Through models (#13)

internal/allowed/assignment_candidate/assignment_candidate.go

@@ -1,18 +1,83 @@
 package assignment_candidate
 
-import "github.com/OpenSlides/openslides-permission-service/internal/allowed"
+import (
+	"github.com/OpenSlides/openslides-permission-service/internal/allowed"
+	"github.com/OpenSlides/openslides-permission-service/internal/definitions"
+)
 
-// TODO: through model...
-// TODO: assignments.can_nominate_self and assignments.can_nominate_other
-var Create = allowed.BuildCreate([]string{
+var selfCreate = allowed.BuildCreateThroughId([]string{
 	"assignment_id",
 	"user_id",
-}, "assignments.can_manage")
+}, "assignment", "assignment_id", "assignments.can_nominate_self")
+var otherCreate = allowed.BuildCreateThroughId([]string{
+	"assignment_id",
+	"user_id",
+}, "assignment", "assignment_id", "assignments.can_nominate_other")
+
+func Create(params *allowed.IsAllowedParams) (map[string]interface{}, error) {
+	userID, err := allowed.GetId(params.Data, "user_id")
+	if err != nil {
+		return nil, err
+	}
+
+	if userID == params.UserID {
+		return selfCreate(params)
+	} else {
+		return otherCreate(params)
+	}
+}
+
+var Sort = allowed.BuildModifyThroughId([]string{
+	"assignment_id",
+	"candidate_ids",
+}, "assignment_candidate", "assignment", "assignment_id", "assignments.can_manage")
+
+func Delete(params *allowed.IsAllowedParams) (map[string]interface{}, error) {
+	if err := allowed.ValidateFields(params.Data, allowed.MakeSet([]string{"id"})); err != nil {
+		return nil, err
+	}
+
+	isAllowed, err := allowed.CheckUser(params)
+	if err != nil {
+		return nil, err
+	}
+	if isAllowed {
+		return nil, nil
+	}
+
+	id, err := allowed.GetId(params.Data, "id")
+	if err != nil {
+		return nil, err
+	}
+	fqid := definitions.FqidFromCollectionAndId("assignment_candidate", id)
+	exists, err := allowed.DoesModelExists(fqid, params.DataProvider)
+	if err != nil {
+		return nil, err
+	}
+	if !exists {
+		return nil, allowed.NotAllowedf("The assignment_candidate with id %d does not exist", id)
+	}
+	userFqfield := definitions.FqfieldFromFqidAndField(fqid, "user_id")
+	assignmentCandidateUserID, err := params.DataProvider.GetInt(userFqfield)
+	if err != nil {
+		return nil, err
+	}
+
+	meetingID, err := allowed.GetMeetingIDFromModel(fqid, params.DataProvider)
+	if err != nil {
+		return nil, err
+	}
 
-// TODO: through model...
-// needs assignments.can_manage from the meeting of the assignment
-var Sort = allowed.BuildModify([]string{"assignment_id",
-	"candidate_ids"}, "assignment", "assignments.can_manage")
+	var permission string
+	if assignmentCandidateUserID == params.UserID {
+		permission = "assignments.can_nominate_self"
+	} else {
+		permission = "assignments.can_nominate_other"
+	}
 
-// TODO: assignments.can_nominate_self and assignments.can_nominate_other
-var Delete = allowed.BuildModify([]string{"id"}, "assignment", "assignments.can_manage")
+	err = allowed.CheckCommitteeMeetingPermissions(params, meetingID, permission)
+	if err != nil {
+		return nil, err
+	}
+	return nil, nil
+}

internal/allowed/assignment_candidate/assignment_candidate_test.go

@@ -0,0 +1,134 @@
+package assignment_candidate_test
+
+import (
+	"context"
+	"testing"
+
+	"github.com/OpenSlides/openslides-permission-service/internal/allowed"
+	"github.com/OpenSlides/openslides-permission-service/internal/allowed/assignment_candidate"
+	"github.com/OpenSlides/openslides-permission-service/internal/definitions"
+	"github.com/OpenSlides/openslides-permission-service/internal/tests"
+)
+
+func TestCreate(t *testing.T) {
+	t.Run("ValidPermissionSelf", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment", 1)
+		data := definitions.FqfieldData{
+			"assignment_id": []byte("1"),
+			"user_id":       []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_self")
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsAllowed(t, assignment_candidate.Create, params)
+	})
+	t.Run("ValidPermissionOther", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment", 1)
+		data := definitions.FqfieldData{
+			"assignment_id": []byte("1"),
+			"user_id":       []byte("2"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_other")
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsAllowed(t, assignment_candidate.Create, params)
+	})
+	t.Run("InvalidPermissionSelf", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment", 1)
+		data := definitions.FqfieldData{
+			"assignment_id": []byte("1"),
+			"user_id":       []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_other") // the wrong permission
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsNotAllowed(t, assignment_candidate.Create, params)
+	})
+	t.Run("InvalidPermissionOther", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment", 1)
+		data := definitions.FqfieldData{
+			"assignment_id": []byte("1"),
+			"user_id":       []byte("2"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_self") // the wrong permission
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsNotAllowed(t, assignment_candidate.Create, params)
+	})
+	t.Run("NoUserId", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment", 1)
+		data := definitions.FqfieldData{
+			"assignment_id": []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_self")
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_other")
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsNotAllowed(t, assignment_candidate.Create, params)
+	})
+}
+
+func TestDelete(t *testing.T) {
+	t.Run("ValidPermissionSelf", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment_candidate", 1)
+		dp.Set("assignment_candidate/1/user_id", "1")
+		data := definitions.FqfieldData{
+			"id": []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_self")
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsAllowed(t, assignment_candidate.Delete, params)
+	})
+	t.Run("ValidPermissionOther", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment_candidate", 1)
+		dp.Set("assignment_candidate/1/user_id", "2")
+		data := definitions.FqfieldData{
+			"id": []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_other")
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsAllowed(t, assignment_candidate.Delete, params)
+	})
+	t.Run("InvalidPermissionSelf", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment_candidate", 1)
+		dp.Set("assignment_candidate/1/user_id", "1")
+		data := definitions.FqfieldData{
+			"id": []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_other") // wrong permission
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsNotAllowed(t, assignment_candidate.Delete, params)
+	})
+	t.Run("InvalidPermissionOther", func(t *testing.T) {
+		dp := tests.NewTestDataProvider(context.Background())
+		dp.AddBasicModel("assignment_candidate", 1)
+		dp.Set("assignment_candidate/1/user_id", "2")
+		data := definitions.FqfieldData{
+			"id": []byte("1"),
+		}
+		dp.AddUserToMeeting(1, 1)
+		dp.AddPermissionToGroup(1, "assignments.can_nominate_self") // wrong permission
+		params := &allowed.IsAllowedParams{UserID: 1, Data: data, DataProvider: dp.GetDataprovider()}
+
+		allowed.AssertIsNotAllowed(t, assignment_candidate.Delete, params)
+	})
+}

