Ling0925
/
buster
mirror of https://github.com/buster-so/buster.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

feat: Enhance user authorization checks and refactor related functions 

- Added user authorization checks in `list_attributes`, `list_dataset_groups`, `list_datasets`, `list_permission_groups`, and `list_teams` functions to ensure only users with appropriate roles can access these resources.
- Refactored the `list_teams_handler` to accept `user_id` as a parameter, improving clarity and consistency across user-related functions.
- Updated SQL queries to utilize the new authorization checks, enhancing security and data integrity.
- Removed redundant column allowances in `list_teams` permissions, streamlining the codebase.
This commit is contained in:
dal 2025-01-20 16:29:46 -07:00
parent 094be8a3f1
commit 31473f8d55
No known key found for this signature in database
GPG Key ID: 16F4B0E1E9F61122
7 changed files with 75 additions and 40 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

5
api/src/database/models.rs
View File

@ -11,6 +11,11 @@ allow_columns_to_appear_in_same_group_by_clause!(
dataset_groups::name,
dataset_permissions::id,
dataset_groups_permissions::id,
teams::id,
teams::name,
permission_groups_to_identities::permission_group_id,
teams_to_users::user_id,
teams_to_users::role
);
#[derive(Queryable, Insertable, Identifiable, Associations, Debug)]

18
api/src/routes/rest/routes/users/assets/list_attributes.rs
View File

@ -12,6 +12,7 @@ use crate::database::lib::get_pg_pool;
use crate::database::models::User;
use crate::database::schema::{users, users_to_organizations};
use crate::routes::rest::ApiResponse;
use crate::utils::security::checks::is_user_workspace_admin_or_data_admin;
use crate::utils::user::user_info::get_user_organization_id;
#[derive(Debug, Serialize)]
@ -42,14 +43,13 @@ pub async fn list_attributes(
async fn list_attributes_handler(user: User, user_id: Uuid) -> Result<Vec<AttributeInfo>> {
let mut conn = get_pg_pool().get().await?;
let user_orgnazation_id = match get_user_organization_id(&user_id).await {
Ok(id) => id,
Err(e) => {
tracing::error!("Error getting user organization id: {:?}", e);
return Err(anyhow::anyhow!("Error getting user organization id"));
}
};
let organization_id = get_user_organization_id(&user_id).await?;
if !is_user_workspace_admin_or_data_admin(&user, &organization_id).await? {
return Err(anyhow::anyhow!(
"User is not authorized to list dataset groups"
));
}
let auth_user_orgnazation_id = match user.attributes.get("organization_id") {
Some(Value::String(id)) => Uuid::parse_str(id).unwrap(),
Some(_) => return Err(anyhow::anyhow!("User organization id not found")),
@ -66,14 +66,14 @@ async fn list_attributes_handler(user: User, user_id: Uuid) -> Result<Vec<Attrib
return Err(anyhow::anyhow!("User is not authorized to list attributes"));
};
if auth_user_orgnazation_id != user_orgnazation_id {
if auth_user_orgnazation_id != organization_id {
return Err(anyhow::anyhow!("User is not authorized to list attributes"));
}
let user_attributes = match users::table
.filter(users::id.eq(user_id))
.inner_join(users_to_organizations::table.on(users::id.eq(users_to_organizations::user_id)))
.filter(users_to_organizations::organization_id.eq(user_orgnazation_id))
.filter(users_to_organizations::organization_id.eq(organization_id))
.select(users::attributes)
.first::<Value>(&mut *conn)
.await

11
api/src/routes/rest/routes/users/assets/list_dataset_groups.rs
View File

@ -11,6 +11,7 @@ use crate::database::lib::get_pg_pool;
use crate::database::models::User;
use crate::database::schema::{dataset_groups, dataset_groups_permissions, dataset_permissions};
use crate::routes::rest::ApiResponse;
use crate::utils::security::checks::is_user_workspace_admin_or_data_admin;
use crate::utils::user::user_info::get_user_organization_id;
#[derive(Debug, Serialize)]
@ -39,16 +40,20 @@ pub async fn list_dataset_groups(
Ok(ApiResponse::JsonData(dataset_groups))
}
async fn list_dataset_groups_handler(user: User, id: Uuid) -> Result<Vec<DatasetGroupInfo>> {
async fn list_dataset_groups_handler(user: User, user_id: Uuid) -> Result<Vec<DatasetGroupInfo>> {
let mut conn = get_pg_pool().get().await?;
let organization_id = get_user_organization_id(&user.id).await?;
let organization_id = get_user_organization_id(&user_id).await?;
if !is_user_workspace_admin_or_data_admin(&user, &organization_id).await? {
return Err(anyhow::anyhow!("User is not authorized to list dataset groups"));
}
let groups = dataset_groups::table
.left_join(
dataset_groups_permissions::table.on(dataset_groups_permissions::dataset_group_id
.eq(dataset_groups::id)
.and(dataset_groups_permissions::permission_type.eq("user"))
.and(dataset_groups_permissions::permission_id.eq(id))
.and(dataset_groups_permissions::permission_id.eq(user_id))
.and(dataset_groups_permissions::deleted_at.is_null())),
)
.left_join(

