backend/service/
map_access_control.rs

1use actix_http::StatusCode;
2
3use crate::model::entity::Map;
4#[cfg(feature = "access_control")]
5use crate::model::entity::MapCollaborator;
6#[cfg(feature = "access_control")]
7use crate::model::r#enum::privacy_access_control::AccessControl;
8use crate::{
9    config::{auth::user_info::UserInfo, data::SharedPool},
10    error::ServiceError,
11};
12
13/// Order of the variants is important for comparison.
14#[derive(Debug, PartialEq, PartialOrd, Eq, Ord)]
15pub enum AccessRights {
16    /// The user has no rights.
17    None,
18    /// The user has read rights to a map.
19    Read,
20    /// The user has read/write rights to a map.
21    Write,
22}
23
24/// Check if the current user has the correct permissions to view or perform an action on a map.
25///
26/// # Errors
27/// If the connection to the database could not be established.
28/// If the user does not have the required rights for performing an action on a map.
29#[cfg(feature = "access_control")]
30pub async fn check_permissions(
31    map_id: i32,
32    pool: &SharedPool,
33    user_info: UserInfo,
34    required_rights: AccessRights,
35) -> Result<(), ServiceError> {
36    let mut conn = pool.get().await?;
37    let map_id_i64 = i64::from(map_id);
38    let result = Map::find_by_id(map_id_i64, &mut conn).await?;
39
40    if result.created_by == user_info.id || user_info.is_admin() {
41        return Ok(());
42    }
43
44    let is_collaborator =
45        MapCollaborator::contains_user_as_collaborator(user_info.id, map_id_i64, &mut conn).await?;
46
47    if is_collaborator {
48        return Ok(());
49    }
50
51    let actual_rights = result.privacy.check_access(&user_info);
52
53    if actual_rights == AccessRights::None {
54        return Err(ServiceError::new(StatusCode::NOT_FOUND, "Map not found"));
55    } else if actual_rights < required_rights {
56        return Err(ServiceError::new(
57            StatusCode::FORBIDDEN,
58            "no permissions to update data",
59        ));
60    }
61    Ok(())
62}
63
64/// Check if the current user has the correct permissions to create a map.
65///
66/// # Errors
67/// If the user does not have the required rights for creating a map.
68pub async fn check_creation_permission(user_info: &UserInfo) -> Result<(), ServiceError> {
69    if user_info.is_member() || user_info.is_admin() {
70        Ok(())
71    } else {
72        Err(ServiceError::new(
73            StatusCode::FORBIDDEN,
74            "Only members are allowed to create",
75        ))
76    }
77}
78
79/// This mirrors the the initial behavior of Access Control.
80/// Only owners are allowed to modify maps.
81///
82/// # Errors
83/// If the user is not the owner of the map and requires writing access.
84#[cfg(not(feature = "access_control"))]
85pub async fn check_permissions(
86    map_id: i32,
87    pool: &SharedPool,
88    user_info: UserInfo,
89    required_rights: AccessRights,
90) -> Result<(), ServiceError> {
91    if user_info.is_admin() {
92        return Ok(());
93    }
94    let mut conn = pool.get().await?;
95    let map = Map::find_by_id(map_id, &mut conn).await?;
96    if required_rights > AccessRights::Read && map.created_by != user_info.id {
97        return Err(ServiceError {
98            status_code: StatusCode::FORBIDDEN,
99            reason: "no permission to update data".to_owned(),
100        });
101    }
102    Ok(())
103}