permission based on id, user_id, role and others

LibreCat · Nov 6, 2017 · 4b4adb1 · 4b4adb1
1 parent 804aa9e
commit 4b4adb1
Show file tree

Hide file tree

Showing 3 changed files with 93 additions and 25 deletions.
diff --git a/lib/LibreCat/App/Catalogue/Controller/Permission.pm b/lib/LibreCat/App/Catalogue/Controller/Permission.pm
@@ -4,19 +4,37 @@ use Catmandu::Sane;
 use Catmandu;
 use Catmandu::Util qw(:is);
 use LibreCat::App::Helper;
-use Dancer qw(:syntax);
 use Carp;
 use Exporter qw/import/;
 
 use Moo;
 
+=head2 can_edit( $self, $id, $opts )
+
+=over 4
+
+=item id
+
+Publication identifier
+
+=item opts
+
+Hash reference containing "user_id" and "role". Both must be a string
+
+=back
+
+=cut
 sub can_edit {
-    my ( $self, $pub, %opts ) = @_;
+    my ( $self, $id, $opts ) = @_;
+
+    is_string( $id ) or return;
+    is_hash_ref( $opts ) or return;
 
-    my $user = delete $opts{user};
-    my $role = delete $opts{role};
+    my $user_id     = $opts->{user_id};
+    my $role        = $opts->{role};
 
-    return 0 unless defined( $user ) && defined( $pub );
+    my $pub = h->main_publication->get( $id ) or return;
+    my $user = h->get_person( $user_id ) or return;
 
     #no restrictions for super_admin
     return 1 if $role eq "super_admin";
@@ -97,24 +115,78 @@ sub can_edit {
     #cannot edit
     return 0;
 }
+=head2 can_delete( $self, $id, $opts )
+
+=over 4
+
+=item id
+
+Publication identifier
+
+=item opts
+
+Hash reference containing "user_id" and "role". Both must be a string
+
+=back
+
+=cut
 
 sub can_delete {
-    my ($self, $pub, %opts) = @_;
-    return is_string( $opts{role} ) && $opts{role} eq "super_admin" ? 1 : 0;
+    my ($self, $id, $opts) = @_;
+    return is_hash_ref($opts) && is_string( $opts->{role} ) && $opts->{role} eq "super_admin" ? 1 : 0;
 }
+=head2 can_delete_file( $self, $id, $opts )
+
+=over 4
+
+=item id
+
+Publication identifier
+
+=item opts
+
+Hash reference containing "user_id" and "role". Both must be a string
+
+=back
+
+=cut
 
 sub can_delete_file {
-    my ($self, $pub, %opts) = @_;
+    my ($self, $id, $opts) = @_;
     return 0;
 }
+=head2 can_download( $self, $id, $opts )
+
+=over 4
+
+=item id
 
+Publication identifier
+
+=item opts
+
+Hash reference containing:
+
+    * user_id (string)
+    * role (string)
+    * file_id (string)
+    * ip (string)
+
+=back
+
+=cut
 sub can_download {
-    my ( $self, $pub, %opts ) = @_;
+    my ( $self, $id, $opts ) = @_;
+
+    is_string( $id ) or return (0,"");
+    is_hash_ref( $opts ) or return (0,"");
+
+    my $pub = h->main_publication->get( $id ) or return (0,"");
 
-    my $file_id = delete $opts{file_id};
-    my $user    = delete $opts{user};
-    my $role    = delete $opts{role};
-    my $ip      = delete $opts{ip};
+    my $file_id = $opts->{file_id};
+    my $user_id = $opts->{user_id};
+    my $role    = $opts->{role};
+    my $ip      = $opts->{ip};
 
     my $ip_range = h->config->{ip_range};
     my $access;
@@ -146,7 +218,7 @@ sub can_download {
         # closed documents can be downloaded by user
         #if and only if the user can edit the record
         return (
-            $self->can_edit( $pub, user => $user, role =>  $role ),
+            $self->can_edit( $id,{ user_id => $user_id, role =>  $role }),
             $file_name
         );
     }

diff --git a/lib/LibreCat/App/Catalogue/Route/publication.pm b/lib/LibreCat/App/Catalogue/Route/publication.pm
@@ -115,10 +115,9 @@ Checks if the user has permission the see/edit this record.
     get '/edit/:id' => sub {
 
         my $rec = h->main_publication->get( param("id") ) or pass;
-        my $user = h->get_person(session->{user_id});
 
         unless (
-            p->can_edit( $rec, user => $user, role => session->{role} )
+            p->can_edit( $rec->{_id},{ user_id => session("user_id"), role => session("role") })
         ) {
             access_denied_hook();
             status '403';
@@ -157,11 +156,10 @@ Checks if the user has the rights to update this record.
         h->log->debug("Params:" . to_dumper($p));
 
         my $rec = h->main_publication->get( $p->{_id} ) or pass;
-        my $user = h->get_person(session->{user_id});
 
         unless (
             $p->{new_record} or
-            p->can_edit($rec, user => $user, role => session->{role} )
+            p->can_edit( $rec->{_id},{ user_id => session("user_id"), role => session("role") })
         ) {
             access_denied_hook();
             status '403';
@@ -182,7 +180,7 @@ Checks if the user has the rights to update this record.
             $p->{status} = 'returned';
         }
 
-        $p->{user_id} = session->{user_id};
+        $p->{user_id} = session("user_id");
 
         # Use config/hooks.yml to register functions
         # that should run before/after updating publications
@@ -207,17 +205,16 @@ Checks if the user has the rights to edit this record.
     get '/return/:id' => sub {
 
         my $rec = h->main_publication->get( param("id") ) or pass;
-        my $user = h->get_person(session->{user_id});
 
         unless (
-            p->can_edit( $rec, user => $user, role => session->{role} )
+            p->can_edit( $rec->{_id},{ user_id => session("user_id"), role => session("role") })
         ) {
             access_denied_hook();
             status '403';
             forward '/access_denied';
         }
 
-        $rec->{user_id} = session->{user_id};
+        $rec->{user_id} = session("user_id");
 
         # Use config/hooks.yml to register functions
         # that should run before/after returning publications
@@ -339,10 +336,9 @@ Publishes private records, returns to the list.
     get '/publish/:id' => sub {
 
         my $rec = h->main_publication->get( param("id") ) or pass;
-        my $user = h->get_person(session->{user_id});
 
         unless (
-            p->can_edit( $rec, user => $user , role => session->{role} )
+            p->can_edit( $rec->{_id},{ user_id => session("user_id") , role => session("role") })
         ) {
             access_denied_hook();
             status '403';

diff --git a/views/publication/record.tt b/views/publication/record.tt
@@ -257,7 +257,7 @@
         <div class="hidden-sm hidden-md hidden-lg"><hr></div>
 
         <!-- Edit -->
-        [% IF session.user AND session.role AND p.can_edit(_id, session.user, session.role) %]
+        [% IF p.can_edit( _id, user_id = session.user_id, role = session.role ) %]
         <h3 id="edit">[% h.loc("frontdoor.editing_options") %]</h3>
         <a href="[% uri_base %]/librecat/record/edit/[% _id %]"><span class="fa fa-edit"></span> &nbsp;Edit this record</a><br />
         [% IF status != "public" AND _id AND (!type.match("^bi") OR session.role == "super_admin") AND (type != "research_data" OR session.role == "super_admin") %]