2026-03-31 15:38:06 +02:00
|
|
|
|
package service
|
|
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
|
"axolotl/models"
|
|
|
|
|
|
"axolotl/store"
|
2026-03-31 15:55:47 +02:00
|
|
|
|
"fmt"
|
2026-03-31 15:38:06 +02:00
|
|
|
|
"maps"
|
|
|
|
|
|
"regexp"
|
|
|
|
|
|
"slices"
|
2026-03-31 23:10:56 +02:00
|
|
|
|
"strings"
|
2026-03-31 15:38:06 +02:00
|
|
|
|
"time"
|
|
|
|
|
|
)
|
|
|
|
|
|
|
|
|
|
|
|
type nodeServiceImpl struct {
|
|
|
|
|
|
store store.Store
|
|
|
|
|
|
userID string
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
var mentionRegex = regexp.MustCompile(`@([a-z0-9_]+)`)
|
|
|
|
|
|
|
|
|
|
|
|
func mentions(t string) []string {
|
|
|
|
|
|
seen := make(map[string]bool)
|
|
|
|
|
|
for _, m := range mentionRegex.FindAllStringSubmatch(t, -1) {
|
|
|
|
|
|
seen[m[1]] = true
|
|
|
|
|
|
}
|
|
|
|
|
|
return slices.Collect(maps.Keys(seen))
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 23:18:36 +02:00
|
|
|
|
func (s *nodeServiceImpl) User() string { return s.userID }
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// --- Permission model ---
|
|
|
|
|
|
//
|
|
|
|
|
|
// Four levels (inclusive: higher includes lower):
|
|
|
|
|
|
// 1 can_read – visible in list/show
|
|
|
|
|
|
// 2 can_create_rel – can create non-permission relations between nodes
|
|
|
|
|
|
// 3 can_write – can update/delete a node
|
|
|
|
|
|
// 4 has_ownership – sole owner; deletion cascades to owned nodes
|
|
|
|
|
|
//
|
|
|
|
|
|
// Permissions are transitive: if A has level L on B, and B has level M on C,
|
|
|
|
|
|
// then A has level min(L, M) on C. Computed by BFS from the user's own node.
|
|
|
|
|
|
// Users have self-ownership (has_ownership → self), so BFS starts at level 4.
|
|
|
|
|
|
//
|
|
|
|
|
|
// Rules for adding edge rels in Add/Update:
|
|
|
|
|
|
// Non-perm rel A → B : need can_create_rel on A, can_read on B
|
|
|
|
|
|
// Perm rel A --perm_P→ B : need perm_P on B (resource owner grants to any subject)
|
|
|
|
|
|
// Ownership A --has_ownership→ B : need has_ownership on B + can_create_rel on A
|
|
|
|
|
|
// → also removes existing ownership rels pointing to B
|
|
|
|
|
|
//
|
|
|
|
|
|
// Field/tag changes and rel removals require can_write on the node.
|
|
|
|
|
|
|
|
|
|
|
|
const (
|
|
|
|
|
|
permRead = 1
|
|
|
|
|
|
permCreateRel = 2
|
|
|
|
|
|
permWrite = 3
|
|
|
|
|
|
permOwnership = 4
|
|
|
|
|
|
)
|
2026-03-31 23:52:24 +02:00
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// isReferenceRel returns true for rels that point to "identity" nodes (users, namespaces).
|
|
|
|
|
|
// For these rels, the target only needs can_read (not can_create_rel), because users and
|
|
|
|
|
|
// namespaces are globally readable and any node can reference them.
|
|
|
|
|
|
func isReferenceRel(t models.RelType) bool {
|
|
|
|
|
|
switch t {
|
|
|
|
|
|
case models.RelAssignee, models.RelCreated, models.RelMentions, models.RelInNamespace:
|
2026-03-31 23:52:24 +02:00
|
|
|
|
return true
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
return false
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// permRelLevels maps permission rel types to their numeric level.
