Add API routes for fine-grained permission manipulation

Signed-off-by: Yannick Bungers <git@innay.de> fix lint Signed-off-by: Yannick Bungers <git@innay.de>
2024-11-25 03:06:31 -05:00 · 2022-01-16 23:51:56 +01:00 · 2022-01-16 23:51:56 +01:00 · 647990022b
commit 647990022b
parent 20ebb41197
1 changed files with 200 additions and 0 deletions
--- a/src/api/public/notes/notes.controller.ts
+++ b/src/api/public/notes/notes.controller.ts
@ -4,6 +4,7 @@
 * SPDX-License-Identifier: AGPL-3.0-only
 */
 import {
+  BadRequestException,
  Body,
  Controller,
  Delete,
@ -17,6 +18,8 @@ import {
 import { ApiSecurity, ApiTags } from '@nestjs/swagger';

 import { TokenAuthGuard } from '../../../auth/token.strategy';
+import { NotInDBError } from '../../../errors/errors';
+import { GroupsService } from '../../../groups/groups.service';
 import { HistoryService } from '../../../history/history.service';
 import { ConsoleLoggerService } from '../../../logger/console-logger.service';
 import { MediaUploadDto } from '../../../media/media-upload.dto';
@ -35,6 +38,7 @@ import { RevisionMetadataDto } from '../../../revisions/revision-metadata.dto';
 import { RevisionDto } from '../../../revisions/revision.dto';
 import { RevisionsService } from '../../../revisions/revisions.service';
 import { User } from '../../../users/user.entity';
+import { UsersService } from '../../../users/users.service';
 import { GetNoteInterceptor } from '../../utils/get-note.interceptor';
 import { MarkdownBody } from '../../utils/markdown-body.decorator';
 import { OpenApi } from '../../utils/openapi.decorator';
@ -52,6 +56,8 @@ export class NotesController {
  constructor(
    private readonly logger: ConsoleLoggerService,
    private noteService: NotesService,
+    private userService: UsersService,
+    private groupService: GroupsService,
    private revisionsService: RevisionsService,
    private historyService: HistoryService,
    private mediaService: MediaService,
@ -222,6 +228,200 @@ export class NotesController {
    );
  }

+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.READ)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Get(':noteIdOrAlias/metadata/permissions')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Get the permissions for a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async getPermissions(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+  ): Promise<NotePermissionsDto> {
+    return await this.noteService.toNotePermissionsDto(note);
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Set the permissions for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async setUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionUser = await this.userService.getUserByUsername(username);
+      const returnedNote = await this.noteService.setUserPermission(
+        note,
+        permissionUser,
+        canEdit,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't add user to permissions. User not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/users/:userName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Remove the permission for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async removeUserPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('userName') username: string,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionUser = await this.userService.getUserByUsername(username);
+      const returnedNote = await this.noteService.removeUserPermission(
+        note,
+        permissionUser,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't remove user from permissions. User not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Set the permissions for a user on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async setGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+    @Body() canEdit: boolean,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionGroup = await this.groupService.getGroupByName(groupName);
+      const returnedNote = await this.noteService.setGroupPermission(
+        note,
+        permissionGroup,
+        canEdit,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't add group to permissions. Group not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Delete(':noteIdOrAlias/metadata/permissions/groups/:groupName')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Remove the permission for a group on a note',
+      dto: NotePermissionsDto,
+    },
+    403,
+    404,
+  )
+  async removeGroupPermission(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Param('groupName') groupName: string,
+  ): Promise<NotePermissionsDto> {
+    try {
+      const permissionGroup = await this.groupService.getGroupByName(groupName);
+      const returnedNote = await this.noteService.removeGroupPermission(
+        note,
+        permissionGroup,
+      );
+      return await this.noteService.toNotePermissionsDto(returnedNote);
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException(
+          "Can't remove group from permissions. Group not known.",
+        );
+      }
+      throw e;
+    }
+  }
+
+  @UseInterceptors(GetNoteInterceptor)
+  @Permissions(Permission.OWNER)
+  @UseGuards(TokenAuthGuard, PermissionsGuard)
+  @Put(':noteIdOrAlias/metadata/permissions/owner')
+  @OpenApi(
+    {
+      code: 200,
+      description: 'Changes the owner of the note',
+      dto: NoteDto,
+    },
+    403,
+    404,
+  )
+  async changeOwner(
+    @RequestUser() user: User,
+    @RequestNote() note: Note,
+    @Body() newOwner: string,
+  ): Promise<NoteDto> {
+    try {
+      const owner = await this.userService.getUserByUsername(newOwner);
+      return await this.noteService.toNoteDto(
+        await this.noteService.changeOwner(note, owner),
+      );
+    } catch (e) {
+      if (e instanceof NotInDBError) {
+        throw new BadRequestException("Can't set new owner. User not known.");
+      }
+      throw e;
+    }
+  }
+
  @UseInterceptors(GetNoteInterceptor)
  @Permissions(Permission.READ)
  @Get(':noteIdOrAlias/revisions')