
Channel access protection

This commit is contained in:
Denis Arh 2018-09-26 19:23:55 +02:00
parent 17a3f9461e
commit f0b6be9ae6
3 changed files with 29 additions and 4 deletions


@ -55,6 +55,19 @@ const (
FROM channel_members AS cm FROM channel_members AS cm
WHERE true` WHERE true`
// subquery that filters out all channels that current user has access to as a member
// or via channel type (public chans)
sqlChannelAccess = ` AND c.id IN (
SELECT id
FROM channels c
LEFT OUTER JOIN channel_members AS m ON (c.id = m.rel_channel)
WHERE rel_user = ?
UNION
SELECT id
FROM channels c
WHERE c.type = ?
)`
ErrChannelNotFound = repositoryError("ChannelNotFound") ErrChannelNotFound = repositoryError("ChannelNotFound")
) )
@ -106,6 +119,12 @@ func (r *channel) FindChannels(filter *types.ChannelFilter) ([]*types.Channel, e
sql += " AND c.name LIKE ?" sql += " AND c.name LIKE ?"
params = append(params, filter.Query+"%") params = append(params, filter.Query+"%")
} }
if filter.CurrentUserID > 0 {
sql += sqlChannelAccess
params = append(params, filter.CurrentUserID, types.ChannelTypePublic)
}
} }
sql += " ORDER BY c.name ASC" sql += " ORDER BY c.name ASC"
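Review bot: The new access subquery is applied only when `filter.CurrentUserID > 0`, so a request whose identity resolves to 0 (an unauthenticated or system context, if the auth package uses 0 for that) skips the guard entirely and FindChannels returns every channel, private ones included — the check fails open. Unless a zero user is a deliberate "internal, unfiltered" mode, make it fail closed: drop the `> 0` condition so the subquery always runs (a zero user then matches no `channel_members` row and sees only `types.ChannelTypePublic` channels), or return an error for a zero identity. If the unfiltered mode is intentional, say so on the `if`, e.g. `// CurrentUserID == 0 is an internal caller: no access filtering is applied`. Separately, `LEFT OUTER JOIN ... WHERE rel_user = ?` in the subquery is effectively an inner join since the WHERE discards the unmatched rows; a plain `JOIN` would state the intent. FindChannels starts before this hunk and continues after it.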


@ -4,6 +4,7 @@ import (
"context" "context"
"fmt" "fmt"
"github.com/crusttech/crust/internal/auth"
"github.com/pkg/errors" "github.com/pkg/errors"
"github.com/titpetric/factory" "github.com/titpetric/factory"
@ -24,7 +25,7 @@ type (
With(ctx context.Context) ChannelService With(ctx context.Context) ChannelService
FindByID(channelID uint64) (*types.Channel, error) FindByID(channelID uint64) (*types.Channel, error)
Find(filter *types.ChannelFilter) ([]*types.Channel, error) Find(filter *types.ChannelFilter) (types.ChannelSet, error)
FindByMembership() (rval []*types.Channel, err error) FindByMembership() (rval []*types.Channel, err error)
Create(channel *types.Channel) (*types.Channel, error) Create(channel *types.Channel) (*types.Channel, error)
@ -67,8 +68,9 @@ func (svc *channel) FindByID(id uint64) (ch *types.Channel, err error) {
return return
} }
func (svc *channel) Find(filter *types.ChannelFilter) ([]*types.Channel, error) { func (svc *channel) Find(filter *types.ChannelFilter) (types.ChannelSet, error) {
// @todo: permission check to return only channels that channel has access to filter.CurrentUserID = auth.GetIdentityFromContext(svc.ctx).Identity()
if cc, err := svc.channel.FindChannels(filter); err != nil { if cc, err := svc.channel.FindChannels(filter); err != nil {
return nil, err return nil, err
} else { } else {
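Review bot: `filter.CurrentUserID = auth.GetIdentityFromContext(svc.ctx).Identity()` forwards whatever the context identity resolves to with no check that the caller is authenticated; if `Identity()` yields 0 for an anonymous context, the store's `CurrentUserID > 0` guard (visible in the repository hunk) is skipped and the caller receives every channel. Consider rejecting a zero identity here so the service, not the store, decides what unauthenticated callers may see, e.g. `if filter.CurrentUserID == 0 { return nil, errors.New("not authenticated") }` — I cannot see what `GetIdentityFromContext` returns when the context carries no identity, so also confirm it never returns nil (the chained `.Identity()` would panic). Note that `FindByID` on the same interface gets no equivalent access check in this commit, so a channel reached by ID is presumably still readable regardless of membership; worth a follow-up or an explicit `// @todo` there. Find's body continues past the end of the hunk.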


@ -38,7 +38,11 @@ type (
} }
ChannelFilter struct { ChannelFilter struct {
Query string Query string
// Only return channels accessible by this user
CurrentUserID uint64
IncludeMembers bool IncludeMembers bool
} }
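Review bot: The comment on `CurrentUserID` should state what the zero value means, because the store treats 0 as "no access filtering" and returns all channels; a future caller that builds a ChannelFilter without setting it gets unfiltered results silently. Suggest `// CurrentUserID restricts results to channels this user is a member of or that are public.` followed by `// Zero disables the access filter entirely and returns all channels; the service layer sets it from the request identity.` The enclosing `type (` group starts before this hunk.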