mukimovd/tercul-backend
1
0
Fork 0
mirror of https://github.com/SamyRai/tercul-backend.git synced 2025-12-27 05:11:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
main
tercul-backend/internal/app/authz/authz.go
Damir Mukimov d50722dad5
Some checks failed
Test / Integration Tests (push) Successful in 4s
Details
Build / Build Binary (push) Failing after 2m9s
Details
Docker Build / Build Docker Image (push) Failing after 2m32s
Details
Test / Unit Tests (push) Failing after 3m12s
Details
Lint / Go Lint (push) Failing after 1m0s
Details
Refactor ID handling to use UUIDs across the application 
- Updated database models and repositories to replace uint IDs with UUIDs.
- Modified test fixtures to generate and use UUIDs for authors, translations, users, and works.
- Adjusted mock implementations to align with the new UUID structure.
- Ensured all relevant functions and methods are updated to handle UUIDs correctly.
- Added necessary imports for UUID handling in various files.
2025-12-27 00:33:34 +01:00

255 lines
6.8 KiB
Go
Raw Permalink Blame History

package authz
import (
"context"
"tercul/internal/domain"
platform_auth "tercul/internal/platform/auth"
"github.com/google/uuid"
)
// Service provides authorization checks for the application.
type Service struct {
workRepo domain.WorkRepository
authorRepo domain.AuthorRepository
userRepo domain.UserRepository
translationRepo domain.TranslationRepository
}
// NewService creates a new authorization service.
func NewService(workRepo domain.WorkRepository, authorRepo domain.AuthorRepository, userRepo domain.UserRepository, translationRepo domain.TranslationRepository) *Service {
return &Service{
workRepo: workRepo,
authorRepo: authorRepo,
userRepo: userRepo,
translationRepo: translationRepo,
}
}
// CanEditWork checks if a user has permission to edit a work.
// For now, we'll implement a simple rule: only an admin or the work's author can edit it.
func (s *Service) CanEditWork(ctx context.Context, userID uuid.UUID, work *domain.Work) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
user, err := s.userRepo.GetByID(ctx, userID)
if err != nil {
return false, err
}
author, err := s.authorRepo.FindByName(ctx, user.Username)
if err != nil {
// If the author profile doesn't exist for the user, they can't be the author.
return false, nil
}
// Check if the user is an author of the work.
isAuthor, err := s.workRepo.IsAuthor(ctx, work.ID, author.ID)
if err != nil {
return false, err
}
if isAuthor {
return true, nil
}
return false, domain.ErrForbidden
}
// CanDeleteWork checks if a user has permission to delete a work.
func (s *Service) CanDeleteWork(ctx context.Context, userID uuid.UUID, work *domain.Work) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
user, err := s.userRepo.GetByID(ctx, userID)
if err != nil {
return false, err
}
author, err := s.authorRepo.FindByName(ctx, user.Username)
if err != nil {
// If the author profile doesn't exist for the user, they can't be the author.
return false, nil
}
// Check if the user is an author of the work.
isAuthor, err := s.workRepo.IsAuthor(ctx, work.ID, author.ID)
if err != nil {
return false, err
}
if isAuthor {
return true, nil
}
return false, domain.ErrForbidden
}
// CanEditEntity checks if a user has permission to edit a specific translatable entity.
func (s *Service) CanEditEntity(ctx context.Context, userID uuid.UUID, translatableType string, translatableID uuid.UUID) (bool, error) {
switch translatableType {
case "works":
// For works, we can reuse the CanEditWork logic.
// First, we need to fetch the work.
work, err := s.workRepo.GetByID(ctx, translatableID)
if err != nil {
return false, err // Handles not found, etc.
}
return s.CanEditWork(ctx, userID, work)
default:
// For now, deny all other types by default.
// This can be expanded later.
return false, domain.ErrForbidden
}
}
// CanDeleteTranslation checks if a user can delete a translation.
func (s *Service) CanDeleteTranslation(ctx context.Context, userID uuid.UUID, translationID uuid.UUID) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
translation, err := s.translationRepo.GetByID(ctx, translationID)
if err != nil {
return false, err
}
if translation.TranslatorID != nil && *translation.TranslatorID == userID {
return true, nil
}
return false, domain.ErrForbidden
}
// CanUpdateUser checks if a user has permission to update another user's profile.
func (s *Service) CanCreateWork(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanCreateTranslation(ctx context.Context) (bool, error) {
_, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
return true, nil
}
func (s *Service) CanEditTranslation(ctx context.Context, userID uuid.UUID, translationID uuid.UUID) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Check if the user is the translator of the translation.
translation, err := s.translationRepo.GetByID(ctx, translationID)
if err != nil {
return false, err
}
if translation.TranslatorID != nil && *translation.TranslatorID == userID {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanCreateBook(ctx context.Context) (bool, error) {
_, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
return true, nil
}
func (s *Service) CanUpdateBook(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanDeleteBook(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanUpdateUser(ctx context.Context, actorID, targetUserID uuid.UUID) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Users can update their own profile.
if actorID == targetUserID {
return true, nil
}
return false, domain.ErrForbidden
}
// CanDeleteComment checks if a user has permission to delete a comment.
// For now, we'll implement a simple rule: only an admin or the comment's author can delete it.
func (s *Service) CanDeleteComment(ctx context.Context, userID uuid.UUID, comment *domain.Comment) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Check if the user is the author of the comment.
if comment.UserID == userID {
return true, nil
}
return false, domain.ErrForbidden
}
Reference in New Issue View Git Blame Copy Permalink