Fix repo permission filtering

compose/service/chart.go

@@ -102,7 +102,7 @@ func (svc chart) checkPermissions(c *types.Chart, err error) (*types.Chart, erro
 }
 
 func (svc chart) Find(filter types.ChartFilter) (set types.ChartSet, f types.ChartFilter, err error) {
-	f.IsReadable = svc.ac.FilterReadableCharts(svc.ctx)
+	filter.IsReadable = svc.ac.FilterReadableCharts(svc.ctx)
 
 	set, f, err = svc.chartRepo.Find(filter)
 	if err != nil {

compose/service/module.go

@@ -125,17 +125,13 @@ func (svc module) loader(m *types.Module, err error) (*types.Module, error) {
 }
 
 func (svc module) Find(filter types.ModuleFilter) (set types.ModuleSet, f types.ModuleFilter, err error) {
-	f.IsReadable = svc.ac.FilterReadableModules(svc.ctx)
+	filter.IsReadable = svc.ac.FilterReadableModules(svc.ctx)
 
 	set, f, err = svc.moduleRepo.Find(filter)
 	if err != nil {
 		return
 	}
 
-	set, _ = set.Filter(func(m *types.Module) (bool, error) {
-		return svc.ac.CanReadModule(svc.ctx, m), nil
-	})
-
 	// Preload all fields and update all modules
 	var ff types.ModuleFieldSet
 	if ff, err = svc.moduleRepo.FindFields(set.IDs()...); err != nil {

compose/service/namespace.go

@@ -97,7 +97,7 @@ func (svc namespace) checkPermissions(p *types.Namespace, err error) (*types.Nam
 }
 
 func (svc namespace) Find(filter types.NamespaceFilter) (set types.NamespaceSet, f types.NamespaceFilter, err error) {
-	f.IsReadable = svc.ac.FilterReadableNamespaces(svc.ctx)
+	filter.IsReadable = svc.ac.FilterReadableNamespaces(svc.ctx)
 
 	set, f, err = svc.namespaceRepo.Find(filter)
 	if err != nil {

compose/service/page.go

@@ -133,7 +133,7 @@ func (svc page) FindBySelfID(namespaceID, parentID uint64) (pp types.PageSet, f
 }
 
 func (svc page) Find(filter types.PageFilter) (set types.PageSet, f types.PageFilter, err error) {
-	f.IsReadable = svc.ac.FilterReadablePages(svc.ctx)
+	filter.IsReadable = svc.ac.FilterReadablePages(svc.ctx)
 
 	if filter.NamespaceID == 0 {
 		return nil, f, ErrNamespaceRequired.withStack()

system/repository/application.go

@@ -100,6 +100,10 @@ func (r *application) Find(filter types.ApplicationFilter) (set types.Applicatio
 
 	query := r.query()
 
+	if f.IsReadable != nil {
+		query = query.Where(f.IsReadable)
+	}
+
 	var orderBy []string
 	if orderBy, err = rh.ParseOrder(f.Sort, r.columns()...); err != nil {
 		return

tests/compose/chart_test.go

@@ -78,6 +78,26 @@ func TestChartList(t *testing.T) {
 		End()
 }
 
+func TestChartList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.allow(types.NamespacePermissionResource.AppendWildcard(), "read")
+	ns := h.repoMakeNamespace("some-namespace")
+
+	h.repoMakeChart(ns, "chart")
+	f := h.repoMakeChart(ns, "chart_forbiden")
+
+	h.deny(types.ChartPermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get(fmt.Sprintf("/namespace/%d/chart/", ns.ID)).
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.name=="chart_forbiden"]`)).
+		End()
+}
+
 func TestChartCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/compose/module_test.go

