Add 'dis_grant' command

2023-01-05 12:55:28 +01:00 · 2023-01-05 12:55:28 +01:00 · 8b55fd74f9
commit 8b55fd74f9
parent 6bf6d3a8f5
10 changed files with 161 additions and 18 deletions
--- a/internal/dis/component/auth/permission.go
+++ b/internal/dis/component/auth/permission.go
@ -48,6 +48,24 @@ func (g grantDeny) Denied() string {
 	return string(g)
 }

+// AllPermissions returns a new permission that checks if all the given permissions are set
+func AllPermissions(clauses ...Permission) Permission {
+	return func(user *AuthUser, r *http.Request) (ok Grant, err error) {
+		for _, clause := range clauses {
+			perm, err := clause.Permit(user, r)
+			if err != nil {
+				return perm, err
+			}
+			if !perm.Granted() {
+				return perm, nil
+			}
+		}
+
+		// everything was fine
+		return grantAllow{}, nil
+	}
+}
+
 var errPermissionPanic = errors.New("permission: panic()")

 // Permit checks if the given user has this permission.
--- a/internal/dis/component/auth/policy/grants.go
+++ b/internal/dis/component/auth/policy/grants.go
@ -15,10 +15,21 @@ var (

 // Set sets a specific grant, overwriting a previous grant (if any)
 func (policy *Policy) Set(ctx context.Context, grant models.Grant) error {
-	if grant.User == "" || grant.Slug == "" || grant.DrupalUsername == "" {
+	if grant.DrupalUsername == "" {
+		grant.DrupalUsername = grant.User
+	}
+	if grant.User == "" || grant.Slug == "" {
 		return ErrInvalid
 	}

+	// check that the referenced user exists!
+	{
+		_, err := policy.Dependencies.Auth.User(ctx, grant.User)
+		if err != nil {
+			return err
+		}
+	}
+
 	// get the table
 	table, err := policy.table(ctx)
 	if err != nil {
@ -27,8 +38,7 @@ func (policy *Policy) Set(ctx context.Context, grant models.Grant) error {

 	// and create or update the given user / slug combination
 	return table.Clauses(clause.OnConflict{
-		Columns:   []clause.Column{{Name: "user"}, {Name: "slug"}},
-		DoUpdates: clause.AssignmentColumns([]string{"drupal_user", "admin"}),
+		UpdateAll: true,
 	}).Create(&grant).Error
 }

--- a/internal/dis/component/auth/policy/policy.go
+++ b/internal/dis/component/auth/policy/policy.go
@ -4,6 +4,7 @@ import (
 	"context"

 	"github.com/FAU-CDI/wisski-distillery/internal/dis/component"
+	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/auth"
 	"github.com/FAU-CDI/wisski-distillery/internal/dis/component/sql"
 	"github.com/FAU-CDI/wisski-distillery/internal/models"
 	"gorm.io/gorm"
@ -13,7 +14,8 @@ type Policy struct {
 	component.Base

 	Dependencies struct {
-		SQL *sql.SQL
+		SQL  *sql.SQL
+		Auth *auth.Auth
 	}
 }

--- a/internal/dis/component/auth/protect.go
+++ b/internal/dis/component/auth/protect.go
@ -74,5 +74,10 @@ func (auth *Auth) Protect(handler http.Handler, perm Permission) http.Handler {

 // Admin represents a permission that checks if a user is an administrator and has totp enabled.
 var Admin Permission = func(user *AuthUser, r *http.Request) (ok Grant, err error) {
-	return Bool2Grant(user != nil && user.IsAdmin() && user.IsTOTPEnabled(), "user needs to have admin permissions and TOTP enabled"), nil
+	return Bool2Grant(user != nil && user.IsAdmin() && user.IsTOTPEnabled(), "user needs to have admin permissions and passcode enabled"), nil
+}
+
+// User represents a permission that checks if a user has totp enabled.
+var User Permission = func(user *AuthUser, r *http.Request) (ok Grant, err error) {
+	return Bool2Grant(user != nil && user.IsEnabled() && user.IsTOTPEnabled(), "user needs to have passcode enabled"), nil
 }
--- a/internal/dis/component/auth/templates/user.html
+++ b/internal/dis/component/auth/templates/user.html
@ -13,23 +13,26 @@
 {{ define "content" }}
 <div class="pure-u-1">
    <p>
-        {{ if .User.IsAdmin }}
-        You are an administrator.
-        {{ else }}
-        You are a regular user.
-        {{ end }}
-        {{ if .User.IsTOTPEnabled }}
-        You have TOTP enabled.
-        {{ else }}
-        You do not have TOTP enabled.
-        {{ end }}
+        <ul>
+            {{ if .User.IsAdmin }}
+                <li>Role: <b>Administrator</b></li>
+            {{ else }}
+                <li>Role: <b>Regular User</b></li>
+            {{ end }}
+
+            {{ if .User.IsTOTPEnabled }}
+                <li>Passcode Enabled: <b>true</b></li>
+            {{ else }}
+                <li>Passcode Enabled: <b>false</b> <small>(some actions are disabled)</small></li>
+            {{ end }}
+        </ul>
    </p>
    <div class="pure-button-group" role="group" role="Actions">
        <a class="pure-button" href="/user/password/">Change Password</a>
        {{ if .User.IsTOTPEnabled }}
-        <a class="pure-button" href="/user/totp/disable/">Disable TOTP</a>
+            <a class="pure-button" href="/user/totp/disable/">Disable Passcode (TOTP)</a>
        {{ else }}
-        <a class="pure-button" href="/user/totp/enable/">Enable TOTP</a>
+            <a class="pure-button" href="/user/totp/enable/">Enable Passcode (TOTP)</a>
        {{ end }}
    </div>
    <hr />