mukimovd/tercul-backend
1
0
Fork 0
mirror of https://github.com/SamyRai/tercul-backend.git synced 2025-12-27 05:11:34 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
3dfe5986cf
tercul-backend/internal/app/authz/authz.go
google-labs-jules[bot] fa90dd79da feat: Complete large-scale refactor and prepare for production 
This commit marks the completion of a major refactoring effort to stabilize the codebase, improve its structure, and prepare it for production.

The key changes include:

- **Domain Layer Consolidation:** The `Work` entity and its related types, along with all other domain entities and repository interfaces, have been consolidated into the main `internal/domain` package. This eliminates import cycles and provides a single, coherent source of truth for the domain model.

- **Data Access Layer Refactoring:** The repository implementations in `internal/data/sql` have been updated to align with the new domain layer. The `BaseRepositoryImpl` has been corrected to use pointer receivers, and all concrete repositories now correctly embed it, ensuring consistent and correct behavior.

- **Application Layer Stabilization:** All application services in `internal/app` have been updated to use the new domain types and repository interfaces. Dependency injection has been corrected throughout the application, ensuring that all services are initialized with the correct dependencies.

- **GraphQL Adapter Fixes:** The GraphQL resolver implementation in `internal/adapters/graphql` has been updated to correctly handle the new domain types and service methods. The auto-generated GraphQL code has been regenerated to ensure it is in sync with the schema and runtime.

- **Test Suite Overhaul:** All test suites have been fixed to correctly implement their respective interfaces and use the updated domain model. Mock repositories and test suites have been corrected to properly embed the `testify` base types, resolving numerous build and linter errors.

- **Dependency Management:** The Go modules have been tidied, and the module cache has been cleaned to ensure a consistent and correct dependency graph.

- **Code Quality and Verification:** The entire codebase now passes all builds, tests, and linter checks, ensuring a high level of quality and stability.

This comprehensive effort has resulted in a more robust, maintainable, and production-ready application.
2025-10-07 11:09:37 +00:00

205 lines
5.5 KiB
Go
Raw Blame History

package authz
import (
"context"
"tercul/internal/domain"
platform_auth "tercul/internal/platform/auth"
)
// Service provides authorization checks for the application.
type Service struct {
workRepo domain.WorkRepository
translationRepo domain.TranslationRepository
}
// NewService creates a new authorization service.
func NewService(workRepo domain.WorkRepository, translationRepo domain.TranslationRepository) *Service {
return &Service{
workRepo: workRepo,
translationRepo: translationRepo,
}
}
// CanEditWork checks if a user has permission to edit a work.
// For now, we'll implement a simple rule: only an admin or the work's author can edit it.
func (s *Service) CanEditWork(ctx context.Context, userID uint, work *domain.Work) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Check if the user is an author of the work.
isAuthor, err := s.workRepo.IsAuthor(ctx, work.ID, userID)
if err != nil {
return false, err
}
if isAuthor {
return true, nil
}
return false, domain.ErrForbidden
}
// CanDeleteWork checks if a user has permission to delete a work.
func (s *Service) CanDeleteWork(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
// CanEditEntity checks if a user has permission to edit a specific translatable entity.
func (s *Service) CanEditEntity(ctx context.Context, userID uint, translatableType string, translatableID uint) (bool, error) {
switch translatableType {
case "works":
// For works, we can reuse the CanEditWork logic.
// First, we need to fetch the work.
work, err := s.workRepo.GetByID(ctx, translatableID)
if err != nil {
return false, err // Handles not found, etc.
}
return s.CanEditWork(ctx, userID, work)
default:
// For now, deny all other types by default.
// This can be expanded later.
return false, domain.ErrForbidden
}
}
// CanDeleteTranslation checks if a user can delete a translation.
func (s *Service) CanDeleteTranslation(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
// CanUpdateUser checks if a user has permission to update another user's profile.
func (s *Service) CanCreateWork(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanCreateTranslation(ctx context.Context) (bool, error) {
_, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
return true, nil
}
func (s *Service) CanEditTranslation(ctx context.Context, userID uint, translationID uint) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Check if the user is the translator of the translation.
translation, err := s.translationRepo.GetByID(ctx, translationID)
if err != nil {
return false, err
}
if translation.TranslatorID != nil && *translation.TranslatorID == userID {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanCreateBook(ctx context.Context) (bool, error) {
_, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
return true, nil
}
func (s *Service) CanUpdateBook(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanDeleteBook(ctx context.Context) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
return false, domain.ErrForbidden
}
func (s *Service) CanUpdateUser(ctx context.Context, actorID, targetUserID uint) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Users can update their own profile.
if actorID == targetUserID {
return true, nil
}
return false, domain.ErrForbidden
}
// CanDeleteComment checks if a user has permission to delete a comment.
// For now, we'll implement a simple rule: only an admin or the comment's author can delete it.
func (s *Service) CanDeleteComment(ctx context.Context, userID uint, comment *domain.Comment) (bool, error) {
claims, ok := platform_auth.GetClaimsFromContext(ctx)
if !ok {
return false, domain.ErrUnauthorized
}
// Admins can do anything.
if claims.Role == string(domain.UserRoleAdmin) {
return true, nil
}
// Check if the user is the author of the comment.
if comment.UserID == userID {
return true, nil
}
return false, domain.ErrForbidden
}
Reference in New Issue View Git Blame Copy Permalink