mirror of
https://github.com/verdigado/organization_folders.git
synced 2024-12-06 11:22:41 +01:00
added subresources api endpoint
This commit is contained in:
parent
ab378ea223
commit
789a05c4c1
6 changed files with 95 additions and 5 deletions
|
@ -8,6 +8,7 @@ return [
|
||||||
['name' => 'resource#show', 'url' => '/resources/{resourceId}', 'verb' => 'GET'],
|
['name' => 'resource#show', 'url' => '/resources/{resourceId}', 'verb' => 'GET'],
|
||||||
['name' => 'resource#create', 'url' => '/resources/{resourceId}', 'verb' => 'POST'],
|
['name' => 'resource#create', 'url' => '/resources/{resourceId}', 'verb' => 'POST'],
|
||||||
['name' => 'resource#update', 'url' => '/resources/{resourceId}', 'verb' => 'PUT'],
|
['name' => 'resource#update', 'url' => '/resources/{resourceId}', 'verb' => 'PUT'],
|
||||||
|
['name' => 'resource#subResources', 'url' => '/resources/{resourceId}/subResources', 'verb' => 'GET'],
|
||||||
['name' => 'resource_member#index', 'url' => '/resources/{resourceId}/members', 'verb' => 'GET'],
|
['name' => 'resource_member#index', 'url' => '/resources/{resourceId}/members', 'verb' => 'GET'],
|
||||||
['name' => 'resource_member#create', 'url' => '/resources/{resourceId}/members', 'verb' => 'POST'],
|
['name' => 'resource_member#create', 'url' => '/resources/{resourceId}/members', 'verb' => 'POST'],
|
||||||
['name' => 'resource_member#update', 'url' => '/resources/members/{id}', 'verb' => 'PUT'],
|
['name' => 'resource_member#update', 'url' => '/resources/members/{id}', 'verb' => 'PUT'],
|
||||||
|
|
|
@ -9,7 +9,7 @@ use OCP\AppFramework\Controller;
|
||||||
use OCP\IRequest;
|
use OCP\IRequest;
|
||||||
|
|
||||||
class BaseController extends Controller {
|
class BaseController extends Controller {
|
||||||
private AuthorizationService $authorizationService;
|
protected AuthorizationService $authorizationService;
|
||||||
|
|
||||||
public function __construct(
|
public function __construct(
|
||||||
) {
|
) {
|
||||||
|
|
|
@ -8,6 +8,7 @@ use OCP\AppFramework\Http\Attribute\NoAdminRequired;
|
||||||
use OCA\OrganizationFolders\Db\Resource;
|
use OCA\OrganizationFolders\Db\Resource;
|
||||||
use OCA\OrganizationFolders\Service\ResourceService;
|
use OCA\OrganizationFolders\Service\ResourceService;
|
||||||
use OCA\OrganizationFolders\Service\ResourceMemberService;
|
use OCA\OrganizationFolders\Service\ResourceMemberService;
|
||||||
|
use OCA\OrganizationFolders\Service\OrganizationFolderService;
|
||||||
use OCA\OrganizationFolders\Traits\ApiObjectController;
|
use OCA\OrganizationFolders\Traits\ApiObjectController;
|
||||||
|
|
||||||
class ResourceController extends BaseController {
|
class ResourceController extends BaseController {
|
||||||
|
@ -15,10 +16,12 @@ class ResourceController extends BaseController {
|
||||||
use ApiObjectController;
|
use ApiObjectController;
|
||||||
|
|
||||||
public const MEMBERS_INCLUDE = 'members';
|
public const MEMBERS_INCLUDE = 'members';
|
||||||
|
public const SUBRESOURCES_INCLUDE = 'subresources';
|
||||||
|
|
||||||
public function __construct(
|
public function __construct(
|
||||||
private ResourceService $service,
|
private ResourceService $service,
|
||||||
private ResourceMemberService $memberService,
|
private ResourceMemberService $memberService,
|
||||||
|
private OrganizationFolderService $organizationFolderService,
|
||||||
private string $userId,
|
private string $userId,
|
||||||
) {
|
) {
|
||||||
parent::__construct();
|
parent::__construct();
|
||||||
|
@ -37,6 +40,10 @@ class ResourceController extends BaseController {
|
||||||
$result["members"] = $this->memberService->findAll($resource->getId());
|
$result["members"] = $this->memberService->findAll($resource->getId());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if($this->shouldInclude(self::SUBRESOURCES_INCLUDE, $includes)) {
