deletions


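--- a/<FILE PATH NOT SHOWN ON PAGE: Mobilizon.Federation.ActivityPub.Transmogrifier>
+++ b/<FILE PATH NOT SHOWN ON PAGE: Mobilizon.Federation.ActivityPub.Transmogrifier>
@@ -902,7 +902,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
 type
 )
 when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
-# TODO: The actor that accepts the Join activity may another one that the event organizer ?
 # Or maybe for groups it's the group that sends the Accept activity
 with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
 ActivityPub.accept(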


@ -12,6 +12,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
alias Mobilizon.GraphQL.API alias Mobilizon.GraphQL.API
alias Mobilizon.Federation.ActivityPub.Activity alias Mobilizon.Federation.ActivityPub.Activity
alias Mobilizon.Federation.ActivityPub.Permission
import Mobilizon.Users.Guards, only: [is_moderator: 1] import Mobilizon.Users.Guards, only: [is_moderator: 1]
import Mobilizon.Web.Gettext import Mobilizon.Web.Gettext
@ -75,13 +76,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
defp find_private_event( defp find_private_event(
_parent, _parent,
%{uuid: uuid}, %{uuid: uuid},
%{context: %{current_user: %User{id: user_id}}} = _resolution %{context: %{current_user: %User{} = user}} = _resolution
) do ) do
case {:has_event, Events.get_own_event_by_uuid_with_preload(uuid, user_id)} do %Actor{} = profile = Users.get_actor_for_user(user)
{:has_event, %Event{} = event} ->
{:ok, event}
{:has_event, _} -> case Events.get_event_by_uuid_with_preload(uuid) do
# Event attributed to group
%Event{attributed_to: %Actor{}} = event ->
if Permission.can_access_group_object?(profile, event) do
{:ok, event}
else
{:error, :event_not_found}
end
# Own event
%Event{organizer_actor: %Actor{id: actor_id}} = event ->
if actor_id == profile.id do
{:ok, event}
else
{:error, :event_not_found}
end
_ ->
{:error, :event_not_found} {:error, :event_not_found}
end end
end end
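Review bot: `%Actor{} = profile = Users.get_actor_for_user(user)` at the top of the new find_private_event body raises a MatchError whenever the lookup returns anything but an `%Actor{}` (for instance `nil` for a user without a profile), so a request that used to answer "not found" would now crash the resolver; the Post resolver in this same commit guards the identical call inside a `with`, and this function should do the same. A second behaviour change worth confirming: the own-event branch now compares only `actor_id == profile.id`, i.e. the user's current actor, whereas the removed `Events.get_own_event_by_uuid_with_preload(uuid, user_id)` presumably matched any actor belonging to the user, so an event organised with one of the user's other profiles would now answer `:event_not_found`. Both points can be addressed by folding the lookups into a `with` and moving the two access rules into a small private predicate, which also keeps the unauthorised and not-found outcomes on the same `{:error, :event_not_found}` path so the caller cannot tell a hidden event from a missing one.
```elixir
     ) do
  with %Actor{} = profile <- Users.get_actor_for_user(user),
       %Event{} = event <- Events.get_event_by_uuid_with_preload(uuid),
       true <- accessible?(profile, event) do
    {:ok, event}
  else
    # nil actor, unknown uuid and refused access all collapse to the same answer on purpose
    _ -> {:error, :event_not_found}
  end
end

# Event attributed to a group: defer to the federation permission check.
defp accessible?(profile, %Event{attributed_to: %Actor{}} = event),
  do: Permission.can_access_group_object?(profile, event)

# Own event: the organizer must be the requesting profile.
defp accessible?(%Actor{id: actor_id}, %Event{organizer_actor: %Actor{id: actor_id}}), do: true
defp accessible?(_profile, _event), do: false
```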


@ -7,7 +7,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
alias Mobilizon.{Actors, Posts, Users} alias Mobilizon.{Actors, Posts, Users}
alias Mobilizon.Actors.Actor alias Mobilizon.Actors.Actor
alias Mobilizon.Federation.ActivityPub alias Mobilizon.Federation.ActivityPub
alias Mobilizon.Federation.ActivityPub.Utils alias Mobilizon.Federation.ActivityPub.{Permission, Utils}
alias Mobilizon.Posts.Post alias Mobilizon.Posts.Post
alias Mobilizon.Storage.Page alias Mobilizon.Storage.Page
alias Mobilizon.Users.User alias Mobilizon.Users.User
@ -69,11 +69,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
} }
} = _resolution } = _resolution
) do ) do
with {:current_actor, %Actor{id: actor_id}} <- with {:current_actor, %Actor{} = current_profile} <-
{:current_actor, Users.get_actor_for_user(user)}, {:current_actor, Users.get_actor_for_user(user)},
{:post, %Post{attributed_to: %Actor{id: group_id}} = post} <- {:post, %Post{attributed_to: %Actor{}} = post} <-
{:post, Posts.get_post_by_slug_with_preloads(slug)}, {:post, Posts.get_post_by_slug_with_preloads(slug)},
{:member, true} <- {:member, Actors.is_member?(actor_id, group_id)} do {:member, true} <- {:member, Permission.can_access_group_object?(current_profile, post)} do
{:ok, post} {:ok, post}
else else
{:member, false} -> get_post(parent, %{slug: slug}, nil) {:member, false} -> get_post(parent, %{slug: slug}, nil)
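Review bot: The `{:member, true}` tag on the last `with` clause no longer describes what is checked: `Permission.can_access_group_object?(current_profile, post)` is an access decision (its name says so), not a membership test, so a reader tracing `{:member, false}` in the else branch is misled about why the private post was refused. Rename the tag on both sides, `{:can_access, true} <- {:can_access, Permission.can_access_group_object?(current_profile, post)} do` and `{:can_access, false} -> get_post(parent, %{slug: slug}, nil)`. The enclosing function head and the remainder of its else clause lie outside the hunk.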