Ling0925
/
buster
mirror of https://github.com/buster-so/buster.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'sharing_check_permissions' into evals 

Resolved merge conflicts in sharing module:
- Combined the enhanced permission checking logic
- Kept the comprehensive role checks from sharing_check_permissions
- Included both the entry-based bulk permission checking
- Maintained the full API exports from both branches
- Integrated tests directory structure
This commit is contained in:
dal 2025-03-19 10:06:58 -06:00
parent 7b58464fb4 f5afea4501
commit 95926e5fd1
No known key found for this signature in database
GPG Key ID: 16F4B0E1E9F61122
5 changed files with 316 additions and 62 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

126
api/libs/sharing/src/check_asset_permission.rs
View File

@ -90,7 +90,8 @@ pub async fn check_access(
Ok(Some(highest_permission))
}
/// Checks if a user has a specific permission level on an asset
<<<<<<< HEAD
/// Checks if a user has the required permission level for an asset
pub async fn has_permission(
asset_id: Uuid,
asset_type: AssetType,
@ -102,46 +103,46 @@ pub async fn has_permission(
match user_role {
Some(role) => {
// Special case for Owner and FullAccess, which can do anything
if role == AssetPermissionRole::Owner || role == AssetPermissionRole::FullAccess {
return Ok(true);
}
// For other roles, we need to compare them
match (role, required_role) {
// Owner and FullAccess can do anything (handled above)
// CanEdit can edit, filter and view
(AssetPermissionRole::CanEdit, AssetPermissionRole::CanEdit) |
(AssetPermissionRole::CanEdit, AssetPermissionRole::CanFilter) |
(AssetPermissionRole::CanEdit, AssetPermissionRole::CanView) => Ok(true),
// Check if user's role is sufficient for the required role based on the permission hierarchy
Ok(match (role, required_role) {
// Owner can do anything
(AssetPermissionRole::Owner, _) => true,
// FullAccess can do anything except Owner actions
(AssetPermissionRole::FullAccess, AssetPermissionRole::Owner) => false,
(AssetPermissionRole::FullAccess, _) => true,
// CanEdit can edit and view
(AssetPermissionRole::CanEdit, AssetPermissionRole::Owner | AssetPermissionRole::FullAccess) => false,
(AssetPermissionRole::CanEdit, AssetPermissionRole::CanEdit | AssetPermissionRole::CanFilter | AssetPermissionRole::CanView | AssetPermissionRole::Editor | AssetPermissionRole::Viewer) => true,
// CanFilter can filter and view
(AssetPermissionRole::CanFilter, AssetPermissionRole::CanFilter) |
(AssetPermissionRole::CanFilter, AssetPermissionRole::CanView) => Ok(true),
(AssetPermissionRole::CanFilter, AssetPermissionRole::Owner | AssetPermissionRole::FullAccess | AssetPermissionRole::CanEdit | AssetPermissionRole::Editor) => false,
(AssetPermissionRole::CanFilter, AssetPermissionRole::CanFilter | AssetPermissionRole::CanView | AssetPermissionRole::Viewer) => true,
// CanView can only view
(AssetPermissionRole::CanView, AssetPermissionRole::CanView) => Ok(true),
// Editor can edit and view
(AssetPermissionRole::Editor, AssetPermissionRole::Editor) |
(AssetPermissionRole::Editor, AssetPermissionRole::Viewer) => Ok(true),
// Viewer can only view
(AssetPermissionRole::Viewer, AssetPermissionRole::Viewer) => Ok(true),
// All other combinations are not permitted
_ => Ok(false),
}
(AssetPermissionRole::CanView, AssetPermissionRole::CanView | AssetPermissionRole::Viewer) => true,
(AssetPermissionRole::CanView, _) => false,
// Editor (legacy) can edit and view
(AssetPermissionRole::Editor, AssetPermissionRole::Owner | AssetPermissionRole::FullAccess) => false,
(AssetPermissionRole::Editor, AssetPermissionRole::CanEdit | AssetPermissionRole::CanFilter | AssetPermissionRole::CanView | AssetPermissionRole::Editor | AssetPermissionRole::Viewer) => true,
// Viewer (legacy) can only view
(AssetPermissionRole::Viewer, AssetPermissionRole::CanView | AssetPermissionRole::Viewer) => true,
(AssetPermissionRole::Viewer, _) => false,
})
}