@@ -107,6 +107,26 @@ func TestModuleListQuery(t *testing.T) {
 		End()
 }
 
+func TestModuleList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.allow(types.NamespacePermissionResource.AppendWildcard(), "read")
+	ns := h.repoMakeNamespace("some-namespace")
+
+	h.repoMakeModule(ns, "module")
+	f := h.repoMakeModule(ns, "module_forbiden")
+
+	h.deny(types.ModulePermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get(fmt.Sprintf("/namespace/%d/module/", ns.ID)).
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.name=="module_forbiden"]`)).
+		End()
+}
+
 func TestModuleCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/compose/namespace_test.go

@@ -72,6 +72,23 @@ func TestNamespaceList(t *testing.T) {
 		End()
 }
 
+func TestNamespaceList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.repoMakeNamespace("namespace")
+	f := h.repoMakeNamespace("namespace_forbiden")
+
+	h.deny(types.NamespacePermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get("/namespace/").
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.name=="namespace_forbiden"]`)).
+		End()
+}
+
 func TestNamespaceCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/compose/page_test.go

@@ -87,6 +87,26 @@ func TestPageList(t *testing.T) {
 		End()
 }
 
+func TestPageList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.allow(types.NamespacePermissionResource.AppendWildcard(), "read")
+	ns := h.repoMakeNamespace("some-namespace")
+
+	h.repoMakePage(ns, "page")
+	f := h.repoMakePage(ns, "page_forbiden")
+
+	h.deny(types.PagePermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get(fmt.Sprintf("/namespace/%d/page/", ns.ID)).
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.title=="page_forbiden"]`)).
+		End()
+}
+
 func TestPageCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/system/application_test.go

@@ -55,6 +55,23 @@ func TestApplicationList(t *testing.T) {
 		End()
 }
 
+func TestApplicationList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.repoMakeApplication("app")
+	f := h.repoMakeApplication("app_forbiden")
+
+	h.deny(types.ApplicationPermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get("/application/").
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.name=="app_forbiden"]`)).
+		End()
+}
+
 func TestApplicationCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/system/automation_script_test.go

@@ -59,6 +59,24 @@ func TestAutomationScriptList(t *testing.T) {
 		End()
 }
 
+func TestAutomationScriptList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.svcMakeAutomationScript("scr" + rs())
+	ff := "scr_forbiden" + rs()
+	f := h.svcMakeAutomationScript(ff)
+
+	h.deny(types.AutomationScriptPermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get("/automation/script/").
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(fmt.Sprintf(`$.response.set[? @.name=="%s"]`, ff))).
+		End()
+}
+
 func TestAutomationScriptCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/system/role_test.go

@@ -68,6 +68,23 @@ func TestRoleList(t *testing.T) {
 		End()
 }
 
+func TestRoleList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+
+	h.repoMakeRole("role")
+	f := h.repoMakeRole("role_forbiden")
+
+	h.deny(types.RolePermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get("/roles/").
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.name=="role_forbiden"]`)).
+		End()
+}
+
 func TestRoleCreateForbidden(t *testing.T) {
 	h := newHelper(t)
 

tests/system/user_test.go

@@ -80,6 +80,24 @@ func TestUserListAll(t *testing.T) {
 	h.a.GreaterOrEqual(int(aux.Response.Filter.Count), seedCount)
 }
 
+func TestUserList_filterForbiden(t *testing.T) {
+	h := newHelper(t)
+	h.allow(types.UserPermissionResource.AppendWildcard(), "read")
+
+	h.repoMakeUser("usr")
+	f := h.repoMakeUser("usr_forbiden")
+
+	h.deny(types.UserPermissionResource.AppendID(f.ID), "read")
+
+	h.apiInit().
+		Get("/users/").
+		Expect(t).
+		Status(http.StatusOK).
+		Assert(helpers.AssertNoErrors).
+		Assert(jsonpath.NotPresent(`$.response.set[? @.email=="usr_forbiden"]`)).
+		End()
+}
+
 func TestUserListQuery(t *testing.T) {
 	h := newHelper(t)