backend: extend access token

SafeHavenMaps · Jul 1, 2024 · 831729b · 831729b
1 parent 530f411
commit 831729b
Show file tree

Hide file tree

Showing 4 changed files with 84 additions and 16 deletions.
diff --git a/backend/migrations/20240701212445_extend_permissions.sql b/backend/migrations/20240701212445_extend_permissions.sql
@@ -0,0 +1,2 @@
+UPDATE access_tokens
+SET permissions = permissions || '{"can_list_entities": true, "can_access_entity": true, "can_add_entity": true, "can_add_comment": true}'::jsonb;
diff --git a/backend/src/api/map.rs b/backend/src/api/map.rs
@@ -120,8 +120,12 @@ pub async fn viewer_view_request(
 ) -> Result<AppJson<EntitiesAndClusters>, AppError> {
     tracing::trace!("Received view request {}", request);
 
+    if !token.perms.can_list_entities {
+        return Err(AppError::Forbidden);
+    }
+
     if !is_token_allowed_for_family(&token, &request.family_id) {
-        return Err(AppError::Unauthorized);
+        return Err(AppError::Forbidden);
     }
 
     let dyn_config = app_state.dyn_config.read().await;
@@ -206,8 +210,12 @@ async fn viewer_search_request(
 ) -> Result<AppJson<ViewerCachedEntitiesWithPagination>, AppError> {
     tracing::trace!("Received search request {}", request);
 
+    if !token.perms.can_list_entities {
+        return Err(AppError::Forbidden);
+    }
+
     if !is_token_allowed_for_family(&token, &request.family_id) {
-        return Err(AppError::Unauthorized);
+        return Err(AppError::Forbidden);
     }
 
     // Check if some of the constraints are forbidden
@@ -245,14 +253,14 @@ async fn viewer_search_request(
 #[derive(Serialize, Deserialize, ToSchema, Debug)]
 pub struct PublicNewEntityRequest {
     entity: PublicNewEntity,
-    comment: PublicNewComment,
+    comment: Option<PublicNewComment>,
     hcaptcha_token: Option<String>,
 }
 
 #[derive(Serialize, Deserialize, ToSchema, Debug)]
 pub struct PublicNewEntityResponse {
     entity: PublicEntity,
-    comment: PublicComment,
+    comment: Option<PublicComment>,
 }
 
 async fn check_captcha(state: AppState, response: Option<String>) -> Result<(), AppError> {
@@ -299,16 +307,26 @@ async fn check_captcha(state: AppState, response: Option<String>) -> Result<(),
 async fn viewer_new_entity(
     DbConn(mut conn): DbConn,
     State(state): State<AppState>,
+    token: MapUserTokenClaims,
     Json(request): Json<PublicNewEntityRequest>,
 ) -> Result<AppJson<PublicNewEntityResponse>, AppError> {
+    if !token.perms.can_add_entity {
+        return Err(AppError::Forbidden);
+    }
+
+    if !token.perms.can_add_comment && request.comment.is_some() {
+        return Err(AppError::Forbidden);
+    }
+
     check_captcha(state, request.hcaptcha_token).await?;
 
     let db_entity = PublicEntity::new(request.entity, &mut conn).await?;
+    let mut db_comment = None;
 
-    let mut new_comment = request.comment;
-    new_comment.entity_id = db_entity.id;
-
-    let db_comment = PublicComment::new(new_comment, &mut conn).await?;
+    if let Some(mut comment) = request.comment {
+        comment.entity_id = db_entity.id;
+        db_comment = Some(PublicComment::new(comment, &mut conn).await?);
+    }
 
