Channel access protection

2018-09-26 19:23:55 +02:00 · 2018-09-26 19:23:55 +02:00 · f0b6be9ae6
commit f0b6be9ae6
parent 17a3f9461e
3 changed files with 29 additions and 4 deletions
--- a/sam/repository/channel.go
+++ b/sam/repository/channel.go
@ -55,6 +55,19 @@ const (
        FROM channel_members AS cm
       WHERE true`

+	// subquery that filters out all channels that current user has access to as a member
+	// or via channel type (public chans)
+	sqlChannelAccess = ` AND c.id IN (
+				SELECT id
+                  FROM channels c
+                       LEFT OUTER JOIN channel_members AS m ON (c.id = m.rel_channel)
+                 WHERE rel_user = ?
+              UNION
+                SELECT id
+                  FROM channels c
+                 WHERE c.type = ?
+			)`
+
 	ErrChannelNotFound = repositoryError("ChannelNotFound")
 )

@ -106,6 +119,12 @@ func (r *channel) FindChannels(filter *types.ChannelFilter) ([]*types.Channel, e
 			sql += " AND c.name LIKE ?"
 			params = append(params, filter.Query+"%")
 		}
+
+		if filter.CurrentUserID > 0 {
+			sql += sqlChannelAccess
+			params = append(params, filter.CurrentUserID, types.ChannelTypePublic)
+
+		}
 	}

 	sql += " ORDER BY c.name ASC"
--- a/sam/service/channel.go
+++ b/sam/service/channel.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"fmt"

+	"github.com/crusttech/crust/internal/auth"
 	"github.com/pkg/errors"
 	"github.com/titpetric/factory"

@ -24,7 +25,7 @@ type (
 		With(ctx context.Context) ChannelService

 		FindByID(channelID uint64) (*types.Channel, error)
-		Find(filter *types.ChannelFilter) ([]*types.Channel, error)
+		Find(filter *types.ChannelFilter) (types.ChannelSet, error)
 		FindByMembership() (rval []*types.Channel, err error)

 		Create(channel *types.Channel) (*types.Channel, error)
@ -67,8 +68,9 @@ func (svc *channel) FindByID(id uint64) (ch *types.Channel, err error) {
 	return
 }

-func (svc *channel) Find(filter *types.ChannelFilter) ([]*types.Channel, error) {
-	// @todo: permission check to return only channels that channel has access to
+func (svc *channel) Find(filter *types.ChannelFilter) (types.ChannelSet, error) {
+	filter.CurrentUserID = auth.GetIdentityFromContext(svc.ctx).Identity()
+
 	if cc, err := svc.channel.FindChannels(filter); err != nil {
 		return nil, err
 	} else {
--- a/sam/types/channel.go
+++ b/sam/types/channel.go
@ -38,7 +38,11 @@ type (
 	}

 	ChannelFilter struct {
-		Query          string
+		Query string
+
+		// Only return channels accessible by this user
+		CurrentUserID uint64
+
 		IncludeMembers bool
 	}