manage user permissions

fastenhealth · Oct 6, 2024 · 8229977 · 8229977
1 parent 8d28b50
commit 8229977
Show file tree

Hide file tree

Showing 19 changed files with 471 additions and 47 deletions.
diff --git a/backend/pkg/constants.go b/backend/pkg/constants.go
@@ -10,6 +10,7 @@ type DatabaseRepositoryType string
 type InstallationVerificationStatus string
 type InstallationQuotaStatus string
 type UserRole string
+type Permission string
 
 const (
  ResourceListPageSize int = 20
@@ -54,4 +55,7 @@ const (
 
  UserRoleUser UserRole = "user"
  UserRoleAdmin UserRole = "admin"
+
+ PermissionManageSources Permission = "manage_sources"
+ PermissionRead Permission = "read"
 )
diff --git a/backend/pkg/database/gorm_common.go b/backend/pkg/database/gorm_common.go
@@ -192,6 +192,110 @@ func (gr *GormRepository) GetUsers(ctx context.Context) ([]models.User, error) {
  return sanitizedUsers, result.Error
 }
 
+func (gr *GormRepository) GetUser(ctx context.Context, userID uuid.UUID) (*models.User, error) {
+ var dbUser models.User
+ var user models.User
+ result := gr.GormClient.WithContext(ctx).First(&dbUser, userID)
+ if result.Error != nil {
+ return nil, result.Error
+ }
+
+ user.ID = dbUser.ID
+ user.FullName = dbUser.FullName
+ user.Email = dbUser.Email
+ user.Username = dbUser.Username
+ user.Role = dbUser.Role
+
+ // Populate ACLs for the user
+ var acls []models.UserPermission
+ if err := gr.GormClient.WithContext(ctx).
+ Where("user_id = ?", user.ID).
+ Find(&acls).Error; err != nil {
+ return nil, err
+ }
+ user.Permissions = make(map[string]map[string]bool)
+
+ for _, acl := range acls {
+ if _, exists := user.Permissions[acl.TargetUserID.String()]; !exists {
+ user.Permissions[acl.TargetUserID.String()] = make(map[string]bool)
+ }
+ user.Permissions[acl.TargetUserID.String()][string(acl.Permission)] = true
+ }
+
+ return &user, nil
+}
+
+func (gr *GormRepository) UpdateUserAndPermissions(ctx context.Context, user models.User) error {
+ // Lookup user from the db
+ var dbUser models.User
+ result := gr.GormClient.WithContext(ctx).First(&dbUser, user.ID)
+ if result.Error != nil {
+ return result.Error
+ }
+ // Update fields on User
+ updates := map[string]interface{}{
+ "full_name": user.FullName,
+ "username": user.Username,
+ "email": user.Email,
+ "role": user.Role,
+ }
+ result = gr.GormClient.WithContext(ctx).Model(dbUser).Updates(updates)
+ if result.Error != nil {
+ return result.Error
+ }
+ // Update User Permissions
+ var existingPermissions []models.UserPermission
+ if err := gr.GormClient.WithContext(ctx).
+ Where("user_id = ?", user.ID).
+ Find(&existingPermissions).Error; err != nil {
+ return err
+ }
+ for targetUserId, permissions := range user.Permissions {
+ for permission, value := range permissions {
+ if !value {
+ continue
+ }
+ // Check if the permission already exists
+ exists := false
+ for _, existingPermission := range existingPermissions {
+ if existingPermission.TargetUserID.String() == targetUserId && string(existingPermission.Permission) == permission {
+ exists = true
+ break
+ }
+ }
+ if !exists {
+ // Add new permission
+ p := models.UserPermission{
+ UserID: user.ID,
+ TargetUserID: uuid.Must(uuid.Parse(targetUserId)),
+ Permission: pkg.Permission(permission),
+ }
+ err := gr.GormClient.WithContext(ctx).Create(&p).Error
+ if err != nil {
+ return err
+ }
+ }
+ }
+ }
+
+ // Remove permissions that are no longer in user.Permissions
+ for _, existingPermission := range existingPermissions {
+ targetUserId := existingPermission.TargetUserID.String()
+ permission := string(existingPermission.Permission)
+
+ // Check if the permission still exists in the new user.Permissions
+ if _, exists := user.Permissions[targetUserId]; !exists || !user.Permissions[targetUserId][permission] {
+ // Permission no longer exists, so delete it
+ err := gr.GormClient.WithContext(ctx).Delete(&existingPermission).Error
+ if err != nil {
+ return err
+ }
+ }
+ }
+
+ return nil
+}
+
 //</editor-fold>
 