|
|
|
|
|
|
var permRelLevels = map[models.RelType]int{
|
|
|
|
|
|
models.RelCanRead: permRead,
|
|
|
|
|
|
models.RelCanCreateRel: permCreateRel,
|
|
|
|
|
|
models.RelCanWrite: permWrite,
|
|
|
|
|
|
models.RelHasOwnership: permOwnership,
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
type permContext struct {
|
|
|
|
|
|
levels map[string]int
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (pc *permContext) level(nodeID string) int { return pc.levels[nodeID] }
|
|
|
|
|
|
func (pc *permContext) canRead(nodeID string) bool { return pc.levels[nodeID] >= permRead }
|
|
|
|
|
|
func (pc *permContext) canCreateRel(nodeID string) bool { return pc.levels[nodeID] >= permCreateRel }
|
|
|
|
|
|
func (pc *permContext) canWrite(nodeID string) bool { return pc.levels[nodeID] >= permWrite }
|
|
|
|
|
|
func (pc *permContext) hasOwnership(nodeID string) bool { return pc.levels[nodeID] >= permOwnership }
|
|
|
|
|
|
|
|
|
|
|
|
// getPermContext builds a permContext by BFS from the current user's node,
|
|
|
|
|
|
// following permission rels and taking the minimum level along each path.
|
|
|
|
|
|
// User and namespace nodes are made globally readable after the BFS.
|
|
|
|
|
|
// If the user node doesn't exist yet, returns an empty permContext (no access);
|
|
|
|
|
|
// Add operations still work because unresolved targets skip the permission check.
|
|
|
|
|
|
func (s *nodeServiceImpl) getPermContext() (*permContext, error) {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
userNodeID, err := s.resolveIDByNameAndType(s.store, s.userID, "user")
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
pc := &permContext{levels: make(map[string]int)}
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if userNodeID == "" {
|
2026-04-01 22:11:15 +02:00
|
|
|
|
return pc, nil // user not bootstrapped yet; Add will auto-create user node
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
type entry struct {
|
|
|
|
|
|
nodeID string
|
|
|
|
|
|
level int
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Start at the user's own node at ownership level (users have self-ownership).
|
|
|
|
|
|
queue := []entry{{userNodeID, permOwnership}}
|
|
|
|
|
|
for len(queue) > 0 {
|
|
|
|
|
|
curr := queue[0]
|
|
|
|
|
|
queue = queue[1:]
|
|
|
|
|
|
if pc.levels[curr.nodeID] >= curr.level {
|
|
|
|
|
|
continue // already reached at a higher or equal level
|
2026-04-01 12:50:45 +02:00
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
pc.levels[curr.nodeID] = curr.level
|
|
|
|
|
|
node, err := s.store.GetNode(curr.nodeID)
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
2026-04-01 22:11:15 +02:00
|
|
|
|
continue // node may have been deleted; skip
|
|
|
|
|
|
}
|
|
|
|
|
|
for relType, pLevel := range permRelLevels {
|
|
|
|
|
|
for _, tgt := range node.Relations[string(relType)] {
|
|
|
|
|
|
eff := curr.level
|
|
|
|
|
|
if pLevel < eff {
|
|
|
|
|
|
eff = pLevel
|
|
|
|
|
|
}
|
|
|
|
|
|
if eff > pc.levels[tgt] {
|
|
|
|
|
|
queue = append(queue, entry{tgt, eff})
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// User and namespace nodes are globally readable (they represent identities,
|
|
|
|
|
|
// and anyone can reference or assign to them).
|
|
|
|
|
|
for _, nodeType := range []string{"user", "namespace"} {
|
|
|
|
|
|
nodes, _ := s.store.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
|
|
|
|
|
|
for _, n := range nodes {
|
|
|
|
|
|
if pc.levels[n.ID] < permRead {
|
|
|
|
|
|
pc.levels[n.ID] = permRead
|
|
|
|
|
|
}
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
|
|
|
|
|
|
return pc, nil
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 23:10:56 +02:00
|
|
|
|
// --- Validation ---
|
|
|
|
|
|
|
|
|
|
|
|
var (
|
|
|
|
|
|
validTypes = map[string]bool{"issue": true, "note": true, "user": true, "namespace": true}
|
|
|
|
|
|
validStatuses = map[string]bool{"open": true, "done": true}
|
|
|
|
|
|
validPrios = map[string]bool{"high": true, "medium": true, "low": true}
|
|
|
|
|
|
)
|
|
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// validateRels checks that any _ -prefixed rel names are known system properties
|
|
|
|
|
|
// and that their values are valid. Users may not define custom _ -prefixed rels.