internal/allowed/group/group_test.go

@@ -63,7 +63,7 @@ func TestCreate(t *testing.T) {
 func TestSetPermission(t *testing.T) {
 	t.Run("ValidPermission", func(t *testing.T) {
 		dp := tests.NewTestDataProvider(context.Background())
-		allowed.AddBasicModel("group", dp)
+		dp.AddBasicModel("group", 1)
 		data := definitions.FqfieldData{
 			"id":         []byte("1"),
 			"permission": []byte(`"motions.can_manage"`),
@@ -76,7 +76,7 @@ func TestSetPermission(t *testing.T) {
 	})
 	t.Run("EmptyPermission", func(t *testing.T) {
 		dp := tests.NewTestDataProvider(context.Background())
-		allowed.AddBasicModel("group", dp)
+		dp.AddBasicModel("group", 1)
 		data := definitions.FqfieldData{
 			"id": []byte("1"),
 		}
@@ -88,7 +88,7 @@ func TestSetPermission(t *testing.T) {
 	})
 	t.Run("InvalidPermission", func(t *testing.T) {
 		dp := tests.NewTestDataProvider(context.Background())
-		allowed.AddBasicModel("group", dp)
+		dp.AddBasicModel("group", 1)
 		data := definitions.FqfieldData{
 			"id":         []byte("1"),
 			"permission": []byte("agenda.not_valid"),
@@ -101,7 +101,7 @@ func TestSetPermission(t *testing.T) {
 	})
 	t.Run("InvalidJson", func(t *testing.T) {
 		dp := tests.NewTestDataProvider(context.Background())
-		allowed.AddBasicModel("group", dp)
+		dp.AddBasicModel("group", 1)
 		data := definitions.FqfieldData{
 			"id":          []byte("1"),
 			"permissions": []byte(`{"key": 123}`),

internal/allowed/helpers.go

@@ -40,19 +40,15 @@ func DoesUserExists(userID int, dp dataprovider.DataProvider) (bool, error) {
 		return true, nil
 	}
 
-	exists, err := DoesModelExists("user", userID, dp)
+	exists, err := DoesModelExists(definitions.FqidFromCollectionAndId("user", userID), dp)
 	if err != nil {
 		err = fmt.Errorf("DoesUserExists: %w", err)
 	}
 	return exists, err
 }
 
-func DoesModelExists(collection string, id int, dp dataprovider.DataProvider) (bool, error) {
-	if id <= 0 {
-		return false, nil
-	}
-
-	fqfield := collection + "/" + strconv.Itoa(id) + "/id"
+func DoesModelExists(fqid definitions.Fqid, dp dataprovider.DataProvider) (bool, error) {
+	fqfield := definitions.FqfieldFromFqidAndField(fqid, "id")
 	exists, err := dp.Exists(fqfield)
 	if err != nil {
 		err = fmt.Errorf("DoesModelExists: %w", err)
@@ -224,20 +220,36 @@ func (p *Permissions) HasAllPerms(permissions ...string) (bool, string) {
 }
 
 // GetInt does ...
-func GetInt(data definitions.FqfieldData, property definitions.Field) (int, error) {
+func GetId(data definitions.FqfieldData, property definitions.Field) (definitions.Id, error) {
 	if val, ok := data[property]; ok {
 		var value int
-		err := json.Unmarshal([]byte(val), &value)
-
-		if nil != err {
+		if err := json.Unmarshal([]byte(val), &value); nil != err {
 			return 0, NotAllowedf("'%s' is not an int", property)
 		}
+		if err := definitions.IsValidId(value); err != nil {
+			return 0, NotAllowed(err.Error())
+		}
 		return value, nil
 	}
 
 	return 0, NotAllowedf("'%s' is not in data", property)
 }
 
+func GetFqid(data definitions.FqfieldData, property definitions.Field) (definitions.Fqid, error) {
+	if val, ok := data[property]; ok {
+		var value string
+		if err := json.Unmarshal([]byte(val), &value); nil != err {
+			return "", NotAllowedf("'%s' is not a string", property)
+		}
+		if err := definitions.IsValidFqid(value); err != nil {
+			return "", NotAllowed(err.Error())
+		}
+		return value, nil
+	}
+
+	return "", NotAllowedf("'%s' is not in data", property)
+}
+
 // GetMeetingIDFromModel does ...
 func GetMeetingIDFromModel(FQID definitions.Fqid, dp dataprovider.DataProvider) (int, error) {
 	id, err := dp.GetInt(FQID + "/meeting_id")