fix flash messages, write permission checks

7 years ago · 436ff0a617
parent fb6fb63a5a
commit 436ff0a617
5 changed files with 64 additions and 32 deletions
--- a/src/wanijo/framework/neo4j.clj
+++ b/src/wanijo/framework/neo4j.clj
@ -56,3 +56,8 @@
  (time-format/unparse
   (time-format/formatters :basic-date-time)
   (time-local/local-now)))
+
+(defn bool [value]
+  (if value
+    (.asBoolean value)
+    false))
--- a/src/wanijo/framework/view.clj
+++ b/src/wanijo/framework/view.clj
@ -16,12 +16,19 @@
  (hform/submit-button {:class "delete-btn"}
                       "☒ Delete!"))

+(defn flash-error [content]
+  [:section.flash--error
+   [:h2.flash__heading--error "Warning"]
+   content])
+
 (defn layout!
-  [& {:keys [content title session]
+  [& {:keys [content title session request]
      :or {content []
           title nil
-           session {}}}]
-  (let [ident (:ident session)
+           request {}
+           session nil}}]
+  (let [session (or session (:session request))
+        ident (:ident session)
        authed? (some? ident)
        devmode? (:devmode session)]
    (html5
@ -60,12 +67,9 @@
           [:ul
            (for [schema (:other-schemas session)]
              [:li (:name schema)])]])]
-       (into [:main] content)
-;;       [:aside (when authed? "aside")]
+       (into [:main
+              (for [msg (:flash request)]
+                (flash-error msg))]
+             content)
       [:footer
        [:small "Ilo pali e ijo"]]]])))
-
-(defn flash-error [content]
-  [:section.flash--error
-   [:h2.flash__heading--error "Warning"]
-   content])
--- a/src/wanijo/schema/domain.clj
+++ b/src/wanijo/schema/domain.clj
@ -85,9 +85,25 @@
   first
   :uuid))

-(defn can-user-modify? [schema-uuid user-uuid]
-  (let [creator (find-schema-creator! schema-uuid)]
-    (= creator user-uuid)))
+(neo4j/defquery
+  schema-permissions
+  "MATCH (s:schema {uuid:{schema_uuid}})
+   RETURN
+     EXISTS((:user {uuid:{user_uuid}})
+            -[:permission {type:{type}}]-
+            (s)) AS user_has_permission,
+     NOT EXISTS((:user)
+                -[:permission {type:{type}}]-
+                (s)) AS is_public")
+
+(defn has-user-write-permissions? [schema-uuid user-uuid]
+  (let [permissions (first (neo4j/exec-query! schema-permissions
+                                              {:schema_uuid schema-uuid
+                                               :user_uuid user-uuid
+                                               :type "write"}))
+        public? (neo4j/bool (:is_public permissions))
+        user? (neo4j/bool (:user_has_permission permissions))]
+    (or public? user?)))

 (neo4j/defquery
  delete
--- a/src/wanijo/schema/routes.clj
+++ b/src/wanijo/schema/routes.clj
@ -1,5 +1,5 @@
 (ns wanijo.schema.routes
-  (:require [compojure.core :refer [defroutes GET POST DELETE]]
+  (:require [compojure.core :refer [defroutes GET POST DELETE] :as comp]
            [ring.util.response :as resp]
            [formulare.core :as form]
            [wanijo.framework.view :as view]
@ -19,11 +19,8 @@
    (view-schema/overview! req)))

 (defn delete-schema! [uuid session]
-  (if (domain/can-user-modify? uuid (:uuid session))
-    (do
-      (domain/delete! uuid)
-      (resp/redirect (path :schema-overview)))
-    {:status 403}))
+  (domain/delete! uuid)
+  (resp/redirect (path :schema-overview)))

 (defn view! [uuid req]
  (view-schema/show-schema!
@ -65,7 +62,18 @@
        (resp/redirect (path :schema-show (:params req))))
      (view! uuid req))))

+(defn wrap-allowed-to-write [handler]
+  (fn [req]
+    (let [uuid (get-in req [:params :uuid])
+          user (get-in req [:session :uuid])]
+      (if (domain/has-user-write-permissions? uuid user)
+        (handler req)
+        (assoc
+         (resp/redirect (path :schema-show (:params req)))
+         :flash ["No write permission for schema"])))))
+
 (defroutes routes
+  (GET "/403" [] {:status 403 :body "NE"})
  (GET (register! :schema-overview "/schema")
       []
       view-schema/overview!)
@ -75,15 +83,14 @@
  (POST (register! :schema-new "/schema/new")
        []
        new!)
-  (POST (register! :schema-edit "/schema/edit")
-        []
-        edit!)
-  (POST (register! :schema-assign-users "/schema/assign/users")
-        []
-        assign-users!)
-  (POST (register! :schema-assign-schemas "/schema/assign/schemas")
-        []
-        assign-schemas!)
-  (DELETE (register! :schema-delete "/schema/:uuid")
-          [uuid :as req]
-          (delete-schema! uuid (:session req))))
+  (wrap-allowed-to-write
+   (comp/routes
+    (POST (register! :schema-edit "/schema/edit") []
+          edit!)
+    (POST (register! :schema-assign-users "/schema/assign/users") []
+          assign-users!)
+    (POST (register! :schema-assign-schemas "/schema/assign/schemas") []
+          assign-schemas!)
+    (DELETE (register! :schema-delete "/schema/:uuid")
+            [uuid :as req]
+            (delete-schema! uuid (:session req))))))
--- a/src/wanijo/schema/view.clj
+++ b/src/wanijo/schema/view.clj
@ -75,7 +75,7 @@

 (defn show-schema! [schema attrs assign-form conn-form req]
  (view/layout!
-   :session (:session req)
+   :request req
   :content
   [[:h1 "Schema "
     [:span.schema-title__name (:name schema)]]