gractwo/mnemosyne
4
0
Fork 0
Code Pull Requests Actions Packages Activity

Admin permission, grant/revoke/reset permission helpers

Browse Source
This commit is contained in:
jmanczak
2026-05-06 18:19:09 +02:00
parent 1f07952973
commit e2e9a3efb5
1 changed files with 73 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

81
src/users/permissions.rs
View File

@@ -3,8 +3,10 @@ use sqlx::PgConnection;
use crate::{database::DatabaseError, users::User}; use crate::{database::DatabaseError, users::User};
/// Infradmin and systemuser have all permissions. /// Infradmin and systemuser have all permissions.
#[derive(strum::IntoStaticStr)] #[derive(Debug, Clone, PartialEq, strum::IntoStaticStr)]
pub enum Permission { pub enum Permission {
// Pass all the permission checks
Admin,
// All Users have the right to observe their own sessions // All Users have the right to observe their own sessions
ListOthersSessions, ListOthersSessions,
// All Users have the right to revoke their own sessions // All Users have the right to revoke their own sessions
@@ -34,15 +36,11 @@ impl Permission {
} }
impl User { impl User {
pub async fn has_permission( async fn permission_dbstate(
&self, &self,
conn: &mut PgConnection, conn: &mut PgConnection,
permission: Permission, permission: Permission,
) -> Result<bool, DatabaseError> { ) -> Result<Option<bool>, DatabaseError> {
if self.is_infradmin() || self.is_systemuser() {
return Ok(true);
}
let permission_key: &'static str = (&permission).into(); let permission_key: &'static str = (&permission).into();
let state: Option<bool> = sqlx::query_scalar( let state: Option<bool> = sqlx::query_scalar(
"SELECT state FROM user_permissions WHERE user_id = $1 AND permission = $2", "SELECT state FROM user_permissions WHERE user_id = $1 AND permission = $2",
@@ -52,6 +50,73 @@ impl User {
.fetch_optional(&mut *conn) .fetch_optional(&mut *conn)
.await?; .await?;
Ok(state.unwrap_or_else(|| permission.is_default_permission())) Ok(state)
}
pub async fn has_permission(
&self,
conn: &mut PgConnection,
permission: Permission,
) -> Result<bool, DatabaseError> {
if self.is_infradmin() || self.is_systemuser() {
return Ok(true);
}
if let Some(true) = self.permission_dbstate(conn, Permission::Admin).await? {
return Ok(true);
}
Ok(self
.permission_dbstate(conn, permission)
.await?
.unwrap_or(false))
}
pub async fn grant_permission(
&self,
conn: &mut PgConnection,
permission: Permission,
) -> Result<(), DatabaseError> {
let permission_key: &'static str = (&permission).into();
sqlx::query(
"INSERT INTO user_permissions (user_id, permission, state) VALUES ($1, $2, TRUE) ON CONFLICT (user_id, permission) DO UPDATE SET state = EXCLUDED.state",
)
.bind(self.id)
.bind(permission_key)
.execute(&mut *conn)
.await?;
Ok(())
}
pub async fn revoke_permission(
&self,
conn: &mut PgConnection,
permission: Permission,
) -> Result<(), DatabaseError> {
let permission_key: &'static str = (&permission).into();
sqlx::query(
"INSERT INTO user_permissions (user_id, permission, state) VALUES ($1, $2, FALSE) ON CONFLICT (user_id, permission) DO UPDATE SET state = EXCLUDED.state",
)
.bind(self.id)
.bind(permission_key)
.execute(&mut *conn)
.await?;
Ok(())
}
pub async fn reset_permission(
&self,
conn: &mut PgConnection,
permission: Permission,
) -> Result<(), DatabaseError> {
let permission_key: &'static str = (&permission).into();
sqlx::query("DELETE FROM user_permissions WHERE user_id = $1 AND permission = $2")
.bind(self.id)
.bind(permission_key)
.execute(&mut *conn)
.await?;
Ok(())
} }
} }