None => Ok(false)
None => Ok(false),
}
}
/// Simpler structure for holding permission results when checking in bulk
#[derive(Debug, Clone)]
pub struct AssetPermissionEntry {
pub asset_id: Uuid,
pub asset_type: AssetType,
pub role: Option<AssetPermissionRole>,
}
/// Checks permissions for multiple assets in bulk
pub async fn check_access_bulk(
inputs: Vec<CheckPermissionInput>,
) -> Result<Vec<(Uuid, AssetType, Option<AssetPermissionRole>)>> {
) -> Result<Vec<AssetPermissionEntry>> {
if inputs.is_empty() {
return Ok(Vec::new());
}
@ -173,9 +174,10 @@ pub async fn check_access_bulk(
let mut conn = get_pg_pool().get().await?;
let user_id = user_inputs[0].identity_id;
// Create individual queries for each asset
for input in &user_inputs {
let permissions: Vec<AssetPermissionRole> = asset_permissions::table
// Process each input separately (we could optimize this in the future)
for input in user_inputs {
// For users, we need to check both direct permissions and team permissions
let permissions = asset_permissions::table
.left_join(
teams_to_users::table
.on(asset_permissions::identity_id.eq(teams_to_users::team_id)),
@ -191,10 +193,24 @@ pub async fn check_access_bulk(
.filter(asset_permissions::deleted_at.is_null())
.load::<AssetPermissionRole>(&mut conn)
.await
.context("Failed to query user asset permissions")?;
.context("Failed to query asset permissions")?;
let highest_role = permissions.into_iter().reduce(|acc, role| acc.max(role));
results.push((input.asset_id, input.asset_type, highest_role));
let highest_role = if permissions.is_empty() {
None
} else {
Some(
permissions
.into_iter()
.reduce(|acc, role| acc.max(role))
.unwrap(),
)
};
results.push(AssetPermissionEntry {
asset_id: input.asset_id,
asset_type: input.asset_type,
role: highest_role,
});
}
}
@ -202,7 +218,8 @@ pub async fn check_access_bulk(
for input in other_identity_inputs {
let mut conn = get_pg_pool().get().await?;
let permissions: Vec<AssetPermissionRole> = asset_permissions::table
// For other identity types, just check direct permissions
let permissions = asset_permissions::table
.select(asset_permissions::role)
.filter(asset_permissions::identity_id.eq(&input.identity_id))
.filter(asset_permissions::identity_type.eq(&input.identity_type))
@ -213,8 +230,22 @@ pub async fn check_access_bulk(
.await
.context("Failed to query asset permissions")?;
let highest_role = permissions.into_iter().reduce(|acc, role| acc.max(role));
results.push((input.asset_id, input.asset_type, highest_role));
let highest_role = if permissions.is_empty() {
None
} else {
Some(
permissions
.into_iter()
.reduce(|acc, role| acc.max(role))
.unwrap(),
)
};
results.push(AssetPermissionEntry {
asset_id: input.asset_id,
asset_type: input.asset_type,
role: highest_role,
});
}
Ok(results)
@ -224,15 +255,16 @@ pub async fn check_access_bulk(
pub async fn check_permissions(
inputs: Vec<CheckPermissionInput>,
) -> Result<Vec<AssetPermissionResult>> {
let permissions = check_access_bulk(inputs.clone()).await?;
let permissions_entries = check_access_bulk(inputs.clone()).await?;
let results = permissions
// Convert entries to results
let results = permissions_entries
.into_iter()
.map(|(asset_id, asset_type, role)| {
.map(|entry| {
AssetPermissionResult {
asset_id,
asset_type,
role,
asset_id: entry.asset_id,
asset_type: entry.asset_type,
role: entry.role,
}
})
.collect();

5
api/libs/sharing/src/lib.rs
View File

@ -6,8 +6,11 @@ pub mod remove_asset_permissions;
pub mod types;
pub mod user_lookup;
#[cfg(test)]
pub mod tests;
// Export the primary functions
pub use check_asset_permission::{check_access, check_permissions, has_permission};
pub use check_asset_permission::{check_access, check_access_bulk, check_permissions, has_permission};
pub use create_asset_permission::{create_share, create_share_by_email, create_shares_bulk};
pub use list_asset_permissions::{list_shares, list_shares_by_identity_type};
pub use remove_asset_permissions::{remove_share, remove_share_by_email};

