Organizations update

2018-04-30 13:25:10 +02:00
parent 654e8a5817
commit bc6bfdec46
12 changed files with 414 additions and 209 deletions
--- a/server/router/organizationroute/controller.go
+++ b/server/router/organizationroute/controller.go
@@ -78,7 +78,12 @@ func (c *controller) handleAddOrganization(ctx echo.Context) error {
 func (c *controller) handle(ctx echo.Context) error {
 	orgType, _ := routeutils.GetAndValidateStringQueryParam(ctx, "type", "Type is mandatory")

-	resp, err := c.svc.Organization.GetByType(orgType)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	resp, err := c.svc.Organization.GetByType(orgType, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -92,7 +97,12 @@ func (c *controller) handleDetail(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.GetByUUID(orgUUID)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	resp, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -112,7 +122,12 @@ func (c *controller) handleParent(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.SetParentOrganization(orgUUID, parent.UUID)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	resp, err := c.svc.Organization.SetParentOrganization(orgUUID, parent.UUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -132,12 +147,17 @@ func (c *controller) handleChild(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	_, err = c.svc.Organization.SetParentOrganization(child.UUID, orgUUID)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.GetByUUID(orgUUID)
+	_, err = c.svc.Organization.SetParentOrganization(child.UUID, orgUUID, authUser)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
+	resp, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -151,11 +171,16 @@ func (c *controller) handleNameSearch(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
 	searchType := ""
 	searchType, _ = routeutils.GetAndValidateStringQueryParam(ctx, "type", "Type is mandatory")

 	cache := cache.Instance(c.cfg)
-	cacheKey := ctx.Request().Method + ctx.Request().URL.RawPath + ctx.Request().URL.RawQuery
+	cacheKey := ctx.Request().Method + ctx.Request().URL.RawPath + ctx.Request().URL.RawQuery + authUser.ID

 	resp := []viewmodel.Organization{}
 	err = cache.GetStruct(cacheKey, &resp)
@@ -163,7 +188,7 @@ func (c *controller) handleNameSearch(ctx echo.Context) error {
 		if err != domain.ErrCacheMiss {
 			ctx.Logger().Errorf(domain.LogProblemGettingFromCache, err)
 		}
-		resp, err = c.svc.Organization.GetByName(name, searchType)
+		resp, err = c.svc.Organization.GetByName(name, searchType, authUser)
 		if err != nil {
 			return routeutils.HandleAPIError(ctx, err)
 		}
@@ -180,24 +205,24 @@ func (c *controller) handleRemoveAddress(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
 	orgUUID, err := routeutils.GetAndValidateStringParam(ctx, "org_uuid", "Org ID is mandatory")
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	uInt, err := auth.GetTokenDetail(ctx, c.cfg)
-	if err != nil {
-		return routeutils.HandleAPIError(ctx, err)
-	}
-	createdUser := uInt.(map[string]interface{})
-	address.UpdatedUser.ID = createdUser["useruuid"].(string)
+	address.UpdatedUser.ID = authUser.ID

-	err = c.svc.Organization.InactivateOrganizationAddress(orgUUID, address)
+	err = c.svc.Organization.InactivateOrganizationAddress(orgUUID, address, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.GetByUUID(orgUUID)
+	resp, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -217,20 +242,19 @@ func (c *controller) handleAddAddress(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	uInt, err := auth.GetTokenDetail(ctx, c.cfg)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
-	createdUser := uInt.(map[string]interface{})
-	address.CreatedUser.ID = createdUser["useruuid"].(string)
-	address.UpdatedUser.ID = address.CreatedUser.ID
+	address.CreatedUser.ID = authUser.ID
+	address.UpdatedUser.ID = authUser.ID

-	_, err = c.svc.Organization.SetOrganizationAddress(orgUUID, address)
+	_, err = c.svc.Organization.SetOrganizationAddress(orgUUID, address, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.GetByUUID(orgUUID)
+	resp, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -250,19 +274,18 @@ func (c *controller) handleRemoveContact(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	uInt, err := auth.GetTokenDetail(ctx, c.cfg)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
-	createdUser := uInt.(map[string]interface{})
-	contact.UpdatedUser.ID = createdUser["useruuid"].(string)
+	contact.UpdatedUser.ID = authUser.ID