|
||||||
|
$result["subresources"] = $this->getSubResources($resource->getId());
|
||||||
|
}
|
||||||
|
|
||||||
return $result;
|
return $result;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -68,16 +75,18 @@ class ResourceController extends BaseController {
|
||||||
?string $include,
|
?string $include,
|
||||||
): JSONResponse {
|
): JSONResponse {
|
||||||
return $this->handleErrors(function () use ($organizationFolderId, $type, $name, $parentResourceId, $active, $inheritManagers, $membersAclPermission, $managersAclPermission, $inheritedAclPermission, $include) {
|
return $this->handleErrors(function () use ($organizationFolderId, $type, $name, $parentResourceId, $active, $inheritManagers, $membersAclPermission, $managersAclPermission, $inheritedAclPermission, $include) {
|
||||||
|
$organizationFolder = $this->organizationFolderService->find($organizationFolderId);
|
||||||
|
|
||||||
if(!is_null($parentResourceId)) {
|
if(!is_null($parentResourceId)) {
|
||||||
$parentResource = $this->service->find($parentResourceId);
|
$parentResource = $this->service->find($parentResourceId);
|
||||||
|
|
||||||
$this->denyAccessUnlessGranted(['CREATE_SUBRESOURCE'], $parentResource);
|
$this->denyAccessUnlessGranted(['CREATE_SUBRESOURCE'], $parentResource);
|
||||||
} else {
|
} else {
|
||||||
// TODO: ask future organization folder voter
|
$this->denyAccessUnlessGranted(['CREATE_RESOURCE'], $organizationFolder);
|
||||||
}
|
}
|
||||||
|
|
||||||
$resource = $this->service->create(
|
$resource = $this->service->create(
|
||||||
organizationFolderId: $organizationFolderId,
|
organizationFolderId: $organizationFolder->getId(),
|
||||||
type: $type,
|
type: $type,
|
||||||
name: $name,
|
name: $name,
|
||||||
parentResourceId: $parentResourceId,
|
parentResourceId: $parentResourceId,
|
||||||
|
@ -126,4 +135,44 @@ class ResourceController extends BaseController {
|
||||||
return $this->getApiObjectFromEntity($resource, $include);
|
return $this->getApiObjectFromEntity($resource, $include);
|
||||||
});
|
});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
#[NoAdminRequired]
|
||||||
|
public function subResources(int $resourceId): JSONResponse {
|
||||||
|
return $this->handleNotFound(function () use ($resourceId) {
|
||||||
|
return $this->getSubResources($resourceId);
|
||||||
|
});
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function getSubResources(int $resourceId): array {
|
||||||
|
$resource = $this->service->find($resourceId);
|
||||||
|
$organizationFolder = $this->organizationFolderService->find($resource->getOrganizationFolderId());
|
||||||
|
|
||||||
|
$subresources = $this->service->getSubResources($resource);
|
||||||
|
|
||||||
|
$result = [];
|
||||||
|
|
||||||
|
if($this->authorizationService->isGranted(['MANAGE_ALL_RESOURCES'], $organizationFolder)) {
|
||||||
|
/* fastpath: access to all subresources */
|
||||||
|
$result = $subresources;
|
||||||
|
} else {
|
||||||
|
foreach($subresources as $subresource) {
|
||||||
|
// Future optimization potential 1: the following will potentially check the permissions of each of these subresources all the way up the resource tree.
|
||||||
|
// As sibling resources these subresources share the same resources above them in the tree.
|
||||||
|
// So if access to the parent resource is granted, all subresources with inheritManagers can be granted immediately.
|
||||||
|
// For all other subresources only a check if user has direct (non-inherited) manager rights is neccessary.
|
||||||
|
|
||||||
|
// Future optimization potential 2: READ permission check checks MANAGE_ALL_RESOURCES again, at this point we know this to be false, because of the fastpath.
|
||||||
|
// Could be replaced with something like a READ_DIRECT (name TBD) permission check, which does not check this again.