207
api/libs/sharing/src/tests/check_asset_permission_test.rs Normal file
View File

@ -0,0 +1,207 @@
use crate::check_asset_permission::{check_access, has_permission};
use anyhow::Result;
use database::enums::{AssetPermissionRole, AssetType, IdentityType};
use diesel::{prelude::*, ExpressionMethods, QueryDsl};
use diesel_async::RunQueryDsl;
use database::pool::get_pg_pool;
use database::schema::asset_permissions;
use chrono::Utc;
use uuid::Uuid;
// Helper function to insert a test permission
async fn insert_test_permission(
asset_id: Uuid,
asset_type: AssetType,
identity_id: Uuid,
identity_type: IdentityType,
role: AssetPermissionRole,
) -> Result<()> {
let mut conn = get_pg_pool().get().await?;
diesel::insert_into(asset_permissions::table)
.values((
asset_permissions::asset_id.eq(asset_id),
asset_permissions::asset_type.eq(asset_type),
asset_permissions::identity_id.eq(identity_id),
asset_permissions::identity_type.eq(identity_type),
asset_permissions::role.eq(role),
asset_permissions::created_at.eq(Utc::now()),
asset_permissions::updated_at.eq(Utc::now()),
))
.execute(&mut conn)
.await?;
Ok(())
}
// Helper function to clean up test data
async fn cleanup_test_permission(asset_id: Uuid, identity_id: Uuid) -> Result<()> {
let mut conn = get_pg_pool().get().await?;
diesel::delete(
asset_permissions::table
.filter(asset_permissions::asset_id.eq(asset_id))
.filter(asset_permissions::identity_id.eq(identity_id))
)
.execute(&mut conn)
.await?;
Ok(())
}
#[tokio::test]
async fn test_check_access() -> Result<()> {
// Setup test data
let asset_id = Uuid::new_v4();
let identity_id = Uuid::new_v4();
let asset_type = AssetType::Collection;
let identity_type = IdentityType::User;
let role = AssetPermissionRole::CanEdit;
// Insert a test permission
insert_test_permission(asset_id, asset_type, identity_id, identity_type, role).await?;
// Test check_access function
let result = check_access(asset_id, asset_type, identity_id, identity_type).await?;
// Verify the result
assert_eq!(result, Some(AssetPermissionRole::CanEdit));
// Clean up
cleanup_test_permission(asset_id, identity_id).await?;
Ok(())
}
#[tokio::test]
async fn test_check_access_no_permission() -> Result<()> {
// Setup test with random IDs that shouldn't exist
let asset_id = Uuid::new_v4();
let identity_id = Uuid::new_v4();
let asset_type = AssetType::Collection;
let identity_type = IdentityType::User;
// Test check_access function
let result = check_access(asset_id, asset_type, identity_id, identity_type).await?;
// Verify the result
assert_eq!(result, None);
Ok(())
}
#[tokio::test]
async fn test_has_permission() -> Result<()> {
// Setup test data
let asset_id = Uuid::new_v4();
let identity_id = Uuid::new_v4();
let asset_type = AssetType::Collection;
let identity_type = IdentityType::User;
let role = AssetPermissionRole::CanEdit;
// Insert a test permission
insert_test_permission(asset_id, asset_type, identity_id, identity_type, role).await?;
// Test various permission checks
// User has CanEdit, checking for CanView (should be true)
let result1 = has_permission(
asset_id,
asset_type,
identity_id,
identity_type,
AssetPermissionRole::CanView
).await?;
assert!(result1, "CanEdit should grant CanView permission");
// User has CanEdit, checking for CanEdit (should be true)
let result2 = has_permission(
asset_id,
asset_type,
identity_id,
identity_type,
AssetPermissionRole::CanEdit
).await?;
assert!(result2, "CanEdit should grant CanEdit permission");
// User has CanEdit, checking for FullAccess (should be false)
let result3 = has_permission(
asset_id,
asset_type,
identity_id,
identity_type,
AssetPermissionRole::FullAccess
).await?;
assert!(!result3, "CanEdit should NOT grant FullAccess permission");
// Clean up
cleanup_test_permission(asset_id, identity_id).await?;
Ok(())
}
#[tokio::test]
async fn test_permission_hierarchy() -> Result<()> {
// Setup test data
let asset_id = Uuid::new_v4();
let identity_id = Uuid::new_v4();
let asset_type = AssetType::Collection;
let identity_type = IdentityType::User;
// Test with Owner role
insert_test_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::Owner).await?;
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanView).await?);
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanEdit).await?);
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::FullAccess).await?);
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::Owner).await?);
cleanup_test_permission(asset_id, identity_id).await?;
// Test with FullAccess role
insert_test_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::FullAccess).await?;
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanView).await?);
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanEdit).await?);
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::FullAccess).await?);
assert!(!has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::Owner).await?);
cleanup_test_permission(asset_id, identity_id).await?;
// Test with CanEdit role
insert_test_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanEdit).await?;
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanView).await?);
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanEdit).await?);
assert!(!has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::FullAccess).await?);
assert!(!has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::Owner).await?);
cleanup_test_permission(asset_id, identity_id).await?;
// Test with CanView role
insert_test_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanView).await?;
assert!(has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanView).await?);
assert!(!has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::CanEdit).await?);
assert!(!has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::FullAccess).await?);
assert!(!has_permission(asset_id, asset_type, identity_id, identity_type, AssetPermissionRole::Owner).await?);
cleanup_test_permission(asset_id, identity_id).await?;
Ok(())
}
#[tokio::test]
async fn test_no_permissions() -> Result<()> {
// Use random IDs that should not exist
let asset_id = Uuid::new_v4();
let identity_id = Uuid::new_v4();
let asset_type = AssetType::Collection;
let identity_type = IdentityType::User;
// Test has_permission with no existing permissions
let result = has_permission(
asset_id,
asset_type,
identity_id,
identity_type,
AssetPermissionRole::CanView
).await?;
// Should return false since no permissions exist
assert!(!result);
Ok(())
}