-	err = c.svc.Organization.InactivateOrganizationContact(orgUUID, contact)
+	err = c.svc.Organization.InactivateOrganizationContact(orgUUID, contact, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.GetByUUID(orgUUID)
+	resp, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -282,20 +305,19 @@ func (c *controller) handleAddContact(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	uInt, err := auth.GetTokenDetail(ctx, c.cfg)
+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
-	createdUser := uInt.(map[string]interface{})
-	contact.CreatedUser.ID = createdUser["useruuid"].(string)
-	contact.UpdatedUser.ID = contact.CreatedUser.ID
+	contact.CreatedUser.ID = authUser.ID
+	contact.UpdatedUser.ID = authUser.ID

-	_, err = c.svc.Organization.SetOrganizationContact(orgUUID, contact)
+	_, err = c.svc.Organization.SetOrganizationContact(orgUUID, contact, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}

-	resp, err := c.svc.Organization.GetByUUID(orgUUID)
+	resp, err := c.svc.Organization.GetByUUID(orgUUID, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
--- a/server/router/usersroute/controller.go
+++ b/server/router/usersroute/controller.go
@@ -274,6 +274,11 @@ func (c *controller) handleMember(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
 	if user.PhoneNumber == nil && user.Email == nil || len(*user.PhoneNumber) == 0 && len(*user.Email) == 0 {
 		return routeutils.ResponseAPIAuthError(ctx, "phonenumber or email is required", false)
 	}
@@ -314,7 +319,7 @@ func (c *controller) handleMember(ctx echo.Context) error {
 	}
 	user.Profiles = append(user.Profiles, profile)

-	user, err = c.svc.Users.Create(user)
+	user, err = c.svc.Users.Create(user, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -328,6 +333,11 @@ func (c *controller) handleBulkPortal(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
 	for i, _ := range users {
 		if len(users[i].Profiles) == 0 {
 			return routeutils.ResponseAPIAuthError(ctx, "profile is required", false)
@@ -360,7 +370,7 @@ func (c *controller) handleBulkPortal(ctx echo.Context) error {
 		}
 	}

-	returnUser, err := c.svc.Users.CreateBulk(users)
+	returnUser, err := c.svc.Users.CreateBulk(users, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
@@ -374,6 +384,11 @@ func (c *controller) handlePortal(ctx echo.Context) error {
 		return routeutils.HandleAPIError(ctx, err)
 	}

+	authUser, err := auth.GetUserDetail(ctx, c.cfg)
+	if err != nil {
+		return routeutils.HandleAPIError(ctx, err)
+	}
+
 	if len(user.Profiles) == 0 {
 		return routeutils.ResponseAPIAuthError(ctx, "profile is required", false)
 	}
@@ -404,7 +419,7 @@ func (c *controller) handlePortal(ctx echo.Context) error {
 		user.Name = fmt.Sprintf("%s %s", user.First, user.Last)
 	}

-	user, err = c.svc.Users.Create(user)
+	user, err = c.svc.Users.Create(user, authUser)
 	if err != nil {
 		return routeutils.HandleAPIError(ctx, err)
 	}
--- a/server/serverconfig/authorization.go
+++ b/server/serverconfig/authorization.go
@@ -1,8 +1,6 @@
 package serverconfig

 import (
-	"fmt"
-
 	"bitbucket.org/nemt/nemt-portal-api/application/applicationservice"
 	"bitbucket.org/nemt/nemt-portal-api/application/viewmodel"
 	"bitbucket.org/nemt/nemt-portal-api/infra/auth"
@@ -77,8 +75,8 @@ func (a *Config) CheckPermission(c echo.Context) bool {
 	}
 	method := c.Request().Method
 	path := c.Request().URL.Path
-	objectOrganization := a.organizationGoverningObject(c, user)
-	objectRole := a.roleGoverningObject(c, user)
+
+	objectsRole, objectsOrganization, objectsOrganizationType, object := a.policyObjectAttributes(c, user)

 	currentUsersOrganization := viewmodel.Organization{}
 	if len(user.Organizations) > 0 {
@@ -89,49 +87,74 @@ func (a *Config) CheckPermission(c echo.Context) bool {
 	if len(user.Profiles) > 0 {
 		currentUsersRole = user.Profiles[0]
 	}
-	orgRelation := organizationsRelation(currentUsersOrganization, objectOrganization)
-	objRelation := a.objectRelation(c, user)

