feat: Check edit permissions (#48)

* chore(dev): Make S3 mock retain files on exit

I just missed doing this in the PR which migrates to S3. :)

* feat(frontend): Use daisyUI alert component

Makes the `Alert` component use the daisyUI `alert` component. For some
reason the code didn't use it previously. Switching since I think it's
more pretty and looks more consistent.

* feat: Check edit permissions

Adds checks to the backend making sure that the user is allowed to edit
content, and new UI to the frontend which informs the user if they're
not allowed to edit a given slide group.

* feat: Don't show edit buttons when not owner

Hides any buttons for editing slide groups from the slide group options
components when the user isn't allowed to edit it. Previously trying to
interact with them under this condition would have just resulted in an
error. This makes the behavior consistent with when a group is archived.

I also moved the alert boxes to be above the slide group name, and made
it so that the alert that the user can't edit the group isn't shown if
the group is also archived.

Author: laxsjo

compose.yml

@@ -51,6 +51,7 @@ services:
     environment:
       - COM_ADOBE_TESTING_S3MOCK_STORE_INITIAL_BUCKETS=meta-tv
       - COM_ADOBE_TESTING_S3MOCK_STORE_REGION=eu-west-1
+      - COM_ADOBE_TESTING_S3MOCK_STORE_RETAIN_FILES_ON_EXIT=true
     ports:
       - 9090:9090
   nyckeln:

crates/backend/src/auth/mod.rs

@@ -1,4 +1,5 @@
 use chrono::{DateTime, Utc};
+use common::dtos::{LangDto, UserInfoDto};
 use oidc::OidcClient;
 use rocket::{
     http::{Cookie, CookieJar, SameSite, Status},
@@ -7,7 +8,7 @@ use rocket::{
 };
 use serde::{Deserialize, Serialize};
 
-use crate::error::AppError;
+use crate::{auth::hive::HiveClient, error::AppError};
 
 pub mod hive;
 pub mod oidc;
@@ -23,6 +24,24 @@ pub struct Session {
     pub expiration: DateTime<Utc>,
 }
 
+impl Session {
+    pub async fn populate(&self, hive_client: &HiveClient) -> reqwest::Result<UserInfoDto> {
+        let memberships = if self.is_admin {
+            hive_client.tagged_groups(LangDto::Sv).await?
+        } else {
+            hive_client
+                .tagged_memberships(&self.username, LangDto::Sv)
+                .await?
+        };
+
+        Ok(UserInfoDto {
+            username: self.username.clone(),
+            is_admin: self.is_admin,
+            memberships,
+        })
+    }
+}
+
 #[rocket::async_trait]
 impl<'r> FromRequest<'r> for Session {
     type Error = String;

crates/backend/src/error.rs

@@ -16,6 +16,8 @@ use crate::auth::oidc::OidcAuthenticationError;
 pub enum AppError {
     #[error("you must login to perform this action")]
     Unauthenticated,
+    #[error("you don't have permission to perform this action")]
+    Unauthorized,
     #[error("uploaded file exceeds maximum allowed size (max is {0} bytes)")]
     FileTooBig(u64),
     #[error("screen not found")]
@@ -58,6 +60,7 @@ impl AppError {
     pub fn status(&self) -> Status {
         match self {
             AppError::Unauthenticated => Status::Unauthorized,
+            AppError::Unauthorized => Status::Forbidden,
             AppError::FileTooBig(_) => Status::PayloadTooLarge,
             AppError::ScreenNotFound => Status::NotFound,
             AppError::SlideGroupNotFound => Status::NotFound,

crates/backend/src/lib.rs

@@ -138,7 +138,6 @@ pub(crate) fn rocket() -> Rocket<Build> {
                 routes::auth::logout,
                 routes::auth::oidc_callback,
                 routes::auth::user_info,
-                routes::auth::user_memberships,
             ],
         )
         .register("/auth", catchers![routes::auth::not_logged_in])

crates/backend/src/routes/auth.rs

@@ -1,4 +1,4 @@
-use common::dtos::{SessionDto, TaggedGroupDto};
+use common::dtos::UserInfoDto;
 use rocket::{
     http::{uri::Host, CookieJar},
     response::Redirect,
@@ -58,29 +58,27 @@ pub async fn logout(jar: &CookieJar<'_>) -> Redirect {
     Redirect::to("/")
 }
 