7
api/src/routes/rest/routes/users/assets/list_datasets.rs
View File

@ -11,6 +11,7 @@ use crate::database::lib::get_pg_pool;
use crate::database::models::User;
use crate::database::schema::{dataset_permissions, datasets};
use crate::routes::rest::ApiResponse;
use crate::utils::security::checks::is_user_workspace_admin_or_data_admin;
use crate::utils::user::user_info::get_user_organization_id;
#[derive(Debug, Serialize)]
@ -37,7 +38,11 @@ pub async fn list_datasets(
async fn list_datasets_handler(user: User, user_id: Uuid) -> Result<Vec<DatasetInfo>> {
let mut conn = get_pg_pool().get().await?;
let organization_id = get_user_organization_id(&user.id).await?;
let organization_id = get_user_organization_id(&user_id).await?;
if !is_user_workspace_admin_or_data_admin(&user, &organization_id).await? {
return Err(anyhow::anyhow!("User is not authorized to list datasets"));
}
let datasets = match datasets::table
.left_join(

5
api/src/routes/rest/routes/users/assets/list_permission_groups.rs
View File

@ -11,6 +11,7 @@ use crate::database::lib::get_pg_pool;
use crate::database::models::{PermissionGroup, User};
use crate::database::schema::permission_groups;
use crate::routes::rest::ApiResponse;
use crate::utils::security::checks::is_user_workspace_admin_or_data_admin;
use crate::utils::user::user_info::get_user_organization_id;
#[derive(Debug, Serialize)]
@ -43,6 +44,10 @@ async fn list_permission_groups_handler(user: User) -> Result<Vec<PermissionGrou
let mut conn = get_pg_pool().get().await?;
let organization_id = get_user_organization_id(&user.id).await?;
if !is_user_workspace_admin_or_data_admin(&user, &organization_id).await? {
return Err(anyhow::anyhow!("User is not authorized to list permission groups"));
}
let groups: Vec<PermissionGroup> = permission_groups::table
.filter(permission_groups::organization_id.eq(organization_id))
.filter(permission_groups::deleted_at.is_null())

61
api/src/routes/rest/routes/users/assets/list_teams.rs
View File

@ -1,31 +1,32 @@
use anyhow::Result;
use axum::extract::Path;
use axum::http::StatusCode;
use axum::Extension;
use chrono::{DateTime, Utc};
use diesel::prelude::*;
use diesel_async::RunQueryDsl;
use serde::Serialize;
use uuid::Uuid;
use crate::database::lib::get_pg_pool;
use crate::database::models::{Team, User};
use crate::database::schema::teams;
use crate::database::models::User;
use crate::database::schema::{teams, teams_to_users};
use crate::routes::rest::ApiResponse;
use crate::utils::security::checks::is_user_workspace_admin_or_data_admin;
use crate::utils::user::user_info::get_user_organization_id;
#[derive(Debug, Serialize)]
pub struct TeamInfo {
pub id: Uuid,
pub name: String,
pub organization_id: Uuid,
pub created_at: DateTime<Utc>,
pub updated_at: DateTime<Utc>,
pub user_count: i64,
pub assigned: bool,
}
pub async fn list_teams(
Extension(user): Extension<User>,
Path(id): Path<Uuid>,
) -> Result<ApiResponse<Vec<TeamInfo>>, (StatusCode, &'static str)> {
let teams = match list_teams_handler(user).await {
let teams = match list_teams_handler(user, id).await {
Ok(teams) => teams,
Err(e) => {
tracing::error!("Error listing teams: {:?}", e);
@ -36,26 +37,48 @@ pub async fn list_teams(
Ok(ApiResponse::JsonData(teams))
}
async fn list_teams_handler(user: User) -> Result<Vec<TeamInfo>> {
async fn list_teams_handler(user: User, user_id: Uuid) -> Result<Vec<TeamInfo>> {
let mut conn = get_pg_pool().get().await?;
let organization_id = get_user_organization_id(&user.id).await?;
let organization_id = get_user_organization_id(&user_id).await?;
let teams: Vec<Team> = teams::table
if !is_user_workspace_admin_or_data_admin(&user, &organization_id).await? {
return Err(anyhow::anyhow!("User is not authorized to list teams"));
}
let teams = match teams::table
.left_join(
teams_to_users::table.on(teams::id
.eq(teams_to_users::team_id)
.and(teams_to_users::deleted_at.is_null())
.and(teams_to_users::user_id.eq(user_id))),
)
.select((
teams::id,
teams::name,
diesel::dsl::sql::<diesel::sql_types::BigInt>("COALESCE(count(teams_to_users.user_id), 0)"),
diesel::dsl::sql::<diesel::sql_types::Bool>("teams_to_users.user_id IS NOT NULL"),
))
.group_by((teams::id, teams::name, teams_to_users::user_id))
.filter(teams::organization_id.eq(organization_id))
.filter(teams::deleted_at.is_null())
.order_by(teams::created_at.desc())
.load(&mut *conn)
.await?;
.load::<(Uuid, String, i64, bool)>(&mut *conn)
.await
{
Ok(teams) => teams,
Err(e) => {
tracing::error!("Error listing teams: {:?}", e);
return Err(anyhow::anyhow!("Error listing teams"));
}
};
Ok(teams
.into_iter()
.map(|team| TeamInfo {
id: team.id,
name: team.name,
organization_id: team.organization_id,
created_at: team.created_at,
updated_at: team.updated_at,
.map(|(id, name, count, assigned)| TeamInfo {
id,
name,
user_count: count,
assigned,
})
.collect())
}

8
api/src/routes/ws/permissions/list_teams.rs
View File

@ -51,14 +51,6 @@ pub struct TeamPermissionInfo {
pub team_role: Option<TeamToUserRole>,
}
allow_columns_to_appear_in_same_group_by_clause!(
teams::id,
teams::name,
permission_groups_to_identities::permission_group_id,
teams_to_users::user_id,
teams_to_users::role,
);
pub async fn list_teams(user: &User, req: ListTeamPermissionsRequest) -> Result<()> {
let page = req.page.unwrap_or(0);
let page_size = req.page_size.unwrap_or(25);