|
|
|
|
|
|
func validateRels(rels []RelInput) error {
|
|
|
|
|
|
for _, r := range rels {
|
|
|
|
|
|
name := string(r.Type)
|
|
|
|
|
|
if !strings.HasPrefix(name, "_") {
|
|
|
|
|
|
continue
|
|
|
|
|
|
}
|
|
|
|
|
|
if v, ok := strings.CutPrefix(name, "_type::"); ok {
|
2026-03-31 23:10:56 +02:00
|
|
|
|
if !validTypes[v] {
|
|
|
|
|
|
return fmt.Errorf("invalid type %q: must be one of issue, note, user, namespace", v)
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
} else if v, ok := strings.CutPrefix(name, "_status::"); ok {
|
2026-03-31 23:10:56 +02:00
|
|
|
|
if !validStatuses[v] {
|
|
|
|
|
|
return fmt.Errorf("invalid status %q: must be one of open, done", v)
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
} else if v, ok := strings.CutPrefix(name, "_prio::"); ok {
|
2026-03-31 23:10:56 +02:00
|
|
|
|
if !validPrios[v] {
|
|
|
|
|
|
return fmt.Errorf("invalid priority %q: must be one of high, medium, low", v)
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
} else {
|
|
|
|
|
|
return fmt.Errorf("invalid relation %q: custom _ prefix not allowed", name)
|
2026-03-31 23:10:56 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// --- Query ---
|
|
|
|
|
|
|
2026-03-31 15:38:06 +02:00
|
|
|
|
func (s *nodeServiceImpl) GetByID(id string) (*models.Node, error) {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
n, err := s.store.GetNode(id)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
pc, err := s.getPermContext()
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
if !pc.canRead(id) {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
return nil, fmt.Errorf("permission denied: no read access to node %s", id)
|
|
|
|
|
|
}
|
|
|
|
|
|
return n, nil
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
func (s *nodeServiceImpl) List(filter ListFilter) ([]*models.Node, error) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
var storeFilters []*models.Rel
|
2026-03-31 15:55:47 +02:00
|
|
|
|
for _, ri := range filter.Rels {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
storeFilters = append(storeFilters, &models.Rel{Type: ri.Type, Target: ""})
|
|
|
|
|
|
} else {
|
|
|
|
|
|
id, ok := s.lookupRelTarget(ri.Type, ri.Target)
|
|
|
|
|
|
if !ok {
|
2026-04-01 22:11:15 +02:00
|
|
|
|
return nil, nil
|
2026-04-01 12:50:45 +02:00
|
|
|
|
}
|
|
|
|
|
|
storeFilters = append(storeFilters, &models.Rel{Type: ri.Type, Target: id})
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
nodes, err := s.store.FindNodes(storeFilters)
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
pc, err := s.getPermContext()
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
var result []*models.Node
|
|
|
|
|
|
for _, n := range nodes {
|
2026-04-01 22:11:15 +02:00
|
|
|
|
if pc.canRead(n.ID) {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
result = append(result, n)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return result, nil
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// --- Lifecycle ---
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Build tag set from tag rels (Target == ""), applying property-replacement semantics.
|
|
|
|
|
|
tmp := models.NewNode()
|
|
|
|
|
|
for _, r := range input.Rels {
|
|
|
|
|
|
if r.Target == "" {
|
|
|
|
|
|
tmp.AddTag(string(r.Type))
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-03-31 23:10:56 +02:00
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// Apply defaults.
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if tmp.GetProperty("type") == "" {
|
|
|
|
|
|
tmp.AddTag("_type::issue")
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if tmp.GetProperty("type") == "issue" && tmp.GetProperty("status") == "" {
|
|
|
|
|
|
tmp.AddTag("_status::open")
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Validate all rels (including the resolved default tags).
|
|
|
|
|
|
tagRels := make([]RelInput, len(tmp.Tags))
|
|
|
|
|
|
for i, t := range tmp.Tags {
|
|
|
|
|
|
tagRels[i] = RelInput{Type: models.RelType(t)}
|
|
|
|
|
|
}
|
|
|
|
|
|
if err := validateRels(append(tagRels, input.Rels...)); err != nil {
|
2026-03-31 23:10:56 +02:00
|
|
|
|
return nil, err
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Permission checks for edge rels.