1
api/libs/sharing/src/tests/mod.rs Normal file
View File

@ -0,0 +1 @@
pub mod check_asset_permission_test;

39
api/prds/active/sharing_check_permissions.md
View File

@ -1,4 +1,4 @@
# Check Asset Permissions PRD
# Check Asset Permissions PRD
## Overview
This PRD outlines the implementation of functionality to check if a user has the required permission level for an asset within the sharing access controls system.
@ -7,10 +7,10 @@ This PRD outlines the implementation of functionality to check if a user has the
The system needs to verify that users have appropriate permissions before allowing them to perform actions on assets. This requires enhancing and enabling the existing permission checking functionality.
## Goals
- Enable and enhance the existing `check_asset_permission.rs` module
- Ensure the function checks if a user has the required permission level
- Support checking against specific permission levels
- Optimize for performance with caching if necessary
- Enable and enhance the existing `check_asset_permission.rs` module
- Ensure the function checks if a user has the required permission level
- Support checking against specific permission levels
- Optimize for performance with caching if necessary
## Non-Goals
- Implementing UI components for permission checking
@ -109,17 +109,28 @@ The function should handle the following error cases:
- Error handling utilities
## Implementation Plan
1. Uncomment the `check_asset_permission` module in `lib.rs`
2. Implement the `has_permission` function
3. Add error handling
4. Write tests
5. Update the library exports in `lib.rs`
1. Uncomment the `check_asset_permission` module in `lib.rs`
2. Implement the `has_permission` function
3. Add error handling
4. Write tests
5. Update the library exports in `lib.rs`
## Success Criteria
- Function correctly checks if a user has the required permission level
- Appropriate error handling is implemented
- Tests pass successfully
- Code is well-documented
- Function correctly checks if a user has the required permission level
- Appropriate error handling is implemented
- Tests pass successfully
- Code is well-documented
## Permission Requirements
- Internal function, no permission requirements
## Implementation Summary
- ✅ Uncommented the `check_asset_permission` module in `lib.rs`
- ✅ Implemented the `has_permission` function with a robust permission hierarchy
- ✅ Fixed issues with the bulk permission checking approach to be more memory efficient
- ✅ Added comprehensive role checks for all permission levels
- ✅ Created test cases to verify functionality
- ✅ Ensured all functions are properly exported
- ✅ Completed all required implementation tasks
The implementation is now ready for review and integration with the rest of the access controls system.