 ////////////////////////////////////////////////////////////////////////////////////////////////////////////////////

diff --git a/backend/pkg/database/gorm_repository_migrations.go b/backend/pkg/database/gorm_repository_migrations.go
@@ -11,6 +11,7 @@ import (
  _20240114103850 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240114103850"
  _20240208112210 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240208112210"
  _20240813222836 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240813222836"
+ _20240827214347 "github.com/fastenhealth/fasten-onprem/backend/pkg/database/migrations/20240827214347"
  "github.com/fastenhealth/fasten-onprem/backend/pkg/models"
  databaseModel "github.com/fastenhealth/fasten-onprem/backend/pkg/models/database"
  sourceCatalog "github.com/fastenhealth/fasten-sources/catalog"
@@ -225,6 +226,20 @@ func (gr *GormRepository) Migrate() error {
  return nil
  },
  },
+ {
+ ID: "20240827214347", // add UserPermission model
+ Migrate: func(tx *gorm.DB) error {
+
+ err := tx.AutoMigrate(
+ &_20240827214347.UserPermission{},
+ )
+ if err != nil {
+ return err
+ }
+
+ return nil
+ },
+ },
  })
 
  // run when database is empty

diff --git a/backend/pkg/database/interface.go b/backend/pkg/database/interface.go
@@ -20,6 +20,8 @@ type DatabaseRepository interface {
  GetCurrentUser(ctx context.Context) (*models.User, error)
  DeleteCurrentUser(ctx context.Context) error
  GetUsers(ctx context.Context) ([]models.User, error)
+ GetUser(ctx context.Context, userId uuid.UUID) (*models.User, error)
+ UpdateUserAndPermissions(ctx context.Context, user models.User) error
 
  GetSummary(ctx context.Context) (*models.Summary, error)
 

diff --git a/backend/pkg/database/migrations/20240827214347/user_permission.go b/backend/pkg/database/migrations/20240827214347/user_permission.go
@@ -0,0 +1,20 @@
+package _20240827214347
+
+import (
+ "github.com/fastenhealth/fasten-onprem/backend/pkg/models"
+ "github.com/google/uuid"
+)
+
+type Permission string
+
+const (
+ PermissionManageSources Permission = "manage_sources"
+ PermissionRead Permission = "read"
+)
+
+type UserPermission struct {
+ models.ModelBase
+ UserID uuid.UUID `json:"user_id" gorm:"type:uuid"`
+ TargetUserID uuid.UUID `json:"target_user_id" gorm:"type:uuid"`
+ Permission Permission `json:"permission"`
+}
diff --git a/backend/pkg/database/mock/mock_database.go b/backend/pkg/database/mock/mock_database.go
diff --git a/backend/pkg/models/user.go b/backend/pkg/models/user.go
@@ -4,21 +4,19 @@ import (
  "fmt"
  "strings"
 
- "golang.org/x/crypto/bcrypt"
-
  "github.com/fastenhealth/fasten-onprem/backend/pkg"
+ "golang.org/x/crypto/bcrypt"
 )
 
 type User struct {
  ModelBase
- FullName string `json:"full_name"`
- Username string `json:"username" gorm:"unique"`
- Password string `json:"password"`
-
- //additional optional metadata that Fasten stores with users
- Picture string `json:"picture"`
- Email string `json:"email"`
- Role pkg.UserRole `json:"role"`
+ FullName string `json:"full_name"`
+ Username string `json:"username" gorm:"unique"`
+ Password string `json:"password"`
+ Picture string `json:"picture"`
+ Email string `json:"email"`
+ Role pkg.UserRole `json:"role"`
+ Permissions map[string]map[string]bool `json:"permissions" gorm:"-:all"`
 }
 
 func (user *User) HashPassword(password string) error {

diff --git a/backend/pkg/models/user_permission.go b/backend/pkg/models/user_permission.go
@@ -0,0 +1,13 @@
+package models
+
+import (
+ "github.com/fastenhealth/fasten-onprem/backend/pkg"
+ "github.com/google/uuid"
+)
+
+type UserPermission struct {
+ ModelBase
+ UserID uuid.UUID `json:"user_id" gorm:"type:uuid"`
+ TargetUserID uuid.UUID `json:"target_user_id" gorm:"type:uuid"`
+ Permission pkg.Permission `json:"permission"`
+}
diff --git a/backend/pkg/web/handler/users.go b/backend/pkg/web/handler/users.go
@@ -8,6 +8,7 @@ import (
  "github.com/fastenhealth/fasten-onprem/backend/pkg/database"
  "github.com/fastenhealth/fasten-onprem/backend/pkg/models"
  "github.com/gin-gonic/gin"
+ "github.com/google/uuid"
  "gorm.io/gorm"
 )
 