|
|
|
|
|
|
pc, err := s.getPermContext()
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
for _, ri := range input.Rels {
|
2026-04-01 22:11:15 +02:00
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
continue // tag rel, no target to check
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
targetID, found := s.lookupRelTarget(ri.Type, ri.Target)
|
|
|
|
|
|
if !found {
|
|
|
|
|
|
continue // will be auto-created; skip check
|
|
|
|
|
|
}
|
|
|
|
|
|
permLevel, isPerm := permRelLevels[ri.Type]
|
|
|
|
|
|
switch {
|
|
|
|
|
|
case ri.Type == models.RelHasOwnership:
|
|
|
|
|
|
if !pc.hasOwnership(targetID) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no ownership of %q to transfer", ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
case isPerm:
|
|
|
|
|
|
if pc.level(targetID) < permLevel {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: cannot grant %s on %q", ri.Type, ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
default:
|
|
|
|
|
|
// Non-perm rel: source is the new node (creator gets ownership = can_create_rel).
|
|
|
|
|
|
// Target: reference rels (assignee/mentions/in_namespace) need can_read; others need can_create_rel.
|
|
|
|
|
|
if isReferenceRel(ri.Type) {
|
|
|
|
|
|
if !pc.canRead(targetID) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no read access to %q", ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
if !pc.canCreateRel(targetID) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no create_rel access to %q", ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 23:10:56 +02:00
|
|
|
|
hasNamespace := false
|
2026-03-31 15:55:47 +02:00
|
|
|
|
for _, ri := range input.Rels {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if ri.Type == models.RelInNamespace && ri.Target != "" {
|
2026-03-31 23:10:56 +02:00
|
|
|
|
hasNamespace = true
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
|
|
|
|
|
|
id, err := s.store.GenerateID()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
err = s.store.Transaction(func(st store.Store) error {
|
|
|
|
|
|
now := time.Now().UTC().Format(time.RFC3339)
|
2026-03-31 15:55:47 +02:00
|
|
|
|
if err := st.AddNode(id, input.Title, input.Content, input.DueDate, now, now); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Store tag rels.
|
|
|
|
|
|
for _, t := range tmp.Tags {
|
|
|
|
|
|
if err := st.AddRel(id, t, ""); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// Mentions.
|
2026-03-31 15:55:47 +02:00
|
|
|
|
for _, m := range mentions(input.Title + " " + input.Content) {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
userID, err := s.resolveUserRef(st, m)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(models.RelMentions), userID); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Edge rels.
|
|
|
|
|
|
hasCreated := false
|
|
|
|
|
|
for _, ri := range input.Rels {
|
|
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
continue // already stored as tag
|
|
|
|
|
|
}
|
|
|
|
|
|
if ri.Type == models.RelCreated {
|
|
|
|
|
|
hasCreated = true
|
|
|
|
|
|
}
|
|
|
|
|
|
resolved, err := s.resolveRelTarget(st, ri)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
if ri.Type == models.RelHasOwnership {
|
|
|
|
|
|
// Ownership transfer: remove existing owner of the target.
|
|
|
|
|
|
existingOwners, _ := st.FindNodes([]*models.Rel{{Type: models.RelHasOwnership, Target: resolved}})
|
|
|
|
|
|
for _, owner := range existingOwners {
|
|
|
|
|
|
st.RemoveRel(owner.ID, string(models.RelHasOwnership), resolved) //nolint:errcheck
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(ri.Type), resolved); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Default namespace.
|
|
|
|
|
|
if !hasNamespace {
|
|
|
|
|
|
nsID, err := s.resolveNamespaceRef(st, s.userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
if err := st.AddRel(id, string(models.RelInNamespace), nsID); err != nil {
|
|
|
|
|
|
return err
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Default created.
|
2026-03-31 15:38:06 +02:00
|
|
|
|
if !hasCreated {
|
|
|
|
|
|
userID, err := s.resolveUserRef(st, s.userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(models.RelCreated), userID); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Grant creator ownership of the new node.
|
|
|
|
|
|
creatorID, err := s.resolveUserRef(st, s.userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
if err := st.AddRel(creatorID, string(models.RelHasOwnership), id); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 12:55:21 +02:00
|
|
|
|
// Namespace bootstrap: when creating a namespace node directly, apply the
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// same setup as ensureNamespace — self in_namespace and creator ownership.
