Merge pull request #121 from documize/granular-permissions

Granular permissions

Author: HarveyKandola

README.md

@@ -1,48 +1,93 @@
 # Documize Community Edition
 
-Documize is an Integrated Document Environment (IDE) unifying documents, wiki, reporting and dashboards -- one tool to power the enterprise-wide knowledge backbone.
+## The mission
 
-![Alt text](screenshot.png "Documize")
+To bring software development inspired features to the world of documenting -- refactoring, importing, testing, linting, metrics, PRs, versioning....
 
-The mission is to bring software dev inspired features (refactoring, testing, linting, metrics, PRs) to those poor souls stuck writing docs in the dark ages.
+## What is it?
+
+Documize is an intelligent document environment (IDE) for creating, securing and sharing documents -- everything you need in one place.
+
+## Why should I care?
+
+Because maybe like us, you might be tired of:
+
+* juggling WYSIWYG editors, wiki software and various document related solutions
+* playing document related email tennis with contributions, versions and feedback
+* sharing not-so-secure folders with external participants
+
+Sound familiar? Read on.
+
+## Who is it for?
+
+Anyone who wants a single place for any kind of document.
+
+Anyone who wants to loop in external participants complete security.
+
+Anyone who wishes documentation and knowledge capture worked like agile software development.
+ 
+## What's different about Documize?
+
+Sane organization through personal, team and public spaces.
+
+Granular document access control via categories.
+
+Section based approach to document construction.
+
+Reusable templates and content blocks.
+
+Documentation related tasking and delegation.
+
+Integrations for embedding SaaS data within documents.
 
 ## Latest version
 
-v1.53.6
+v1.54.0
 
-## OS Support
+## OS support
+
+Documize runs on the following:
 
-- Windows
 - Linux
+- Windows
 - macOS
 
-## Tech stack
+## Technology stack
+
+Documize is built with the following technologies:
 
 - EmberJS (v2.15.0)
 - Go (v1.9.0)
-- MySQL (v5.7.10+) or Percona (v5.7.16-10+) or MariaDB (10.3.0+)
 
-## Documentation
+...and supports the following databases:
 
-<https://docs.documize.com>
+- MySQL (v5.7.10+)
+- Percona (v5.7.16-10+)
+- MariaDB (10.3.0+)
+
+Coming soon, PostgreSQL and Microsoft SQL Server support.
+
+## Authentication options
+
+Besides email/password login, you can also leverage the following options.
 
-## Keycloak Integration
+### Keycloak Integration
 
 Documize provides out-of-the-box integration with [Redhat Keycloak](http://www.keycloak.org) for open source identity and access management.
 
 Connect and authenticate with LDAP, Active Directory and more.
 
 <https://docs.documize.com>
 
-## Auth0 Compatible
+### Auth0 Compatible
 
 Documize is compatible with Auth0 identity as a service.
 
 [![JWT Auth for open source projects](https://cdn.auth0.com/oss/badges/a0-badge-dark.png)](https://auth0.com/?utm_source=oss&utm_medium=gp&utm_campaign=oss)
 
 Open Source Identity and Access Management
 
-## Legal
+## The legal bit at the end
 
 <https://documize.com>
 

build.sh

@@ -1,5 +1,8 @@
 #! /bin/bash
 
+# ember s apiHost=https://demo1.dev:5001
+# go run edition/community.go -port=5001 -forcesslport=5002 -cert selfcert/cert.pem -key selfcert/key.pem -salt=tsu3Acndky8cdTNx3
+
 NOW=$(date)
 echo "Build process started $NOW"
 

core/database/check.go

@@ -120,8 +120,8 @@ func Check(runtime *env.Runtime) bool {
 
 	{ // check all the required tables exist
 		var tables = []string{`account`,
-			`attachment`, `audit`, `document`,
-			`label`, `labelrole`, `organization`,
+			`attachment`, `document`,
+			`label`, `organization`,
 			`page`, `revision`, `search`, `user`}
 
 		for _, table := range tables {

core/database/endpoint.go

@@ -161,7 +161,7 @@ func setupAccount(rt *env.Runtime, completion onboardRequest, serial string) (er
 		return err
 	}
 
-	// Set up default labels for main collection.
+	// create space
 	labelID := uniqueid.Generate()
 	sql = fmt.Sprintf("insert into label (refid, orgid, label, type, userid) values (\"%s\", \"%s\", \"My Project\", 2, \"%s\")", labelID, orgID, userID)
 	_, err = runSQL(rt, sql)
@@ -170,12 +170,14 @@ func setupAccount(rt *env.Runtime, completion onboardRequest, serial string) (er
 		rt.Log.Error("insert into label failed", err)
 	}
 