@@ -54,3 +55,43 @@ func CreateUser(c *gin.Context) {
 
  c.JSON(http.StatusOK, gin.H{"success": true, "data": newUser})
 }
+
+func GetUser(c *gin.Context) {
+ if !IsAdmin(c) {
+ c.JSON(http.StatusUnauthorized, gin.H{"success": false, "error": "Unauthorized"})
+ return
+ }
+
+ databaseRepo := c.MustGet(pkg.ContextKeyTypeDatabase).(database.DatabaseRepository)
+
+ user, err := databaseRepo.GetUser(c, uuid.MustParse(c.Param("userId")))
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"success": false, "error": err.Error()})
+ return
+ }
+
+ c.JSON(200, gin.H{"success": true, "data": user})
+}
+
+func UpdateUser(c *gin.Context) {
+ if !IsAdmin(c) {
+ c.JSON(http.StatusUnauthorized, gin.H{"success": false, "error": "Unauthorized"})
+ return
+ }
+
+ databaseRepo := c.MustGet(pkg.ContextKeyTypeDatabase).(database.DatabaseRepository)
+
+ var user models.User
+ if err := c.ShouldBindJSON(&user); err != nil {
+ c.JSON(http.StatusBadRequest, gin.H{"success": false, "error": err.Error()})
+ return
+ }
+
+ err := databaseRepo.UpdateUserAndPermissions(c, user)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{"success": false, "error": err.Error()})
+ return
+ }
+
+ c.JSON(200, gin.H{"success": true, "data": user})
+}
diff --git a/backend/pkg/web/server.go b/backend/pkg/web/server.go
@@ -128,6 +128,8 @@ func (ae *AppEngine) Setup() (*gin.RouterGroup, *gin.Engine) {
 
  secure.GET("/users", handler.GetUsers)
  secure.POST("/users", handler.CreateUser)
+ secure.GET("/users/:userId", handler.GetUser)
+ secure.POST("/users/:userId", handler.UpdateUser)
 
  //server-side-events handler (only supported on mac/linux)
  // TODO: causes deadlock on Windows

diff --git a/frontend/src/app/app-routing.module.ts b/frontend/src/app/app-routing.module.ts
@@ -21,6 +21,7 @@ import { ResourceCreatorComponent } from './pages/resource-creator/resource-crea
 import { ResourceDetailComponent } from './pages/resource-detail/resource-detail.component';
 import { SourceDetailComponent } from './pages/source-detail/source-detail.component';
 import { UserCreateComponent } from './pages/user-create/user-create.component';
+import { UserEditComponent } from "./pages/user-edit/user-edit.component";
 import { UserListComponent } from './pages/user-list/user-list.component';
 
 const routes: Routes = [
@@ -55,6 +56,7 @@ const routes: Routes = [
 
  { path: 'users', component: UserListComponent, canActivate: [ IsAuthenticatedAuthGuard, IsAdminAuthGuard ] },
  { path: 'users/new', component: UserCreateComponent, canActivate: [ IsAuthenticatedAuthGuard, IsAdminAuthGuard ] },
+ { path: 'users/:user_id', component: UserEditComponent, canActivate: [ IsAuthenticatedAuthGuard, IsAdminAuthGuard ] },
 
  // { path: 'general-pages', loadChildren: () => import('./general-pages/general-pages.module').then(m => m.GeneralPagesModule) },
  // { path: 'ui-elements', loadChildren: () => import('./ui-elements/ui-elements.module').then(m => m.UiElementsModule) },

diff --git a/frontend/src/app/models/fasten/user.ts b/frontend/src/app/models/fasten/user.ts
@@ -1,8 +1,18 @@
+export const POSSIBLE_PERMISSIONS = [
+ { name: 'Manage Sources', value: 'manage_sources' },
+ { name: 'Read', value: 'read' },
+]
+
 export class User {
- user_id?: number
+ id?: string
  full_name?: string
  username?: string
  email?: string
  password?: string
  role?: string
+ permissions?: {
+ [targetUserId: string]: {
+ [key in typeof POSSIBLE_PERMISSIONS[number]['value']]: boolean;
+ }
+ }
 }