|
2026-04-01 12:55:21 +02:00
|
|
|
|
if tmp.GetProperty("type") == "namespace" {
|
|
|
|
|
|
if !hasNamespace {
|
|
|
|
|
|
// Replace the default namespace rel (user's ns) with self-reference.
|
|
|
|
|
|
userNsID, _ := s.resolveIDByNameAndType(st, s.userID, "namespace")
|
|
|
|
|
|
if userNsID != "" {
|
|
|
|
|
|
if err := st.RemoveRel(id, string(models.RelInNamespace), userNsID); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if err := st.AddRel(id, string(models.RelInNamespace), id); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Creator already gets ownership via the block above; nothing more to do.
|
2026-04-01 12:55:21 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return nil
|
|
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.store.GetNode(id)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
func (s *nodeServiceImpl) Update(id string, input UpdateInput) (*models.Node, error) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// Validate rels before doing any I/O.
|
|
|
|
|
|
if err := validateRels(input.AddRels); err != nil {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// --- Permission checks ---
|
|
|
|
|
|
pc, err := s.getPermContext()
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
|
|
|
|
|
|
// Field/tag changes and rel removals require can_write on the node.
|
|
|
|
|
|
needsWrite := input.Title != nil || input.Content != nil || input.DueDate != nil
|
|
|
|
|
|
for _, ri := range input.AddRels {
|
|
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
needsWrite = true
|
|
|
|
|
|
break
|
|
|
|
|
|
}
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
if len(input.RemoveRels) > 0 {
|
|
|
|
|
|
needsWrite = true
|
|
|
|
|
|
}
|
|
|
|
|
|
if needsWrite && !pc.canWrite(id) {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
return nil, fmt.Errorf("permission denied: no write access to node %s", id)
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
|
|
|
|
|
|
// Check each edge rel being added.
|
|
|
|
|
|
for _, ri := range input.AddRels {
|
|
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
continue // tag — handled above
|
|
|
|
|
|
}
|
|
|
|
|
|
permLevel, isPerm := permRelLevels[ri.Type]
|
|
|
|
|
|
targetID, found := s.lookupRelTarget(ri.Type, ri.Target)
|
|
|
|
|
|
switch {
|
|
|
|
|
|
case ri.Type == models.RelHasOwnership:
|
|
|
|
|
|
if !found {
|
|
|
|
|
|
return nil, fmt.Errorf("ownership target %q not found", ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
if !pc.hasOwnership(targetID) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no ownership of %q to transfer", ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
if !pc.canCreateRel(id) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no create_rel access to node %s", id)
|
|
|
|
|
|
}
|
|
|
|
|
|
case isPerm:
|
|
|
|
|
|
// Perm rel: need perm_P on target; no check on source.
|
|
|
|
|
|
if found && pc.level(targetID) < permLevel {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: insufficient permission on %q to grant %s", ri.Target, ri.Type)
|
|
|
|
|
|
}
|
|
|
|
|
|
default:
|
|
|
|
|
|
// Non-perm rel: need can_create_rel on source.
|
|
|
|
|
|
// Target: reference rels (assignee/mentions/in_namespace) need can_read; others need can_create_rel.
|
|
|
|
|
|
if !pc.canCreateRel(id) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no create_rel access to node %s", id)
|
|
|
|
|
|
}
|
|
|
|
|
|
if found {
|
|
|
|
|
|
if isReferenceRel(ri.Type) {
|
|
|
|
|
|
if !pc.canRead(targetID) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no read access to %s target %q", ri.Type, ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
} else {
|
|
|
|
|
|
if !pc.canCreateRel(targetID) {
|
|
|
|
|
|
return nil, fmt.Errorf("permission denied: no create_rel access to %s target %q", ri.Type, ri.Target)
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// Enforce blocking constraint before allowing status=done.
