|
102 | 102 | (assert-valid-member-role! nil)
|
103 | 103 | (assert-valid-member-role! 1))
|
104 | 104 |
|
| 105 | +(defn has-at-least-role? [least-privilege-role user-role] |
| 106 | + (assert (contains? member-roles least-privilege-role) "Expected valid least-privilege-role") |
| 107 | + (and user-role |
| 108 | + (contains? member-roles user-role) |
| 109 | + (<= (ucoll/index-of least-privilege-role member-role-hierarchy) |
| 110 | + (ucoll/index-of user-role member-role-hierarchy)))) |
| 111 | + |
105 | 112 | (defn assert-least-privilege! [least-privilege-role user-role]
|
106 | 113 | (assert (contains? member-roles least-privilege-role) "Expected valid least-privilege-role")
|
107 | 114 | (ex/assert-valid!
|
108 | 115 | :user-role
|
109 | 116 | user-role
|
110 |
| - (when-not |
111 |
| - (and user-role |
112 |
| - (contains? member-roles user-role)) |
113 |
| - [{:message "This is not a valid role" |
114 |
| - :expected member-roles}])) |
| 117 | + (or (when-not user-role |
| 118 | + [{:message (format "User is missing role %s." |
| 119 | + (name least-privilege-role))}]) |
| 120 | + (when-not (contains? member-roles user-role) |
| 121 | + [{:message "This is not a valid role" |
| 122 | + :expected member-roles}]))) |
115 | 123 | (ex/assert-permitted! :allowed-member-role? user-role
|
116 |
| - (<= (ucoll/index-of least-privilege-role member-role-hierarchy) |
117 |
| - (ucoll/index-of user-role member-role-hierarchy)))) |
| 124 | + (has-at-least-role? least-privilege-role user-role))) |
118 | 125 |
|
119 |
| -(defn get-member-role [app-id user-id] |
120 |
| - (keyword (:member_role (instant-app-members/get-by-app-and-user {:app-id app-id :user-id user-id})))) |
| 126 | +(defn get-app-member-role [app user-id] |
| 127 | + (keyword (:member_role (instant-app-members/get-by-app-and-user {:app-id (:id app) |
| 128 | + :user-id user-id})))) |
| 129 | + |
| 130 | +(defn get-org-member-role [app user-id] |
| 131 | + (when-let [org-id (:org_id app)] |
| 132 | + (keyword (:role (instant-org-members/get-by-org-and-user {:org-id org-id |
| 133 | + :user-id user-id}))))) |
121 | 134 |
|
122 | 135 | (defn req->app-and-user!
|
123 | 136 | ([req] (req->app-and-user! :owner req))
|
124 | 137 | ([least-privilege req]
|
125 | 138 | (let [app-id (ex/get-param! req [:params :app_id] uuid-util/coerce)
|
126 | 139 | {app-creator-id :creator_id :as app} (app-model/get-by-id! {:id app-id})
|
127 | 140 | {user-id :id :as user} (req->auth-user! req)
|
128 |
| - subscription (instant-subscription-model/get-by-app-id {:app-id app-id})] |
129 |
| - |
130 |
| - (assert-least-privilege! |
131 |
| - least-privilege |
132 |
| - (cond |
133 |
| - (= user-id app-creator-id) :owner |
134 |
| - (stripe/pro-plan? subscription) (get-member-role app-id user-id))) |
135 |
| - {:app app :user user :subscription subscription}))) |
| 141 | + app-subscription (instant-subscription-model/get-by-app-id {:app-id app-id}) |
| 142 | + org-subscription (when-let [org-id (:org_id app)] |
| 143 | + (instant-subscription-model/get-by-org-id {:org-id org-id})) |
| 144 | + app-member-role (if (= user-id app-creator-id) |
| 145 | + :owner |
| 146 | + (get-app-member-role app user-id)) |
| 147 | + good-app-role? (has-at-least-role? least-privilege app-member-role) |
| 148 | + org-member-role (get-org-member-role app user-id) |
| 149 | + good-org-role? (has-at-least-role? least-privilege org-member-role)] |
| 150 | + |
| 151 | + (cond (or (and app-member-role |
| 152 | + good-app-role? |
| 153 | + (or (= :owner app-member-role) |
| 154 | + (stripe/plan-supports-members? app-subscription) |
| 155 | + (stripe/plan-supports-members? org-subscription))) |
| 156 | + |
| 157 | + (and org-member-role |
| 158 | + good-org-role? |
| 159 | + (or (= :owner org-member-role) |
| 160 | + (stripe/plan-supports-members? org-subscription)))) |
| 161 | + ;; This is the only success case. The user has access through |
| 162 | + ;; either the app or the org. |
| 163 | + {:app app :user user} |
| 164 | + |
| 165 | + ;; Has no role |
| 166 | + (and (not app-member-role) |
| 167 | + (not org-member-role)) |
| 168 | + (ex/throw-validation-err! :user-role nil [{:message (format "User is missing role %s." |
| 169 | + (name least-privilege))}]) |
| 170 | + |
| 171 | + ;; Has a role, but not one good enough to get access |
| 172 | + (and (not good-app-role?) |
| 173 | + (not good-org-role?)) |
| 174 | + (ex/assert-permitted! :allowed-member-role? (or app-member-role org-member-role) false) |
| 175 | + |
| 176 | + ;; Has a role, but plan doesn't support members |
| 177 | + :else |
| 178 | + (ex/throw-insufficient-plan! {:capability "multiple members"}))))) |
136 | 179 |
|
137 | 180 | (defn req->app-and-user-accepting-platform-tokens! [least-privilege scope req]
|
138 | 181 | (let [token (http-util/req->bearer-token! req)]
|
|
796 | 839 | (ex/throw-record-not-unique! :instant-subscription))
|
797 | 840 | {customer-id :id} (instant-stripe-customer-model/get-or-create-for-org! {:org org
|
798 | 841 | :user-email user-email})
|
799 |
| - metadata (tool/inspect {"org-id" org-id |
800 |
| - "user-id" user-id |
801 |
| - "subscription-type-id" stripe/STARTUP_SUBSCRIPTION_TYPE}) |
| 842 | + metadata {"org-id" org-id |
| 843 | + "user-id" user-id |
| 844 | + "subscription-type-id" stripe/STARTUP_SUBSCRIPTION_TYPE} |
802 | 845 | description (str "Org name: " org-title)
|
803 | 846 | session-params {"success_url" (str (config/stripe-success-url) "&org=" org-id)
|
804 | 847 | "cancel_url" (str (config/stripe-cancel-url) "&org=" org-id)
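Review bot: `has-at-least-role?` (new lines 105–110) has no docstring, and its `<=` over `ucoll/index-of` positions is where the ordering of `member-role-hierarchy` (ascending privilege) becomes the access-control invariant for both `assert-least-privilege!` and the new `req->app-and-user!` cond, so it deserves to be stated: `"True when user-role is a known member role ranked at or above least-privilege-role in member-role-hierarchy (index ascends with privilege); nil/false for a nil or unknown role."`. If `ucoll/index-of` yields nil rather than a number for a role that is in `member-roles` but missing from `member-role-hierarchy`, the comparison would throw instead of denying, which is hard to tell from this hunk — a short assertion that every `member-roles` entry appears in the hierarchy, or a test pinning that, would close that gap. The `req->app-and-user!` branches look consistent: `:else` is reachable only after some role passed `has-at-least-role?` and failed the plan checks, so the `;; Has a role, but plan doesn't support members` comment matches the control flow. Dropping the `tool/inspect` wrapper around the Stripe `metadata` map in the later hunk (new lines 842–844) is a welcome removal of debug output on org-id/user-id.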
|
|