feat: add namespace-based access control with read/write permissions
@@ -28,6 +28,88 @@ func mentions(t string) []string {
|
||||
|
||||
func (s *nodeServiceImpl) User() string { return s.userID }
|
||||
|
||||
// --- Access control ---
|
||||
|
||||
// accessContext holds namespace IDs readable/writable by the current user.
|
||||
// Nodes with no in_namespace are globally accessible (empty namespaceID always passes).
|
||||
type accessContext struct {
|
||||
readable map[string]bool
|
||||
writable map[string]bool
|
||||
}
|
||||
|
||||
func (ac *accessContext) canRead(namespaceID string) bool {
|
||||
if namespaceID == "" {
|
||||
return true
|
||||
}
|
||||
return ac.readable[namespaceID]
|
||||
}
|
||||
|
||||
func (ac *accessContext) canWrite(namespaceID string) bool {
|
||||
if namespaceID == "" {
|
||||
return true
|
||||
}
|
||||
return ac.writable[namespaceID]
|
||||
}
|
||||
|
||||
// getAccessContext builds an accessContext by reading the current user's outgoing
|
||||
// has_write_access and has_read_access edges. If the user node does not yet exist
|
||||
// (first-time bootstrap) both maps are empty.
|
||||
func (s *nodeServiceImpl) getAccessContext() (*accessContext, error) {
|
||||
ctx := &accessContext{
|
||||
readable: make(map[string]bool),
|
||||
writable: make(map[string]bool),
|
||||
}
|
||||
userNodeID, err := s.resolveIDByNameAndType(s.store, s.userID, "user")
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if userNodeID == "" {
|
||||
return ctx, nil // not yet bootstrapped; no namespace permissions
|
||||
}
|
||||
userNode, err := s.store.GetNode(userNodeID)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
rels := userNode.Relations()
|
||||
for _, nsID := range rels[string(models.RelHasWriteAccess)] {
|
||||
ctx.writable[nsID] = true
|
||||
ctx.readable[nsID] = true
|
||||
}
|
||||
for _, nsID := range rels[string(models.RelHasReadAccess)] {
|
||||
ctx.readable[nsID] = true
|
||||
}
|
||||
return ctx, nil
|
||||
}
|
||||
|
||||
// nodeNamespaceID returns the first in_namespace target of n, or "" if none.
|
||||
func (s *nodeServiceImpl) nodeNamespaceID(n *models.Node) string {
|
||||
ids := n.Relations()[string(models.RelInNamespace)]
|
||||
if len(ids) == 0 {
|
||||
return ""
|
||||
}
|
||||
return ids[0]
|
||||
}
|
||||
|
||||
// checkRelTargetWrite verifies the current user has write access to the namespace
|
||||
// of each relation target. Targets that do not yet exist are skipped (they will
|
||||
// be created during the transaction and access granted there).
|
||||
func (s *nodeServiceImpl) checkRelTargetWrite(ac *accessContext, addRels []RelInput) error {
|
||||
for _, ri := range addRels {
|
||||
targetID, found := s.lookupRelTarget(ri.Type, ri.Target)
|
||||
if !found || targetID == "" {
|
||||
continue
|
||||
}
|
||||
targetNode, err := s.store.GetNode(targetID)
|
||||
if err != nil {
|
||||
continue // let the transaction surface missing-node errors
|
||||
}
|
||||
if !ac.canWrite(s.nodeNamespaceID(targetNode)) {
|
||||
return fmt.Errorf("permission denied: no write access to namespace of %s target %q", ri.Type, ri.Target)
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// --- Validation ---
|
||||
|
||||
var (
|
||||
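Review bot: checkRelTargetWrite applies the same test to has_read_access/has_write_access relations as to any other relation: it checks write access on the namespace the target node sits in, not on the target namespace itself, and the resolveRelTarget and lookupRelTarget hunks below now resolve those two types from ordinary rel input. Because getAccessContext derives a user's permissions from exactly those outgoing edges on the user node, a caller who passes Update's own write check on a user node (whether user or namespace nodes carry an in_namespace edge is not visible here) could extend their grants without holding write access to the namespace in question; from this diff, ensureNamespace is the only place such an edge is meant to be created. The `continue // let the transaction surface missing-node errors` branch also fails open: any store failure other than not-found skips the authorization check for that target. The rewritten loop below requires write access on the target namespace itself for the two grant types (rejecting them from user input entirely would be the simpler alternative) and returns errors that are not the store's not-found case; the sentinel name is a placeholder for the store's own, and `errors` would need importing.
```go
func (s *nodeServiceImpl) checkRelTargetWrite(ac *accessContext, addRels []RelInput) error {
	for _, ri := range addRels {
		targetID, found := s.lookupRelTarget(ri.Type, ri.Target)
		if !found || targetID == "" {
			continue
		}
		// Grant edges are what getAccessContext derives permissions from, so the
		// authority that matters is over the target namespace itself, not over
		// the namespace that node happens to sit in.
		if ri.Type == models.RelHasReadAccess || ri.Type == models.RelHasWriteAccess {
			if !ac.canWrite(targetID) {
				return fmt.Errorf("permission denied: no write access to namespace %q", ri.Target)
			}
			continue
		}
		targetNode, err := s.store.GetNode(targetID)
		if err != nil {
			if errors.Is(err, STORE_NOT_FOUND_SENTINEL /* placeholder: the store's not-found error */) {
				continue // let the transaction surface missing-node errors
			}
			return err // any other store failure must not bypass the check
		}
		// … unchanged: namespace write check on targetNode …
	}
	return nil
}
```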
@@ -68,7 +150,18 @@ func tagValue(tags []string, prefix string) string {
|
||||
// --- Query ---
|
||||
|
||||
func (s *nodeServiceImpl) GetByID(id string) (*models.Node, error) {
|
||||
return s.store.GetNode(id)
|
||||
n, err := s.store.GetNode(id)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ac, err := s.getAccessContext()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !ac.canRead(s.nodeNamespaceID(n)) {
|
||||
return nil, fmt.Errorf("permission denied: no read access to node %s", id)
|
||||
}
|
||||
return n, nil
|
||||
}
|
||||
|
||||
func (s *nodeServiceImpl) List(filter ListFilter) ([]*models.Node, error) {
|
||||
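Review bot: GetByID now returns a distinct "permission denied" error for a node the caller may not read, while an unknown id still returns the store's own error, so a caller can confirm that an id exists in a namespace it cannot read; the Delete hunk and the `current` lookup before the transaction in the Update hunk expose the same distinction. If node ids are not meant to be enumerable across namespaces, map the denied case to the same not-found result the store returns, e.g. `return nil, NOT_FOUND_ERR_PLACEHOLDER // same error the store returns for an unknown id` in place of the fmt.Errorf on the denied path, and likewise in Update and Delete. Whether the store exposes such a sentinel is not visible here.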
@@ -80,7 +173,21 @@ func (s *nodeServiceImpl) List(filter ListFilter) ([]*models.Node, error) {
|
||||
}
|
||||
relFilters = append(relFilters, &models.Rel{Type: ri.Type, Target: id})
|
||||
}
|
||||
return s.store.FindNodes(filter.Tags, relFilters)
|
||||
nodes, err := s.store.FindNodes(filter.Tags, relFilters)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ac, err := s.getAccessContext()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var result []*models.Node
|
||||
for _, n := range nodes {
|
||||
if ac.canRead(s.nodeNamespaceID(n)) {
|
||||
result = append(result, n)
|
||||
}
|
||||
}
|
||||
return result, nil
|
||||
}
|
||||
|
||||
// --- Lifecycle ---
|
||||
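Review bot: the access context is built after FindNodes has already run, so a caller whose getAccessContext fails still pays for the full query; moving `ac, err := s.getAccessContext()` ahead of `s.store.FindNodes(filter.Tags, relFilters)` is a free reorder. `var result []*models.Node` is also nil when every node is filtered out, which encodes as `null` if this slice reaches JSON (not visible here); `result := make([]*models.Node, 0, len(nodes))` keeps it non-nil and pre-sized. The start of List's body is outside this hunk.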
@@ -105,6 +212,37 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// --- Permission check ---
|
||||
ac, err := s.getAccessContext()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
// Determine the target namespace name (explicit or default).
|
||||
targetNSName := s.userID
|
||||
for _, ri := range input.Rels {
|
||||
if ri.Type == models.RelInNamespace {
|
||||
targetNSName = ri.Target
|
||||
break
|
||||
}
|
||||
}
|
||||
// Check write access only when the namespace already exists; if it doesn't
|
||||
// exist yet it will be created in the transaction and access granted there.
|
||||
if nsID, found := s.lookupRelTarget(models.RelInNamespace, targetNSName); found {
|
||||
if !ac.canWrite(nsID) {
|
||||
return nil, fmt.Errorf("permission denied: no write access to namespace %q", targetNSName)
|
||||
}
|
||||
}
|
||||
// Check write access for all other relation targets.
|
||||
var nonNSRels []RelInput
|
||||
for _, ri := range input.Rels {
|
||||
if ri.Type != models.RelInNamespace {
|
||||
nonNSRels = append(nonNSRels, ri)
|
||||
}
|
||||
}
|
||||
if err := s.checkRelTargetWrite(ac, nonNSRels); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Build initial relation map from rels input.
|
||||
rels := make(map[models.RelType][]string)
|
||||
hasNamespace := false
|
||||
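Review bot: only the first in_namespace relation in input.Rels is checked for write access (the loop with `break` at the top of the hunk), while the nonNSRels filter then drops every in_namespace relation from checkRelTargetWrite, so a second in_namespace target is never checked at all; whether the rest of Add, outside this hunk where `rels` and `hasNamespace` are filled, accepts more than one is not visible, but the check should not depend on it. nodeNamespaceID in the first hunk likewise reads only `ids[0]`, so a node with two in_namespace edges is governed by whichever comes first and later read/write checks on it are equally partial. The rewritten namespace check below verifies every explicitly requested namespace and falls back to the default only when none is given. Add's signature and the remainder of its body are outside the hunk.
```go
	// Check write access on every explicitly requested namespace, not just the
	// first one; a namespace that does not exist yet is created in the
	// transaction and access granted there.
	explicitNS := false
	for _, ri := range input.Rels {
		if ri.Type != models.RelInNamespace {
			continue
		}
		explicitNS = true
		if nsID, found := s.lookupRelTarget(models.RelInNamespace, ri.Target); found && !ac.canWrite(nsID) {
			return nil, fmt.Errorf("permission denied: no write access to namespace %q", ri.Target)
		}
	}
	if !explicitNS {
		if nsID, found := s.lookupRelTarget(models.RelInNamespace, s.userID); found && !ac.canWrite(nsID) {
			return nil, fmt.Errorf("permission denied: no write access to namespace %q", s.userID)
		}
	}
	// … unchanged: nonNSRels filter and checkRelTargetWrite call …
```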
@@ -180,6 +318,27 @@ func (s *nodeServiceImpl) Add(input AddInput) (*models.Node, error) {
|
||||
}
|
||||
|
||||
func (s *nodeServiceImpl) Update(id string, input UpdateInput) (*models.Node, error) {
|
||||
// Validate tags before doing any I/O.
|
||||
if err := validateTags(input.AddTags); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// --- Permission check ---
|
||||
current, err := s.store.GetNode(id)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
ac, err := s.getAccessContext()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if !ac.canWrite(s.nodeNamespaceID(current)) {
|
||||
return nil, fmt.Errorf("permission denied: no write access to node %s", id)
|
||||
}
|
||||
if err := s.checkRelTargetWrite(ac, input.AddRels); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// Enforce blocking constraint before allowing status=done.
|
||||
for _, t := range input.AddTags {
|
||||
if t == "_status::done" {
|
||||
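Review bot: the write check on `current` is made against `s.store` before the transaction opens, while the transaction in the next hunk re-reads the node with `st.GetNode(id)` and applies the change to that copy, so a concurrent move of the node into another namespace between the two reads is not caught; Delete has the same shape. Moving the `ac.canWrite(s.nodeNamespaceID(current))` and checkRelTargetWrite calls inside the transaction closure, right after its own `current, err := st.GetNode(id)`, closes that window (getAccessContext would then need a store parameter so it reads through `st` as well). Whether UpdateInput carries other fields, such as removed relations, that should also be gated is not visible here. Update's body continues past the end of this hunk.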
@@ -190,12 +349,7 @@ func (s *nodeServiceImpl) Update(id string, input UpdateInput) (*models.Node, er
|
||||
}
|
||||
}
|
||||
|
||||
// Validate tags being added.
|
||||
if err := validateTags(input.AddTags); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
err := s.store.Transaction(func(st store.Store) error {
|
||||
err = s.store.Transaction(func(st store.Store) error {
|
||||
current, err := st.GetNode(id)
|
||||
if err != nil {
|
||||
return err
|
||||
@@ -293,6 +447,17 @@ func (s *nodeServiceImpl) Update(id string, input UpdateInput) (*models.Node, er
|
||||
}
|
||||
|
||||
func (s *nodeServiceImpl) Delete(id string) error {
|
||||
n, err := s.store.GetNode(id)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
ac, err := s.getAccessContext()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
if !ac.canWrite(s.nodeNamespaceID(n)) {
|
||||
return fmt.Errorf("permission denied: no write access to node %s", id)
|
||||
}
|
||||
return s.store.DeleteNode(id)
|
||||
}
|
||||
|
||||
@@ -369,7 +534,7 @@ func (s *nodeServiceImpl) resolveRelTarget(st store.Store, ri RelInput) (string,
|
||||
switch ri.Type {
|
||||
case models.RelAssignee, models.RelCreated, models.RelMentions:
|
||||
return s.resolveUserRef(st, ri.Target)
|
||||
case models.RelInNamespace:
|
||||
case models.RelInNamespace, models.RelHasReadAccess, models.RelHasWriteAccess:
|
||||
return s.resolveNamespaceRef(st, ri.Target)
|
||||
default:
|
||||
return ri.Target, nil // blocks/subtask/related expect raw node IDs
|
||||
@@ -386,7 +551,7 @@ func (s *nodeServiceImpl) lookupRelTarget(relType models.RelType, target string)
|
||||
switch relType {
|
||||
case models.RelAssignee, models.RelCreated, models.RelMentions:
|
||||
nodeType = "user"
|
||||
case models.RelInNamespace:
|
||||
case models.RelInNamespace, models.RelHasReadAccess, models.RelHasWriteAccess:
|
||||
nodeType = "namespace"
|
||||
default:
|
||||
return target, true
|
||||
@@ -477,5 +642,9 @@ func (s *nodeServiceImpl) ensureNamespace(st store.Store, name string) (string,
|
||||
if err := st.AddEdge(id, userID, models.RelCreated); err != nil {
|
||||
return "", err
|
||||
}
|
||||
// Grant the creator write access to the new namespace.
|
||||
if err := st.AddEdge(userID, id, models.RelHasWriteAccess); err != nil {
|
||||
return "", err
|
||||
}
|
||||
return id, nil
|
||||
}
|
||||
|
||||
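Review bot: the new edge grants the creator only has_write_access, and read access follows solely because getAccessContext in the first hunk copies every has_write_access target into `readable`; that coupling is invisible from this function, so a later change to getAccessContext could silently leave creators unable to read their own namespace. Add `// Write access implies read access: getAccessContext adds every has_write_access target to the readable set as well.` above the AddEdge call. ensureNamespace's signature and the lines that assign `id` and `userID` are outside the hunk.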