From 646a4fbde7f1c536679fa46b87f67c20b4303116 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=20Preu=C3=9Fer?= Date: Wed, 19 Jul 2023 22:19:46 +0200 Subject: [PATCH] added permissions to userDocument --- index.js | 8 +++- src/controllers/userDocument.controller.js | 15 ++++-- src/controllers/userPermission.controller.js | 48 ++++++++++++++++++++ src/controllers/userYear.controller.js | 29 +++++++++--- src/models/userPermission.model.js | 21 +++++++++ src/routes/userPermission.route.js | 11 +++++ 6 files changed, 120 insertions(+), 12 deletions(-) create mode 100644 src/controllers/userPermission.controller.js create mode 100644 src/models/userPermission.model.js create mode 100644 src/routes/userPermission.route.js diff --git a/index.js b/index.js index 94bd8c9..d266d91 100644 --- a/index.js +++ b/index.js @@ -60,6 +60,7 @@ import userRouter from './src/routes/user.route.js' import userCriminalRecordRouter from './src/routes/userCriminalRecord.route.js' import userMotivation from './src/routes/userMotivation.route.js' import userDocumentRouter from './src/routes/userDocument.route.js' +import userPermissionRouter from './src/routes/userPermission.route.js' import userYearRouter from './src/routes/userYear.route.js' import userModel from './src/models/user.model.js'; @@ -69,6 +70,7 @@ import responsibilityModel from './src/models/responsibility.model.js'; import supporterYearModel from './src/models/supporterYear.model.js'; import supporterDayModel from './src/models/supporterDay.model.js'; import userDocumentModel from './src/models/userDocument.model.js'; +import userPermissionModel from './src/models/userPermission.model.js'; app.use('/avatar', avatarRouter); app.use('/event', eventRouter); 
@@ -82,6 +84,7 @@ app.use('/supporterYear', supporterYearRouter); app.use('/userCriminalRecord', userCriminalRecordRouter); app.use('/userMotivation', userMotivation); app.use('/userDocument', userDocumentRouter); +app.use('/userPermission', userPermissionRouter); app.use('/userYear', userYearRouter); // set port, listen for requests @@ -103,4 +106,7 @@ supporterYearModel.hasMany(supporterDayModel, {foreignKey: 'uuid'}) supporterDayModel.hasOne(supporterYearModel, {foreignKey: 'uuid'}) userModel.hasOne(userDocumentModel, {foreignKey: 'uuid'}) -userDocumentModel.hasOne(userModel, {foreignKey: 'uuid'}) \ No newline at end of file +userDocumentModel.hasOne(userModel, {foreignKey: 'uuid'}) + +userModel.hasMany(userPermissionModel, {foreignKey: 'uuid'}) +userPermissionModel.hasOne(userModel, {foreignKey: 'uuid'}) \ No newline at end of file diff --git a/src/controllers/userDocument.controller.js b/src/controllers/userDocument.controller.js index 1f861de..7007bd3 100644 --- a/src/controllers/userDocument.controller.js +++ b/src/controllers/userDocument.controller.js @@ -1,10 +1,13 @@ import userDocumentModel from '../models/userDocument.model.js' import settingModel from '../models/setting.model.js' +import userPermissionModel from '../models/userPermission.model.js' export async function findAll(req, res) { + const executingUser = req.kauth.grant.access_token.content.sub const year = req.query.year || await settingModel.findByPk('currentYear') const isLT = req.kauth.grant.access_token.content.groups.includes(year + '_LT') - if (!isLT) { + const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'userDocument'}})).allowed + if (!allowed) { res.status(403).send() return; } 
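Review bot: `userPermissionModel.hasOne(userModel, {foreignKey: 'uuid'})` declares the association in the wrong direction: Sequelize's `hasOne` places the foreign key on the target, i.e. it says `Users.uuid` refers to `UserPermission`, whereas the new model file defines `UserPermission.uuid` as a reference to `Users`. The reverse side of `userModel.hasMany(userPermissionModel, ...)` should be `userPermissionModel.belongsTo(userModel, {foreignKey: 'uuid'})`. It copies the existing `userDocumentModel.hasOne(userModel, ...)` line, which presumably has the same problem and only works because both tables use `uuid` as their primary key; worth fixing together.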
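Review bot: `(await userPermissionModel.findOne({...})).allowed` on the new `allowed` line dereferences `null` whenever the caller has no `userDocument` row, so every non-LT user without an explicit grant triggers an unhandled rejection (with Express 4 the request hangs) instead of a 403. Split the lookup and guard it: `const grant = await userPermissionModel.findOne({where: {uuid: executingUser, permission: 'userDocument'}})` then `const allowed = isLT || grant?.allowed === true`. Two further things worth checking: the LT test is scoped to `year` while the permission row is not, so a grant applies to every year's documents; and the unchanged `year` line still uses the model instance without `.value`, unlike the fix this commit applies to userYear.controller, so `year + '_LT'` can only match when `?year=` is passed. findAll's body continues outside the hunk.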
@@ -21,10 +24,12 @@ export async function findOne(req, res) { res.status(400).send('bad request') return; } + const executingUser = req.kauth.grant.access_token.content.sub + const isSelf = executingUser === req.params.uuid const year = (await settingModel.findByPk('currentYear')).value const isLT = req.kauth.grant.access_token.content.groups.includes(year + '_LT') - const isSelf = req.kauth.grant.access_token.content.sub === req.params.uuid - if (!isLT && !isSelf) { + const allowed = isLT || isSelf || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'userDocument'}})).allowed + if (!allowed) { res.status(403).send() return; } @@ -37,9 +42,11 @@ export async function findOne(req, res) { } export async function createOrUpdate(req, res) { + const executingUser = req.kauth.grant.access_token.content.sub const year = (await settingModel.findByPk('currentYear')).value const isLT = req.kauth.grant.access_token.content.groups.includes(year + '_LT') - if (!isLT) { + const allowed = isLT || (await userPermissionModel.findOne({where: { uuid: executingUser, permission: 'userDocument'}})).allowed + if (!allowed) { res.status(403).send() return; } diff --git a/src/controllers/userPermission.controller.js b/src/controllers/userPermission.controller.js new file mode 100644 index 0000000..7573778 --- /dev/null +++ b/src/controllers/userPermission.controller.js 
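Review bot: The new `allowed` line in findOne has the same null dereference as findAll: `findOne(...)` returns `null` when no permission row exists and `.allowed` then throws, so a non-LT user requesting another user's document gets an unhandled rejection rather than a 403. Write it as `const grant = await userPermissionModel.findOne({where: {uuid: executingUser, permission: 'userDocument'}})` followed by `const allowed = isLT || isSelf || grant?.allowed === true`; the `||` chain still skips the database round trip for LT and self callers. The function body continues outside the hunk.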
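Review bot: A single `userDocument` row now grants write access in createOrUpdate as well as read access in findAll/findOne, so anyone delegated the right to view documents can also overwrite them. If read-only delegation is a realistic need, key this handler on a distinct name, e.g. `permission: 'userDocument:write'`, and document the split in a comment above the check. The lookup also needs the same null guard as the readers — `const grant = await ...` then `const allowed = isLT || grant?.allowed === true` — otherwise a non-LT caller without a row crashes the handler instead of receiving 403. The function body continues outside the hunk.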
@@ -0,0 +1,48 @@
+import userPermissionModel from '../models/userPermission.model.js'
+import settingModel from '../models/setting.model.js'
+
+export async function findAll(req, res) {
+ try {
+ const userPermission = await userPermissionModel.findAll({where: req.query})
+ res.status(200).send(userPermission)
+ } catch(e) {
+ res.status(400).send()
+ }
+}
+
+export async function findOne(req, res) {
+ if (!req.params || !req.params.uuid || !req.params.permission ) {
+ res.status(400).send('bad request')
+ return;
+ }
+ const userPermission = await userPermissionModel.findOne({where: {permission: req.params.permission, uuid: req.params.uuid}})
+ if (userPermission) {
+ res.status(200).send(userPermission)
+ } else {
+ res.status(404).send('not found')
+ }
+}
+
+export async function createOrUpdate(req, res) {
+ const year = (await settingModel.findByPk('currentYear')).value
+ const isLT = req.kauth.grant.access_token.content.groups.includes(year + '_LT')
+ if (!isLT) {
+ res.status(403).send()
+ return;
+ }
+ if (!req.params || !req.params.uuid || !req.params.permission ) {
+ res.status(400).send('bad request')
+ return;
+ }
+ const userPermission = await userPermissionModel.findOne({where: {permission: req.params.permission, uuid: req.params.uuid}})
+ if (userPermission) {
+ userPermissionModel.update(req.body);
+ res.status(200).send(userPermission)
+ } else {
+ var data = req.body
+ data.permission = req.params.permission
+ data.uuid = req.params.uuid
+ userPermissionModel.create(data)
+ res.status(200).send(userPermission)
+ }
+}
\ No newline at end of file
diff --git a/src/controllers/userYear.controller.js b/src/controllers/userYear.controller.js
index 9e98e82..1e5d3c9 100644
--- a/src/controllers/userYear.controller.js
+++ b/src/controllers/userYear.controller.js
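Review bot: `findAll` and `findOne` carry no authorization beyond `keycloak.protect()`, and `findAll` hands `req.query` straight to Sequelize as the `where` clause, so any authenticated user can enumerate every grant (`GET /userPermission?allowed=true` lists the uuids of all privileged users) and filter on whatever columns they like; both readers should apply the same `year + '_LT'` group check (or an `isSelf` check) that `createOrUpdate` and the other controllers use, and `findAll` should build its `where` only from the named fields `uuid`, `permission` and `allowed`. In `createOrUpdate`, `userPermissionModel.update(req.body)` has no `where` and is not awaited, so it either rejects after the 200 has already been sent or, had a `where` been supplied, would let the caller rewrite `uuid`/`permission` from the body; the create branch likewise discards the write's outcome and responds with the still-null `userPermission`. Accept only `allowed` from the body, await the write, and respond with the stored row; validating `req.params.permission` against the names the app actually checks (only `userDocument` is visible in this patch) would also stop typo'd grants. The rewrite below keeps the LT and params checks unchanged.
```javascript
export async function createOrUpdate(req, res) {
  // … unchanged: LT group check and req.params validation …
  const where = { permission: req.params.permission, uuid: req.params.uuid };
  const allowed = req.body?.allowed === true; // the only field a caller may set
  try {
    let userPermission = await userPermissionModel.findOne({ where });
    if (userPermission) {
      await userPermission.update({ allowed });
    } else {
      userPermission = await userPermissionModel.create({ ...where, allowed });
    }
    res.status(200).send(userPermission);
  } catch (e) {
    res.status(400).send();
  }
}
```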
@@ -4,12 +4,14 @@ import keycloak from '../config/keycloak.js'; import settingModel from "../models/setting.model.js"; import userModel from "../models/user.model.js"; import userDocumentModel from "../models/userDocument.model.js"; +import userPermissionModel from "../models/userPermission.model.js"; import { addToTeamMailinglist, sendMailToUser } from "./mail.controller.js"; export async function findAll(req, res) { - const year = req.query.year || await settingModel.findByPk('currentYear') + const year = req.query.year || (await settingModel.findByPk('currentYear')).value const isLT = req.kauth.grant.access_token.content.groups.includes(year + '_LT') - if (!isLT) { + const permissions = await userPermissionModel.findAll({where: {uuid: req.kauth.grant.access_token.content.sub}}) + if (!isLT && req.query.status !== '4') { res.status(403).send() return; } @@ -19,12 +21,25 @@ export async function findAll(req, res) { data['include'].push({ model: userModel }) + if (!isLT) { + let attributes = []; + for (const key in userModel.rawAttributes) { + if (userModel.rawAttributes[key]['public']) { + attributes.push(key) + } + }; + if (attributes.length > 0) { + data['include'][0]['attributes'] = attributes + } + } } - if (typeof req.query.documentBundle !== 'undefined') { - userYearModel.belongsTo(userDocumentModel, {foreignKey: 'uuid', targetKey: 'uuid'}) - data['include'].push({ - model: userDocumentModel - }) + if (isLT || permissions.find(permission => permission.permission === 'userDocument')?.allowed) { + if (typeof req.query.documentBundle !== 'undefined') { + userYearModel.belongsTo(userDocumentModel, {foreignKey: 'uuid', targetKey: 'uuid'}) + data['include'].push({ + model: userDocumentModel + }) + } } delete req.query.userBundle delete req.query.documentBundle diff --git a/src/models/userPermission.model.js b/src/models/userPermission.model.js new file mode 100644 index 0000000..7a7ab50 --- /dev/null +++ b/src/models/userPermission.model.js 
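Review bot: The new condition `if (!isLT && req.query.status !== '4')` opens findAll to every authenticated caller who passes `status=4`, where previously only the year's LT group could list entries, and the `permissions` fetched on the line above play no part in the decision. If status-4 entries are meant to be visible to all logged-in users, state that in a comment — `// non-LT callers may only list status-4 entries; user columns are cut down to public attributes below` — and make sure the rest of `req.query`, which the later `delete` lines suggest becomes the where clause, cannot be widened by other keys, since the check only compares `status` to the string '4'. If instead the permission rows were meant to extend access, the condition should consult them. The function continues outside the hunk.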
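Review bot: The attribute whitelist for non-LT callers fails open: the guard `if (attributes.length > 0)` means that when no `userModel` attribute carries a truthy `public` flag the include is left unrestricted and every user column is returned, which is exactly the case the branch exists to prevent. Assign `data['include'][0]['attributes'] = attributes` unconditionally (an empty array selects no columns) or return 403 when the list is empty. `public` is not a Sequelize attribute option, so this depends on a project convention in user.model.js, and `[0]` depends on the user include having been pushed first — both hold here but deserve a comment such as `// 'public' is our own flag on user.model.js attributes; the user include is always index 0`.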
@@ -0,0 +1,21 @@
+import { DataTypes } from 'sequelize';
+import sequelize from './db.model.js';
+
+export default sequelize.define('UserPermission', {
+ uuid: {
+ type: DataTypes.UUID,
+ primaryKey: true,
+ references: {
+ model: 'Users',
+ key: 'uuid'
+ }
+ },
+ permission: {
+ type: DataTypes.STRING,
+ primaryKey: true
+ },
+ allowed: {
+ type: DataTypes.BOOLEAN,
+ defaultValue: false
+ }
+});
\ No newline at end of file
diff --git a/src/routes/userPermission.route.js b/src/routes/userPermission.route.js
new file mode 100644
index 0000000..213776b
--- /dev/null
+++ b/src/routes/userPermission.route.js
@@ -0,0 +1,11 @@
+import { Router } from 'express';
+import keycloak from '../config/keycloak.js';
+import { findAll, findOne, createOrUpdate } from '../controllers/userPermission.controller.js'
+
+var router = new Router();
+
+ router.get('/', keycloak.protect(), findAll);
+ router.get('/:uuid/:permission', keycloak.protect(), findOne);
+ router.post('/:uuid/:permission', keycloak.protect(), createOrUpdate);
+
+export default router
\ No newline at end of file
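Review bot: `permission` is a free-form `STRING` with no validation, so the table accepts grant names the application never checks and a typo such as `userDocuments` silently produces a row that grants nothing; constrain it to the names the controllers consult, e.g. `permission: { type: DataTypes.STRING, primaryKey: true, validate: { isIn: [['userDocument']] } }`, extending the list as permissions are added. `allowed` defaulting to `false` gives deny-by-default, which is the right choice; adding `allowNull: false` next to it keeps a null from ever reaching the truthiness checks in the controllers.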
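Review bot: Nothing in this route table shows that the two GET handlers perform no role check at all while POST is LT-only in the controller; a reader has to open the controller to learn who may read grants. A short comment per route, such as `// GET: any authenticated user (authorization lives in the controller); POST: LT group only`, would make that visible and is a prompt to tighten it. As a style point, `var router = new Router();` should be `const router = Router();` — `Router` is a factory — and the three `router.*` lines are indented by one stray space.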