-	// parameters to Enforce must match the request section of the authorization model
-	return a.Enforcer.Enforce(currentUsersRole.Key, objectRole.Key, orgRelation, objRelation, path, method)
+	currentUsersOrganizationType := ""
+	if len(user.Profiles) > 0 {
+		currentUsersOrganizationType = user.Profiles[0].Organization.Type.Key
+	}
+
+	orgRelation := organizationsRelation(currentUsersOrganization, objectsOrganization)
+	objRelation := a.objectRelation(object, user)
+
+	// parameters to Enforce must match the request section of the authorization_model.conf
+	return a.Enforcer.Enforce(currentUsersRole.Key,
+		objectsRole.Key,
+		objectsOrganizationType,
+		currentUsersOrganizationType,
+		orgRelation,
+		objRelation,
+		path,
+		method)

 }

-// organizationGoverningObject returns the organization that is the owner of the object that is being accessed
-// in case object exists and returns users role if it is a new object
-func (a *Config) organizationGoverningObject(c echo.Context, userDetails viewmodel.User) (result viewmodel.Organization) {
+// policyObjectAttributes returns all information about the object being accessed for the policy
+// in case object exists and returns users information if it is a new object
+func (a *Config) policyObjectAttributes(c echo.Context, userDetails viewmodel.User) (viewmodel.Profile, viewmodel.Organization, string, interface{}) {

-	fmt.Println("***************")
-	fmt.Println(c.ParamValues())
-	fmt.Println("***************")
-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) > 1
-	newUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) <= 1
+	var object interface{}
+
+	objectIsNew := len(c.ParamValues()) <= 1
+	objectIsExisting := len(c.ParamValues()) > 1
+
+	existingUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsNew
+	newUser := strings.Contains(c.Request().URL.Path, "/users") && objectIsExisting
+
+	existingOrganization := strings.Contains(c.Request().URL.Path, "/organization") && objectIsExisting
+	newOrganization := strings.Contains(c.Request().URL.Path, "/organization") && objectIsNew

 	switch {
 	case existingUser:
-		user, _ := a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
-		result = user.Organizations[0]
+		object, _ = a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
 	case newUser && len(userDetails.Organizations) > 0:
-		result = userDetails.Organizations[0]
+		object = userDetails
+	case existingOrganization:
+		object, _ = a.Svc.Organization.GetByUUID(c.ParamValues()[1], userDetails)
+	case newOrganization:
+		object = viewmodel.Organization{}
 	}
-	return
-}

-// organizationGoverningObject returns the role that is the owner of the object that is being accessed
-// in case object exists and returns users role if it is a new object
-func (a *Config) roleGoverningObject(c echo.Context, userDetails viewmodel.User) (result viewmodel.Profile) {
-
-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) > 1
-	newUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) <= 1
-
-	switch {
-	case existingUser:
-		user, _ := a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
-		result = user.Profiles[0]
-	case newUser && len(userDetails.Organizations) > 0:
-		result = userDetails.Profiles[0]
+	objectsRole := viewmodel.Profile{}
+	switch obj := object.(type) {
+	case viewmodel.User:
+		if len(obj.Profiles) > 0 {
+			objectsRole = obj.Profiles[0]
+		}
 	}
-	return
+
+	objectsOrganization := viewmodel.Organization{}
+	switch obj := object.(type) {
+	case viewmodel.User:
+		if len(obj.Profiles) > 0 {
+			objectsOrganization = obj.Profiles[0].Organization
+		}
+	case viewmodel.Organization:
+		objectsOrganization = obj
+	}
+
+	objectsOrganizationType := objectsOrganization.Type.Key
+
+	return objectsRole, objectsOrganization, objectsOrganizationType, object
 }

 func organizationsRelation(requestOrganization, currentUsersOrganization viewmodel.Organization) string {
@@ -156,15 +179,14 @@ func organizationsRelation(requestOrganization, currentUsersOrganization viewmod

 // organizationGoverningObject returns the role that is the owner of the object that is being accessed
 // in case object exists and returns users role if it is a new object
-func (a *Config) objectRelation(c echo.Context, userDetails viewmodel.User) string {
+func (a *Config) objectRelation(object interface{}, currentUser viewmodel.User) string {

-	existingUser := strings.Contains(c.Request().URL.Path, "/users") && len(c.ParamValues()) > 1
-
-	switch {
-	case existingUser:
-		user, _ := a.Svc.Users.GetByUUID(c.ParamValues()[1], "")
-		if user.ID == userDetails.ID {
+	switch obj := object.(type) {
+	case viewmodel.User:
+		if obj.ID == currentUser.ID {
 			return "[self]"
+		} else {
+			return "[other]"
 		}
 	}
 	return "[other]"