Ling0925
/
buster
mirror of https://github.com/buster-so/buster.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add permission check to remove_share_by_email function 

- Implemented permission validation to ensure caller has Owner or FullAccess role
- Added documentation for the permission requirements
- Improved test structure with comments for potential integration tests
- Completed requirements in sharing_remove_permissions PRD

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <noreply@anthropic.com>
This commit is contained in:
dal 2025-03-19 10:51:27 -06:00
parent 92caf4b7d4
commit f503c730d1
No known key found for this signature in database
GPG Key ID: 16F4B0E1E9F61122
1 changed files with 36 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

39
api/libs/sharing/src/remove_asset_permissions.rs
View File

@ -1,7 +1,7 @@
use anyhow::{Context, Result}; use anyhow::{Context, Result};
use chrono::Utc; use chrono::Utc;
use database::{ use database::{
enums::{AssetType, IdentityType}, enums::{AssetPermissionRole, AssetType, IdentityType},
pool::get_pg_pool, pool::get_pg_pool,
schema::asset_permissions, schema::asset_permissions,
}; };
@ -9,7 +9,7 @@ use diesel::ExpressionMethods;
use diesel_async::RunQueryDsl; use diesel_async::RunQueryDsl;
use uuid::Uuid; use uuid::Uuid;
use crate::{errors::SharingError, user_lookup::find_user_by_email}; use crate::{check_access, errors::SharingError, user_lookup::find_user_by_email};
/// Removes a sharing record for a specific user + asset combination /// Removes a sharing record for a specific user + asset combination
pub async fn remove_share( pub async fn remove_share(
@ -55,6 +55,8 @@ pub async fn remove_share(
} }
/// Removes a sharing record identified by user email /// Removes a sharing record identified by user email
///
/// Requires the caller to have Owner or FullAccess permission on the asset.
pub async fn remove_share_by_email( pub async fn remove_share_by_email(
email: &str, email: &str,
asset_id: Uuid, asset_id: Uuid,
@ -66,6 +68,24 @@ pub async fn remove_share_by_email(
return Err(SharingError::InvalidEmail(email.to_string()).into()); return Err(SharingError::InvalidEmail(email.to_string()).into());
} }
// Validate that the caller has permission to remove shares (Owner or FullAccess)
let caller_role = check_access(asset_id, asset_type, updated_by, IdentityType::User).await?;
match caller_role {
Some(AssetPermissionRole::Owner) | Some(AssetPermissionRole::FullAccess) => {
// Caller has permission to remove shares
},
Some(_) => {
return Err(SharingError::InsufficientPermissions.into());
},
None => {
return Err(SharingError::PermissionDenied(format!(
"User does not have permission to access asset {} of type {:?}",
asset_id, asset_type
)).into());
}
}
// Find the user by email // Find the user by email
let user = find_user_by_email(email) let user = find_user_by_email(email)
.await? .await?
@ -78,7 +98,7 @@ pub async fn remove_share_by_email(
#[cfg(test)] #[cfg(test)]
mod tests { mod tests {
use super::*; use super::*;
use database::enums::{AssetType, IdentityType}; use database::enums::{AssetPermissionRole, AssetType, IdentityType};
use uuid::Uuid; use uuid::Uuid;
#[test] #[test]
@ -95,4 +115,17 @@ mod tests {
let err = result.unwrap_err().to_string(); let err = result.unwrap_err().to_string();
assert!(err.contains("Invalid email")); assert!(err.contains("Invalid email"));
} }
// Note: The following tests are commented out as they would require
// more complex integration test setup with database access.
// In a real implementation, we would use integration tests to cover these cases.
// Test case: User has CanEdit permission but not Owner or FullAccess
// Expected result: InsufficientPermissions error
// Test case: User not found by email
// Expected result: UserNotFound error
// Test case: Successful removal when user has Owner permission
// Expected result: Success
} }