|
||||||
|
if($this->authorizationService->isGranted(['READ'], $resource)) {
|
||||||
|
$result[] = $subresource;
|
||||||
|
} else if($this->authorizationService->isGranted(['READ_LIMITED'], $resource)) {
|
||||||
|
$result[] = $subresource->limitedJsonSerialize();
|
||||||
|
}
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return $result;
|
||||||
|
}
|
||||||
}
|
}
|
|
@ -24,4 +24,14 @@ abstract class Resource extends Entity implements JsonSerializable, TableSeriali
|
||||||
}
|
}
|
||||||
|
|
||||||
abstract public function getType(): string;
|
abstract public function getType(): string;
|
||||||
|
|
||||||
|
public function limitedJsonSerialize(): array {
|
||||||
|
return [
|
||||||
|
'id' => $this->id,
|
||||||
|
'parentResource' => $this->parentResource,
|
||||||
|
'organizationFolderId' => $this->organizationFolderId,
|
||||||
|
'type' => $this->getType(),
|
||||||
|
'name' => $this->name,
|
||||||
|
];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
|
@ -41,6 +41,8 @@ class ResourceVoter extends Voter {
|
||||||
$resource = $subject;
|
$resource = $subject;
|
||||||
return match ($attribute) {
|
return match ($attribute) {
|
||||||
'READ' => $this->isGranted( $user, $resource),
|
'READ' => $this->isGranted( $user, $resource),
|
||||||
|
// can read limited information about the resource (true: limited read is allowed, full read may be allowed, false: limited read is not allowed, full read may be allowed (!))
|
||||||
|
'READ_LIMITED' => $this->isGrantedLimitedRead($user, $resource),
|
||||||
'UPDATE' => $this->isGranted($user, $resource),
|
'UPDATE' => $this->isGranted($user, $resource),
|
||||||
'DELETE' => $this->isGranted($user, $resource),
|
'DELETE' => $this->isGranted($user, $resource),
|
||||||
'UPDATE_MEMBERS' => $this->isGranted($user, $resource),
|
'UPDATE_MEMBERS' => $this->isGranted($user, $resource),
|
||||||
|
@ -108,6 +110,34 @@ class ResourceVoter extends Voter {
|
||||||
|| $this->isResourceManager($user, $resource, $resourceOrganizationFolder);
|
|| $this->isResourceManager($user, $resource, $resourceOrganizationFolder);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function isGrantedLimitedRead(IUser $user, Resource $resource): bool {
|
||||||
|
$subResources = $this->resourceService->getAllSubResources($resource);
|
||||||
|
|
||||||
|
foreach($subResources as $subResource) {
|
||||||
|
if($this->isManagerOfAnySubresource($user, $subResource)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
|
protected function isManagerOfAnySubresource(IUser $user, Resource $resource) {
|
||||||
|
if($this->isGranted($user, $resource)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
|
||||||
|
$subResources = $this->resourceService->getAllSubResources($resource);
|
||||||
|
|
||||||
|
foreach($subResources as $subResource) {
|
||||||
|
if($this->isManagerOfAnySubresource($user, $subResource)) {
|
||||||
|
return true;
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
return false;
|
||||||
|
}
|
||||||
|
|
||||||
private function userIsInGroup(IUser $user, string $groupId): bool {
|
private function userIsInGroup(IUser $user, string $groupId): bool {
|
||||||
return $this->groupManager->isInGroup($user->getUID(), $groupId);
|
return $this->groupManager->isInGroup($user->getUID(), $groupId);
|
||||||
}
|
}
|
||||||
|
|
|
@ -40,7 +40,7 @@ const saveInheritManagers = async (inheritManagers) => {
|
||||||
|
|
||||||
watch(() => props.resourceId, async (newResourceId) => {
|
watch(() => props.resourceId, async (newResourceId) => {
|
||||||
loading.value = true;
|
loading.value = true;
|
||||||
resource.value = await api.getResource(newResourceId, "model+members");
|
resource.value = await api.getResource(newResourceId, "model+members+subresources");
|
||||||
currentResourceName.value = resource.value.name;
|
currentResourceName.value = resource.value.name;
|
||||||
loading.value = false;
|
loading.value = false;
|
||||||
}, { immediate: true });
|
}, { immediate: true });
|
||||||
|
|
Loading…
Reference in a new issue