|
2026-04-01 12:50:45 +02:00
|
|
|
|
for _, r := range input.AddRels {
|
|
|
|
|
|
if r.Target == "" && string(r.Type) == "_status::done" {
|
2026-03-31 23:10:56 +02:00
|
|
|
|
if err := s.checkBlockers(id); err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
break
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 23:52:24 +02:00
|
|
|
|
err = s.store.Transaction(func(st store.Store) error {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
current, err := st.GetNode(id)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
title, content, dueDate := current.Title, current.Content, current.DueDate
|
|
|
|
|
|
if input.Title != nil {
|
|
|
|
|
|
title = *input.Title
|
|
|
|
|
|
}
|
|
|
|
|
|
if input.Content != nil {
|
|
|
|
|
|
content = *input.Content
|
|
|
|
|
|
}
|
|
|
|
|
|
if input.DueDate != nil {
|
|
|
|
|
|
dueDate = *input.DueDate
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
now := time.Now().UTC().Format(time.RFC3339)
|
|
|
|
|
|
if err := st.UpdateNode(id, title, content, dueDate, now); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// Compute new tag set using the model's AddTag/RemoveTag to preserve
|
|
|
|
|
|
// property-prefix replacement semantics.
|
|
|
|
|
|
tmp := models.NewNode()
|
2026-04-01 00:13:43 +02:00
|
|
|
|
for _, t := range current.Tags {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
tmp.AddTag(t)
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
for _, r := range input.AddRels {
|
|
|
|
|
|
if r.Target == "" {
|
|
|
|
|
|
tmp.AddTag(string(r.Type))
|
|
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
for _, r := range input.RemoveRels {
|
|
|
|
|
|
if r.Target == "" {
|
|
|
|
|
|
tmp.RemoveTag(string(r.Type))
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 00:13:43 +02:00
|
|
|
|
currentTags, newTags := current.Tags, tmp.Tags
|
2026-03-31 15:38:06 +02:00
|
|
|
|
for _, t := range currentTags {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
if !slices.Contains(newTags, t) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.RemoveRel(id, t, ""); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
for _, t := range newTags {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
if !slices.Contains(currentTags, t) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, t, ""); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// Sync mention edges when title or content changed.
|
|
|
|
|
|
if input.Title != nil || input.Content != nil {
|
|
|
|
|
|
if err := s.syncMentions(st, id, current, title, content); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 00:13:43 +02:00
|
|
|
|
currentRels := current.Relations
|
2026-03-31 23:10:56 +02:00
|
|
|
|
for _, ri := range input.AddRels {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
continue // already handled as tag
|
|
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
resolved, err := s.resolveRelTarget(st, ri)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// Single-value relations replace the previous target.
|
|
|
|
|
|
if ri.Type == models.RelAssignee || ri.Type == models.RelInNamespace {
|
|
|
|
|
|
for _, oldTgt := range currentRels[string(ri.Type)] {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.RemoveRel(id, string(ri.Type), oldTgt); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Ownership transfer: enforce single-owner constraint.
|
|
|
|
|
|
if ri.Type == models.RelHasOwnership {
|
|
|
|
|
|
existingOwners, _ := st.FindNodes([]*models.Rel{{Type: models.RelHasOwnership, Target: resolved}})
|
|
|
|
|
|
for _, owner := range existingOwners {
|
|
|
|
|
|
st.RemoveRel(owner.ID, string(models.RelHasOwnership), resolved) //nolint:errcheck
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(ri.Type), resolved); err != nil {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
|
|
|
|
|
|
for _, ri := range input.RemoveRels {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if ri.Target == "" {
|
|
|
|
|
|
continue // already handled as tag
|
|
|
|
|
|
}
|
2026-03-31 15:55:47 +02:00
|
|
|
|
resolved, err := s.resolveRelTarget(st, ri)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.RemoveRel(id, string(ri.Type), resolved); err != nil {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
return err
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
|
})
|
2026-03-31 15:55:47 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.store.GetNode(id)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) Delete(id string) error {
|
2026-04-01 22:11:15 +02:00
|
|
|
|
pc, err := s.getPermContext()
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
if !pc.canWrite(id) {
|
|
|
|
|
|
return fmt.Errorf("permission denied: no write access to node %s", id)
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.store.Transaction(func(st store.Store) error {
|
|
|
|
|
|
return s.cascadeDelete(st, id, make(map[string]bool))
|
|
|
|
|
|
})
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// cascadeDelete deletes id and all nodes it owns (recursively).
|
|
|
|
|
|
// visited prevents infinite loops from ownership cycles.
|
|
|
|
|
|
func (s *nodeServiceImpl) cascadeDelete(st store.Store, id string, visited map[string]bool) error {
|
|
|
|
|
|
if visited[id] {
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
visited[id] = true
|
|
|
|
|
|
node, err := st.GetNode(id)
|
2026-03-31 23:52:24 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Capture owned node IDs before deleting (DeleteNode cascades the rels).
