From 2168628373952f0bc32079f018aa56d7fe41a465 Mon Sep 17 00:00:00 2001
From: Bastian Rihm
Date: Wed, 25 Sep 2024 09:59:48 +0200
Subject: [PATCH] Allow meeting user restriction mode E for related user (#1018)
---
 internal/restrict/collection/meeting_user.go | 29 +++++++++++++++++--
 .../restrict/collection/meeting_user_test.go | 14 +++++++++
 2 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/internal/restrict/collection/meeting_user.go b/internal/restrict/collection/meeting_user.go
index 5759c95b..576f60c7 100644
--- a/internal/restrict/collection/meeting_user.go
+++ b/internal/restrict/collection/meeting_user.go
@@ -21,7 +21,10 @@ import (
 // The request user has the OML can_manage_users or higher.
 // The request user has user.can_manage in the meeting
 //
-// Mode E: User has the permissoin can_see_sensible_data.
+// Mode E: Y can see these fields if at least one condition is true:
+//
+// Y has the permissoin can_see_sensible_data.
+// Y is the related user.
 type MeetingUser struct{}
 
 // Name returns the collection name.
@@ -120,5 +123,27 @@ func (m MeetingUser) modeD(ctx context.Context, ds *dsfetch.Fetch, meetingUserID
 }
 
 func (m MeetingUser) modeE(ctx context.Context, ds *dsfetch.Fetch, meetingUserIDs ...int) ([]int, error) {
- return meetingPerm(ctx, ds, m, meetingUserIDs, perm.UserCanSeeSensitiveData)
+ requestUser, err := perm.RequestUserFromContext(ctx)
+ if err != nil {
+ return nil, fmt.Errorf("getting request user: %w", err)
+ }
+
+ return eachMeeting(ctx, ds, m, meetingUserIDs, func(meetingID int, idsInMeeting []int) ([]int, error) {
+ perms, err := perm.FromContext(ctx, meetingID)
+ if err != nil {
+ return nil, fmt.Errorf("getting permission: %w", err)
+ }
+
+ if perms.Has(perm.UserCanSeeSensitiveData) {
+ return idsInMeeting, nil
+ }
+
+ return eachRelationField(ctx, ds.MeetingUser_UserID, idsInMeeting, func(userID int, ids []int) ([]int, error) {
+ if userID == requestUser {
+ return ids, nil
+ }
+
+ return nil, nil
+ })
+ })
 }
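Review bot: The rewritten Mode E comment on `MeetingUser` still carries the typo `permissoin`, and it names the permission `can_see_sensible_data` while `modeE` checks the constant `perm.UserCanSeeSensitiveData`. This comment is the readable statement of who may see mode E fields, so it should agree with what the code enforces. If the permission string is spelled with "sensitive" (not visible in this hunk), the line would read `// Y has the permission can_see_sensitive_data.`. The comment block starts above the hunk.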
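Review bot: The self-access branch in `modeE` compares `userID == requestUser` without first excluding an unauthenticated request user. If anonymous requests reach this restrictor with a request user of 0 (an assumption, the hunk does not show how `perm.RequestUserFromContext` represents them), a meeting_user whose `user_id` is unset would match and its mode E fields would be released. Stating the precondition costs one line: `if requestUser != 0 && userID == requestUser {`. `modeE` also has no doc comment; a line such as `// modeE allows access with the sensitive-data permission in the meeting, or when the meeting_user belongs to the request user.` would keep the rule next to the code that enforces it.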
diff --git a/internal/restrict/collection/meeting_user_test.go b/internal/restrict/collection/meeting_user_test.go
index 36251c5b..d29d5d02 100644
--- a/internal/restrict/collection/meeting_user_test.go
+++ b/internal/restrict/collection/meeting_user_test.go
@@ -222,6 +222,20 @@ func TestMeetingUserModeE(t *testing.T) {
 withElementID(20),
 )
 
+ testCase(
+ "Without perms themselves",
+ t,
+ mode,
+ true,
+ `---
+ user/1/id: 1
+ meeting_user/20:
+ user_id: 1
+ meeting_id: 5
+ `,
+ withElementID(20),
+ )
+
 testCase(
 "Can see",
 t,
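Review bot: The added case "Without perms themselves" pins only the allow path of the new ownership rule. Nothing in this hunk shows a deny case for a request user without the permission reading a meeting_user that belongs to someone else. For an access-control relaxation the deny case is the more important one to pin, so that a later edit to the comparison cannot widen access unnoticed. Unless a case outside the hunk already covers it, a mirror case with a different `user_id` and an expected result of `false` would close the gap. The sketch below assumes the request user in these tests is user 1, as the added case suggests, and its YAML indentation should follow the file's convention. `TestMeetingUserModeE` starts and ends outside the hunk.

```go
testCase(
	"Without perms other user",
	t,
	mode,
	false,
	`---
	user/1/id: 1
	meeting_user/20:
		user_id: 2
		meeting_id: 5
	`,
	withElementID(20),
)
```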