     Ok(AppJson(PublicNewEntityResponse {
         entity: db_entity,
@@ -334,8 +352,19 @@ pub struct NewCommentRequest {
 async fn viewer_new_comment(
     DbConn(mut conn): DbConn,
     State(state): State<AppState>,
+    token: MapUserTokenClaims,
     Json(request): Json<NewCommentRequest>,
 ) -> Result<AppJson<PublicComment>, AppError> {
+    if !token.perms.can_add_comment {
+        return Err(AppError::Forbidden);
+    }
+
+    let target_entity = PublicEntity::get(request.comment.entity_id, &mut conn).await?;
+
+    if !is_token_allowed_for_family(&token, &target_entity.family_id) {
+        return Err(AppError::Forbidden);
+    }
+
     check_captcha(state, request.hcaptcha_token).await?;
     let db_comment = PublicComment::new(request.comment, &mut conn).await?;
     Ok(AppJson(db_comment))
@@ -371,8 +400,16 @@ async fn viewer_fetch_entity(
     Path(id): Path<Uuid>,
     Json(request): Json<FetchEntityRequest>,
 ) -> Result<AppJson<FetchedEntity>, AppError> {
+    if !token.perms.can_access_entity {
+        return Err(AppError::Forbidden);
+    }
+
     let entity = PublicEntity::get(id, &mut conn).await?;
 
+    if !is_token_allowed_for_family(&token, &entity.family_id) {
+        return Err(AppError::Forbidden);
+    }
+
     let can_read_entity = (token.perms.families_policy.allow_all
         || token
             .perms
@@ -463,7 +500,7 @@ async fn viewer_fetch_entity(
         .collect();
 
     if !can_read_entity && filtered_children.is_empty() {
-        return Err(AppError::Unauthorized);
+        return Err(AppError::Forbidden);
     }
 
     let comments = match token.perms.can_access_comments {

diff --git a/backend/src/models/access_token.rs b/backend/src/models/access_token.rs
@@ -11,7 +11,12 @@ pub struct Permissions {
     pub categories_policy: PermissionPolicy,
     pub tags_policy: PermissionPolicy,
     pub geographic_restrictions: Option<MultiPolygon>,
+
+    pub can_list_entities: bool,
+    pub can_access_entity: bool,
     pub can_access_comments: bool,
+    pub can_add_entity: bool,
+    pub can_add_comment: bool,
 }
 
 #[derive(Serialize, Deserialize, ToSchema, Clone, Debug)]

diff --git a/frontend/openapi.json b/frontend/openapi.json
@@ -4002,12 +4002,28 @@
           "families_policy",
           "categories_policy",
           "tags_policy",
-          "can_access_comments"
+          "can_list_entities",
+          "can_access_entity",
+          "can_access_comments",
+          "can_add_entity",
+          "can_add_comment"
         ],
         "properties": {
           "can_access_comments": {
             "type": "boolean"
           },
+          "can_access_entity": {
+            "type": "boolean"
+          },
+          "can_add_comment": {
+            "type": "boolean"
+          },
+          "can_add_entity": {
+            "type": "boolean"
+          },
+          "can_list_entities": {
+            "type": "boolean"
+          },
           "categories_policy": {
             "$ref": "#/components/schemas/PermissionPolicy"
           },
@@ -4201,12 +4217,16 @@
       "PublicNewEntityRequest": {
         "type": "object",
         "required": [
-          "entity",
-          "comment"
+          "entity"
         ],
         "properties": {
           "comment": {
-            "$ref": "#/components/schemas/PublicNewComment"
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/PublicNewComment"
+              }
+            ],
+            "nullable": true
           },
           "entity": {
             "$ref": "#/components/schemas/PublicNewEntity"
@@ -4220,12 +4240,16 @@
       "PublicNewEntityResponse": {
         "type": "object",
         "required": [
-          "entity",
-          "comment"
+          "entity"
         ],
         "properties": {
           "comment": {
-            "$ref": "#/components/schemas/PublicComment"
+            "allOf": [
+              {
+                "$ref": "#/components/schemas/PublicComment"
+              }
+            ],
+            "nullable": true
           },
           "entity": {
             "$ref": "#/components/schemas/PublicEntity"