|
|
|
|
|
|
ownedIDs := make([]string, len(node.Relations[string(models.RelHasOwnership)]))
|
|
|
|
|
|
copy(ownedIDs, node.Relations[string(models.RelHasOwnership)])
|
|
|
|
|
|
if err := st.DeleteNode(id); err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
for _, ownedID := range ownedIDs {
|
|
|
|
|
|
if ownedID == id {
|
|
|
|
|
|
continue // skip self-ownership
|
|
|
|
|
|
}
|
|
|
|
|
|
s.cascadeDelete(st, ownedID, visited) //nolint:errcheck — node may already be gone
|
2026-03-31 23:52:24 +02:00
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
return nil
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// --- User management ---
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) AddUser(name string) (*models.Node, error) {
|
|
|
|
|
|
var id string
|
|
|
|
|
|
err := s.store.Transaction(func(st store.Store) error {
|
|
|
|
|
|
var err error
|
|
|
|
|
|
id, err = s.ensureUser(st, name)
|
|
|
|
|
|
return err
|
|
|
|
|
|
})
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return nil, err
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.store.GetNode(id)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) ListUsers() ([]*models.Node, error) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
return s.store.FindNodes([]*models.Rel{{Type: "_type::user", Target: ""}})
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// --- Internal helpers ---
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) checkBlockers(id string) error {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
blockers, err := s.store.FindNodes([]*models.Rel{{Type: models.RelBlocks, Target: id}})
|
2026-03-31 15:55:47 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
var blocking []string
|
2026-03-31 22:36:49 +02:00
|
|
|
|
for _, b := range blockers {
|
|
|
|
|
|
if b.GetProperty("status") == "open" {
|
|
|
|
|
|
blocking = append(blocking, b.ID)
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
if len(blocking) > 0 {
|
|
|
|
|
|
return fmt.Errorf("cannot close: blocked by %v", blocking)
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) syncMentions(st store.Store, id string, current *models.Node, newTitle, newContent string) error {
|
|
|
|
|
|
existingMentionIDs := make(map[string]bool)
|
2026-04-01 00:13:43 +02:00
|
|
|
|
for _, uid := range current.Relations[string(models.RelMentions)] {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
existingMentionIDs[uid] = true
|
|
|
|
|
|
}
|
|
|
|
|
|
mentionedUserIDs := make(map[string]bool)
|
|
|
|
|
|
for _, m := range mentions(newTitle + " " + newContent) {
|
|
|
|
|
|
userID, err := s.resolveUserRef(st, m)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
mentionedUserIDs[userID] = true
|
|
|
|
|
|
if !existingMentionIDs[userID] {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(models.RelMentions), userID); err != nil {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
for uid := range existingMentionIDs {
|
|
|
|
|
|
if !mentionedUserIDs[uid] {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.RemoveRel(id, string(models.RelMentions), uid); err != nil {
|
2026-03-31 15:55:47 +02:00
|
|
|
|
return err
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
// resolveRelTarget resolves a RelInput target to a node ID, auto-creating users
|
|
|
|
|
|
// and namespaces as needed. Use only inside a transaction.
|
|
|
|
|
|
func (s *nodeServiceImpl) resolveRelTarget(st store.Store, ri RelInput) (string, error) {
|
|
|
|
|
|
switch ri.Type {
|
|
|
|
|
|
case models.RelAssignee, models.RelCreated, models.RelMentions:
|
|
|
|
|
|
return s.resolveUserRef(st, ri.Target)
|
2026-04-01 22:11:15 +02:00
|
|
|
|
case models.RelInNamespace:
|
2026-03-31 15:55:47 +02:00
|
|
|
|
return s.resolveNamespaceRef(st, ri.Target)
|
|
|
|
|
|
default:
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Permission rels and all other edge rels expect raw node IDs.
|
|
|
|
|
|
return ri.Target, nil
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
}
|
|
|
|
|
|
|
2026-03-31 15:55:47 +02:00
|
|
|
|
// lookupRelTarget resolves a filter target to a node ID without creating anything.
|
|
|
|
|
|
// Returns ("", false) when the target doesn't exist.