-#[rocket::get("/user")]
-pub async fn user_info(session: Session) -> Json<SessionDto> {
-    Json(SessionDto {
-        username: session.username,
-        is_admin: session.is_admin,
-    })
-}
-
-/// Get the groups which the logged in user is a part of.
-#[get("/user/memberships?<lang>")]
-pub async fn user_memberships(
+/// Get the username and groups of the logged in user, as well as if they're an admin.
+#[rocket::get("/user?<lang>")]
+pub async fn user_info(
     lang: Option<Lang>,
-    session: auth::Session,
+    session: Session,
     hive_client: &State<HiveClient>,
-) -> Result<Json<Vec<TaggedGroupDto>>, AppError> {
-    Ok(Json(if session.is_admin {
+) -> Result<Json<UserInfoDto>, AppError> {
+    let memberships = if session.is_admin {
         hive_client
             .tagged_groups(lang.unwrap_or_default().into())
             .await?
     } else {
         hive_client
             .tagged_memberships(&session.username, lang.unwrap_or_default().into())
             .await?
+    };
+
+    Ok(Json(UserInfoDto {
+        username: session.username,
+        is_admin: session.is_admin,
+        memberships,
     }))
 }
 
@@ -91,7 +89,7 @@ pub async fn not_logged_in() -> AppError {
 
 #[cfg(test)]
 mod tests {
-    use common::dtos::SessionDto;
+    use common::dtos::UserInfoDto;
     use rocket::http::Status;
 
     use crate::test_utils::TestClient;
@@ -105,9 +103,10 @@ mod tests {
         assert_eq!(response.status(), Status::Ok);
         assert_eq!(
             response.into_json(),
-            Some(SessionDto {
+            Some(UserInfoDto {
                 username: "johndoe".to_string(),
-                is_admin: false
+                is_admin: false,
+                memberships: Vec::new(),
             })
         );
     }
@@ -121,9 +120,10 @@ mod tests {
         assert_eq!(response.status(), Status::Ok);
         assert_eq!(
             response.into_json(),
-            Some(SessionDto {
+            Some(UserInfoDto {
                 username: "janedoe".to_string(),
-                is_admin: true
+                is_admin: true,
+                memberships: Vec::new(),
             })
         );
     }

crates/backend/src/routes/content.rs

@@ -6,7 +6,13 @@ use sea_orm::{
 };
 use sea_orm_rocket::Connection;
 
-use crate::{auth::Session, error::AppError, files::Files, pool::Db};
+use crate::{
+    auth::{hive::HiveClient, Session},
+    error::AppError,
+    files::Files,
+    pool::Db,
+    routes::slide_group,
+};
 
 use super::{build_created_response, CreatedResponse};
 
@@ -18,7 +24,8 @@ pub(crate) struct Upload<'r> {
 
 #[post("/content", data = "<upload>")]
 pub async fn create_content(
-    _session: Session, // for access control only
+    session: Session,
+    hive_client: &State<HiveClient>,
     conn: Connection<'_, Db>,
     files: &State<Files>,
     mut upload: Form<Upload<'_>>,
@@ -32,17 +39,27 @@ pub async fn create_content(
         .await?
         .ok_or_else(|| AppError::ScreenNotFound)?;
 