-	labelRoleID := uniqueid.Generate()
-	sql = fmt.Sprintf("insert into labelrole (refid, labelid, orgid, userid, canview, canedit) values (\"%s\", \"%s\", \"%s\", \"%s\", 1, 1)", labelRoleID, labelID, orgID, userID)
-	_, err = runSQL(rt, sql)
-
-	if err != nil {
-		rt.Log.Error("insert into labelrole failed", err)
+	// assign permissions to space
+	perms := []string{"view", "manage", "own", "doc-add", "doc-edit", "doc-delete", "doc-move", "doc-copy", "doc-template"}
+	for _, p := range perms {
+		sql = fmt.Sprintf("insert into permission (orgid, who, whoid, action, scope, location, refid) values (\"%s\", 'user', \"%s\", \"%s\", 'object', 'space', \"%s\")", orgID, userID, p, labelID)
+		_, err = runSQL(rt, sql)
+		if err != nil {
+			rt.Log.Error("insert into permission failed", err)
+		}
 	}
 
 	return

core/database/scripts/autobuild/db_00016.sql

@@ -0,0 +1,143 @@
+/* community edition */
+
+-- permission records space and document level privelges, making existing labelrole table obsolete
+-- who column can be user or role
+-- whoid column contains eitehr user or role ID
+-- action column records permission type (view, edit, delete...)
+-- scope column details if action applies to object or table
+-- location column details name of table
+-- refid column details ID of item that the action applies to (only if scope=object)
+DROP TABLE IF EXISTS `permission`;
+
+CREATE TABLE IF NOT EXISTS `permission` (
+	`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+	`orgid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`who` VARCHAR(30) NOT NULL,
+	`whoid` CHAR(16) DEFAULT '' NOT NULL COLLATE utf8_bin,
+	`action` VARCHAR(30) NOT NULL,
+	`scope` VARCHAR(30) NOT NULL,
+	`location` VARCHAR(100) NOT NULL,
+	`refid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`created` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+	UNIQUE INDEX `idx_permission_id` (`id` ASC),
+	INDEX `idx_permission_orgid` (`orgid` ASC))
+DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+ENGINE = MyISAM;
+
+CREATE INDEX idx_permission_1 ON permission(orgid,who,whoid,location);
+CREATE INDEX idx_permission_2 ON permission(orgid,who,whoid,location,action);
+CREATE INDEX idx_permission_3 ON permission(orgid,location,refid);
+CREATE INDEX idx_permission_4 ON permission(orgid,who,location,action);
+
+-- category represents "folder/label/category" assignment to document (1:M)
+DROP TABLE IF EXISTS `category`;
+
+CREATE TABLE IF NOT EXISTS `category` (
+	`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+	`refid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`orgid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`labelid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`category` VARCHAR(30) NOT NULL,
+	`created` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+	`revised` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+	UNIQUE INDEX `idx_category_id` (`id` ASC),
+	INDEX `idx_category_refid` (`refid` ASC),
+	INDEX `idx_category_orgid` (`orgid` ASC))
+DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+ENGINE = MyISAM;
+
+CREATE INDEX idx_category_1 ON category(orgid,labelid);
+
+-- category member records who can see a category and the documents within
+DROP TABLE IF EXISTS `categorymember`;
+
+CREATE TABLE IF NOT EXISTS `categorymember` (
+	`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+	`refid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`orgid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`labelid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`categoryid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`documentid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`created` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+	`revised` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+	UNIQUE INDEX `idx_categorymember_id` (`id` ASC),
+	INDEX `idx_category_documentid` (`documentid`))
+    DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+ENGINE = MyISAM;
+
+CREATE INDEX idx_categorymember_1 ON categorymember(orgid,documentid);
+CREATE INDEX idx_categorymember_2 ON categorymember(orgid,labelid);
+
+-- rolee represent user groups 
+DROP TABLE IF EXISTS `role`;
+
+CREATE TABLE IF NOT EXISTS `role` (
+	`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+	`refid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`orgid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`role` VARCHAR(30) NOT NULL,
+	`created` TIMESTAMP DEFAULT CURRENT_TIMESTAMP,
+	UNIQUE INDEX `idx_category_id` (`id` ASC),
+	INDEX `idx_category_refid` (`refid` ASC),
+	INDEX `idx_category_orgid` (`orgid` ASC))
+DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+ENGINE = MyISAM;
+
+-- role member records user role membership
+DROP TABLE IF EXISTS `rolemember`;
+
+CREATE TABLE IF NOT EXISTS `rolemember` (
+	`id` INT UNSIGNED NOT NULL AUTO_INCREMENT,
+	`orgid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`roleid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	`userid` CHAR(16) NOT NULL COLLATE utf8_bin,
+	UNIQUE INDEX `idx_category_id` (`id` ASC))
+DEFAULT CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci
+ENGINE = MyISAM;
+
+CREATE INDEX idx_rolemember_1 ON rolemember(roleid,userid);
+CREATE INDEX idx_rolemember_2 ON rolemember(orgid,roleid,userid);
+
+-- user account can have global permssion to state if user can see all other users
+-- provides granular control for external users 
+ALTER TABLE account ADD COLUMN `users` BOOL NOT NULL DEFAULT 1 AFTER `admin`;
+
+-- migrate space/document permissions
+
+-- space own
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'own' as `action`, 'object' as scope, 'space' as location, refid
+	FROM label;
+
+-- space manage (same as owner)
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'manage' as `action`, 'object' as scope, 'space' as location, refid
+	FROM label;
+
+-- view space
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'view' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canview=1;
+
+-- edit space => add/edit/delete/move/copy/template documents
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'doc-add' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canedit=1;
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'doc-edit' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canedit=1;
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'doc-delete' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canedit=1;
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'doc-move' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canedit=1;
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'doc-copy' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canedit=1;
+INSERT INTO permission (orgid, who, whoid, `action`, scope, location, refid)  
+	SELECT orgid, 'user' as who, userid as whois, 'doc-template' as `action`, 'object' as scope, 'space' as location, labelid as refid
+	FROM labelrole WHERE canedit=1;
+
+-- everyone users ID changed to 0
+UPDATE permission SET whoid='0' WHERE whoid='';