|
|
|
|
|
|
func (s *nodeServiceImpl) lookupRelTarget(relType models.RelType, target string) (string, bool) {
|
|
|
|
|
|
if exists, _ := s.store.NodeExists(target); exists {
|
|
|
|
|
|
return target, true
|
|
|
|
|
|
}
|
|
|
|
|
|
var nodeType string
|
|
|
|
|
|
switch relType {
|
|
|
|
|
|
case models.RelAssignee, models.RelCreated, models.RelMentions:
|
|
|
|
|
|
nodeType = "user"
|
2026-04-01 22:11:15 +02:00
|
|
|
|
case models.RelInNamespace:
|
2026-03-31 15:55:47 +02:00
|
|
|
|
nodeType = "namespace"
|
|
|
|
|
|
default:
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Permission rels and other edge rels use raw node IDs.
|
|
|
|
|
|
return "", false
|
2026-03-31 15:55:47 +02:00
|
|
|
|
}
|
|
|
|
|
|
id, err := s.resolveIDByNameAndType(s.store, target, nodeType)
|
|
|
|
|
|
if err != nil || id == "" {
|
|
|
|
|
|
return "", false
|
|
|
|
|
|
}
|
|
|
|
|
|
return id, true
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2026-04-01 12:50:45 +02:00
|
|
|
|
// resolveIDByNameAndType finds a node by title and _type property without creating it.
|
2026-03-31 15:38:06 +02:00
|
|
|
|
func (s *nodeServiceImpl) resolveIDByNameAndType(st store.Store, title, nodeType string) (string, error) {
|
2026-04-01 12:50:45 +02:00
|
|
|
|
nodes, err := st.FindNodes([]*models.Rel{{Type: models.RelType("_type::" + nodeType), Target: ""}})
|
2026-03-31 15:38:06 +02:00
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
for _, n := range nodes {
|
|
|
|
|
|
if n.Title == title {
|
|
|
|
|
|
return n.ID, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
return "", nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) resolveUserRef(st store.Store, ref string) (string, error) {
|
|
|
|
|
|
if exists, _ := st.NodeExists(ref); exists {
|
|
|
|
|
|
return ref, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.ensureUser(st, ref)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) ensureUser(st store.Store, username string) (string, error) {
|
|
|
|
|
|
userID, err := s.resolveIDByNameAndType(st, username, "user")
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
if userID != "" {
|
|
|
|
|
|
return userID, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
id, err := st.GenerateID()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
now := time.Now().UTC().Format(time.RFC3339)
|
|
|
|
|
|
if err := st.AddNode(id, username, "", "", now, now); err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, "_type::user", ""); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Users have self-ownership by default.
|
|
|
|
|
|
if err := st.AddRel(id, string(models.RelHasOwnership), id); err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return id, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) resolveNamespaceRef(st store.Store, ref string) (string, error) {
|
|
|
|
|
|
if exists, _ := st.NodeExists(ref); exists {
|
|
|
|
|
|
return ref, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
return s.ensureNamespace(st, ref)
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
func (s *nodeServiceImpl) ensureNamespace(st store.Store, name string) (string, error) {
|
|
|
|
|
|
nsID, err := s.resolveIDByNameAndType(st, name, "namespace")
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
if nsID != "" {
|
|
|
|
|
|
return nsID, nil
|
|
|
|
|
|
}
|
|
|
|
|
|
id, err := st.GenerateID()
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
now := time.Now().UTC().Format(time.RFC3339)
|
|
|
|
|
|
if err := st.AddNode(id, name, "", "", now, now); err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, "_type::namespace", ""); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(models.RelInNamespace), id); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
|
|
|
|
|
userID, err := s.resolveUserRef(st, s.userID)
|
|
|
|
|
|
if err != nil {
|
|
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-04-01 12:50:45 +02:00
|
|
|
|
if err := st.AddRel(id, string(models.RelCreated), userID); err != nil {
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-04-01 22:11:15 +02:00
|
|
|
|
// Creator owns the namespace.
|
|
|
|
|
|
if err := st.AddRel(userID, string(models.RelHasOwnership), id); err != nil {
|
2026-03-31 23:52:24 +02:00
|
|
|
|
return "", err
|
|
|
|
|
|
}
|
2026-03-31 15:38:06 +02:00
|
|
|
|
return id, nil
|
|
|
|
|
|
}
|
