S2S: Relax role requirements for adding-resource-to-team

- Factory.Add now requires write instead of admin
- Group.Add.Resource now allows any role, not necessarily admin
Pere Lev 2024-08-07 18:06:06 +03:00
parent a418e21ee2
commit d52eacd2a3
No known key found for this signature in database
GPG key ID: 5252C5C863E5E57D
2 changed files with 35 additions and 23 deletions


@ -643,8 +643,8 @@ factoryAdd now factoryID (Verse authorIdMsig body) add = do
let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig
(object, target, role) <- parseAdd author add (object, target, role) <- parseAdd author add
unless (role == AP.RoleAdmin) $ unless (role == AP.RoleWrite) $
throwE "Add role isn't admin" throwE "Add role isn't write"
case (target, object) of case (target, object) of
(Left (ATFactoryTeams j), _) | j == factoryID -> (Left (ATFactoryTeams j), _) | j == factoryID ->
addTeamActive object addTeamActive object
@ -796,7 +796,7 @@ factoryAdd now factoryID (Verse authorIdMsig body) add = do
where where
insertSquad resourceID topicDB addDB acceptID = do insertSquad resourceID topicDB addDB acceptID = do
squadID <- insert $ Squad AP.RoleAdmin resourceID squadID <- insert $ Squad AP.RoleWrite resourceID
case topicDB of case topicDB of
Left (Entity g _) -> insert_ $ SquadTopicLocal squadID g Left (Entity g _) -> insert_ $ SquadTopicLocal squadID g
Right a -> insert_ $ SquadTopicRemote squadID a Right a -> insert_ $ SquadTopicRemote squadID a
@ -910,7 +910,7 @@ factoryAdd now factoryID (Verse authorIdMsig body) add = do
where where
insertSquad resourceID topicDB addDB = do insertSquad resourceID topicDB addDB = do
squadID <- insert $ Squad AP.RoleAdmin resourceID squadID <- insert $ Squad AP.RoleWrite resourceID
case topicDB of case topicDB of
Left (Entity g _) -> insert_ $ SquadTopicLocal squadID g Left (Entity g _) -> insert_ $ SquadTopicLocal squadID g
Right a -> insert_ $ SquadTopicRemote squadID a Right a -> insert_ $ SquadTopicRemote squadID a
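Review bot: The role written into the Squad row at both `insertSquad` sites is the literal `AP.RoleWrite`, duplicated from the equality check near the top of `factoryAdd` rather than derived from the `role` that `parseAdd` returned and that check validated. If one of the three literals is later edited without the others, the handler would accept one role and persist another; threading `role` down into `insertSquad` (as the companion Group.Add change does for `Effort`) or binding it once, e.g. `let requiredRole = AP.RoleWrite`, removes that drift. The check now also rejects an explicit `RoleAdmin`, which the old code was the only thing it accepted, so if that is intended a comment at the check would help, e.g. `-- Teams are attached to a factory with write access only; an Add carrying admin is rejected on purpose.`. `factoryAdd` begins before this section and `insertSquad` sits inside nested `where` clauses whose enclosing definitions are not visible here.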


@ -169,23 +169,23 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig let author = bimap (view _1) (remoteAuthorURI . view _1) authorIdMsig
(object, target, role) <- parseAdd author add (object, target, role) <- parseAdd author add
unless (role == AP.RoleAdmin) $ --unless (role == AP.RoleAdmin) $
throwE "Add role isn't admin" -- throwE "Add role isn't admin"
case (target, object) of case (target, object) of
(Left (ATGroupChildren j), _) | j == groupID -> (Left (ATGroupChildren j), _) | j == groupID ->
addChildActive object addChildActive role object
(Left (ATGroupParents j), _) | j == groupID -> (Left (ATGroupParents j), _) | j == groupID ->
addParentActive object addParentActive role object
(Left (ATGroupEfforts j), _) | j == groupID -> (Left (ATGroupEfforts j), _) | j == groupID ->
addResourceActive object addResourceActive role object
(_, Left (LocalActorGroup j)) | j == groupID -> (_, Left (LocalActorGroup j)) | j == groupID ->
case target of case target of
Left (ATGroupParents j) | j /= groupID -> Left (ATGroupParents j) | j /= groupID ->
addChildPassive $ Left j addChildPassive role $ Left j
Left (ATGroupChildren j) | j /= groupID -> Left (ATGroupChildren j) | j /= groupID ->
addParentPassive $ Left j addParentPassive role $ Left j
Left at | isJust $ addTargetResourceTeams at -> Left at | isJust $ addTargetResourceTeams at ->
addResourcePassive $ Left $ fromJust $ addTargetResourceTeams at addResourcePassive role $ Left $ fromJust $ addTargetResourceTeams at
Right (ObjURI h luColl) -> do Right (ObjURI h luColl) -> do
-- NOTE this is HTTP GET done synchronously in the activity -- NOTE this is HTTP GET done synchronously in the activity
-- handler -- handler
@ -199,11 +199,11 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
AP.ResourceChild _ _ -> throwE "Add.target remote ResourceChild" AP.ResourceChild _ _ -> throwE "Add.target remote ResourceChild"
let typ = AP.actorType d let typ = AP.actorType d
if typ == AP.ActorTypeTeam && Just luColl == AP.rwcSubteams rwc if typ == AP.ActorTypeTeam && Just luColl == AP.rwcSubteams rwc
then addParentPassive $ Right $ ObjURI h lu then addParentPassive role $ Right $ ObjURI h lu
else if typ == AP.ActorTypeTeam && Just luColl == AP.rwcParentsOrProjects rwc else if typ == AP.ActorTypeTeam && Just luColl == AP.rwcParentsOrProjects rwc
then addChildPassive $ Right $ ObjURI h lu then addChildPassive role $ Right $ ObjURI h lu
else if AP.actorTypeIsResourceNT typ && Just luColl == AP.rwcTeams rwc else if AP.actorTypeIsResourceNT typ && Just luColl == AP.rwcTeams rwc
then addResourcePassive $ Right $ ObjURI h lu then addResourcePassive role $ Right $ ObjURI h lu
else throwE "Weird collection situation" else throwE "Weird collection situation"
_ -> throwE "I'm being added somewhere irrelevant" _ -> throwE "I'm being added somewhere irrelevant"
_ -> throwE "This Add isn't for me" _ -> throwE "This Add isn't for me"
@ -243,7 +243,10 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
return (action, recipientSet, remoteActors, fwdHosts) return (action, recipientSet, remoteActors, fwdHosts)
addParentActive parent = do addParentActive role parent = do
unless (role == AP.RoleAdmin) $
throwE "Add role isn't admin"
-- If parent is local, find it in our DB -- If parent is local, find it in our DB
-- If parent is remote, HTTP GET it, verify it's an actor of Group -- If parent is remote, HTTP GET it, verify it's an actor of Group
@ -353,7 +356,10 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
insert_ $ SourceUsAccept usID acceptID insert_ $ SourceUsAccept usID acceptID
addChildActive child = do addChildActive role child = do
unless (role == AP.RoleAdmin) $
throwE "Add role isn't admin"
-- If child is local, find it in our DB -- If child is local, find it in our DB
-- If child is remote, HTTP GET it, verify it's an actor of Group -- If child is remote, HTTP GET it, verify it's an actor of Group
@ -463,7 +469,10 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
insert_ $ DestUsAccept destID acceptID insert_ $ DestUsAccept destID acceptID
addParentPassive parent = do addParentPassive role parent = do
unless (role == AP.RoleAdmin) $
throwE "Add role isn't admin"
-- If parent is local, find it in our DB -- If parent is local, find it in our DB
-- If parent is remote, HTTP GET it, verify it's an actor of Group -- If parent is remote, HTTP GET it, verify it's an actor of Group
@ -548,7 +557,10 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
Right (author, _, addID) -> Right (author, _, addID) ->
insert_ $ SourceThemGestureRemote themID (remoteAuthorId author) addID insert_ $ SourceThemGestureRemote themID (remoteAuthorId author) addID
addChildPassive child = do addChildPassive role child = do
unless (role == AP.RoleAdmin) $
throwE "Add role isn't admin"
-- If child is local, find it in our DB -- If child is local, find it in our DB
-- If child is remote, HTTP GET it, verify it's an actor of Group -- If child is remote, HTTP GET it, verify it's an actor of Group
@ -633,7 +645,7 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
Right (author, _, addID) -> Right (author, _, addID) ->
insert_ $ DestThemGestureRemote themID (remoteAuthorId author) addID insert_ $ DestThemGestureRemote themID (remoteAuthorId author) addID
addResourceActive resource = do addResourceActive role resource = do
-- If resource is local, find it in our DB -- If resource is local, find it in our DB
-- If resource is remote, HTTP GET it, verify it's an actor of Group -- If resource is remote, HTTP GET it, verify it's an actor of Group
@ -724,7 +736,7 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
where where
insertEffort topicDB addDB acceptID = do insertEffort topicDB addDB acceptID = do
effortID <- insert $ Effort AP.RoleAdmin groupID effortID <- insert $ Effort role groupID
case topicDB of case topicDB of
Left r -> insert_ $ EffortTopicLocal effortID r Left r -> insert_ $ EffortTopicLocal effortID r
Right a -> insert_ $ EffortTopicRemote effortID a Right a -> insert_ $ EffortTopicRemote effortID a
@ -770,7 +782,7 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
return (action, recipientSet, remoteActors, fwdHosts) return (action, recipientSet, remoteActors, fwdHosts)
addResourcePassive resource = do addResourcePassive role resource = do
-- If resource is local, find it in our DB -- If resource is local, find it in our DB
-- If resource is remote, HTTP GET it, verify it's an actor of Group -- If resource is remote, HTTP GET it, verify it's an actor of Group
@ -840,7 +852,7 @@ groupAdd now groupID (Verse authorIdMsig body) add = do
where where
insertEffort topicDB addDB = do insertEffort topicDB addDB = do
effortID <- insert $ Effort AP.RoleAdmin groupID effortID <- insert $ Effort role groupID
case topicDB of case topicDB of
Left r -> insert_ $ EffortTopicLocal effortID r Left r -> insert_ $ EffortTopicLocal effortID r
Right a -> insert_ $ EffortTopicRemote effortID a Right a -> insert_ $ EffortTopicRemote effortID a
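Review bot: `addResourceActive` and `addResourcePassive` persist the `role` parsed from the incoming Add straight into the `Effort` row with no check on its value, while the four parent/child handlers in this same change each re-add an explicit `unless (role == AP.RoleAdmin)` guard. Nothing visible in the section bounds which `AP.Role` values are acceptable for an Effort, so whoever is permitted to reach `groupAdd` for this resource now also chooses the role that is stored; if that is the intended semantics it deserves a comment at both `insertEffort` sites, e.g. `-- The role is taken from the Add activity unchecked: any AP.Role is accepted for an Effort on purpose; add a guard here if that ever changes.`, and otherwise a guard naming the permitted roles, mirroring the sibling handlers. The old admin check at the top of `groupAdd` was commented out rather than deleted, which reads as a temporary hack; drop the two dead lines and let the per-handler guards carry the rule. `groupAdd` starts before this section and the `where` clauses holding `insertEffort` belong to handlers whose bodies are only partly shown.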