-    // ensure slide exists and is not archived (deleted)
-    entity::slide::Entity::find_by_id(upload.data.slide)
+    // ensure slide exists and is not archived (deleted), and that the user owns the associated
+    // slide group.
+    let slide_group_id = entity::slide::Entity::find_by_id(upload.data.slide)
         .join(
             JoinType::LeftJoin,
             entity::slide::Relation::SlideGroup.def(),
         )
         .filter(entity::slide::Column::ArchiveDate.is_null())
         .filter(entity::slide_group::Column::ArchiveDate.is_null())
+        .select_only()
+        .column(entity::slide::Column::Group)
+        .into_tuple::<i32>()
         .one(&txn)
         .await?
         .ok_or_else(|| AppError::SlideNotFound)?;
+    slide_group::check_slide_group_ownership(
+        &session.populate(hive_client).await?,
+        &txn,
+        slide_group_id,
+    )
+    .await?;
 
     // archive (delete) content already on this screen (if any)
     entity::content::Entity::update_many()

crates/backend/src/routes/slide.rs

@@ -1,47 +1,68 @@
 use common::dtos::{CreateSlideDto, MoveSlidesDto};
-use rocket::{http::Status, serde::json::Json};
+use rocket::{http::Status, serde::json::Json, State};
 use sea_orm::{ActiveModelTrait, EntityTrait, Set, TransactionTrait};
 use sea_orm_rocket::Connection;
 
-use crate::{auth::Session, error::AppError, pool::Db};
+use crate::{
+    auth::{hive::HiveClient, Session},
+    error::AppError,
+    pool::Db,
+    routes::slide_group,
+};
 
 use super::{build_created_response, CreatedResponse};
 
 #[post("/slide", data = "<slide>")]
 pub async fn create_slide(
-    _session: Session, // for access control only
+    session: Session,
+    hive_client: &State<HiveClient>,
     conn: Connection<'_, Db>,
     slide: Json<CreateSlideDto>,
 ) -> Result<CreatedResponse, AppError> {
     let db = conn.into_inner();
+    let txn = db.begin().await?;
+
+    slide_group::check_slide_group_ownership(
+        &session.populate(hive_client).await?,
+        &txn,
+        slide.slide_group,
+    )
+    .await?;
 
     let res = entity::slide::ActiveModel {
         position: Set(slide.position),
         group: Set(slide.slide_group),
         ..Default::default()
     }
-    .insert(db)
+    .insert(&txn)
     .await?;
 
+    txn.commit().await?;
+
     // NOTE: non-existent route
     Ok(build_created_response("/api/slide", res.id))
 }
 
 #[post("/slide/bulk-move", data = "<positions>")]
 pub async fn bulk_move_slides(
-    _session: Session, // for access control only
+    session: Session,
+    hive_client: &State<HiveClient>,
     conn: Connection<'_, Db>,
     positions: Json<MoveSlidesDto>,
 ) -> Result<Status, AppError> {
     let db = conn.into_inner();
     let txn = db.begin().await?;
 
+    let user_info = session.populate(hive_client).await?;
+
     for (&slide_id, &new_position) in &positions.new_positions {
         let slide = entity::slide::Entity::find_by_id(slide_id)
             .one(&txn)
             .await?
             .ok_or(AppError::SlideNotFound)?;
 
+        slide_group::check_slide_group_ownership(&user_info, &txn, slide.group).await?;
+
         if slide.archive_date.is_some() {
             return Err(AppError::SlideArchived);
         }
@@ -64,9 +85,10 @@ pub async fn bulk_move_slides(
 
 #[delete("/slide/<id>")]
 pub async fn delete_slide(
-    _session: Session,
-    id: i32,
+    session: Session,
+    hive_client: &State<HiveClient>,
     conn: Connection<'_, Db>,
+    id: i32,
 ) -> Result<Status, AppError> {
     let db = conn.into_inner();
     let txn = db.begin().await?;
@@ -78,6 +100,13 @@ pub async fn delete_slide(
         .await?
         .ok_or(AppError::SlideNotFound)?;
 
+    slide_group::check_slide_group_ownership(
+        &session.populate(hive_client).await?,
+        &txn,
+        slide.group,
+    )
+    .await?;
+
     if slide.archive_date.is_some() {
         return Err(AppError::SlideArchived);
     }