Admin permission, grant/revoke/reset permission helpers

2026-05-06 18:19:09 +02:00
parent 1f07952973
commit e2e9a3efb5
1 changed files with 73 additions and 8 deletions
--- a/src/users/permissions.rs
+++ b/src/users/permissions.rs
@@ -3,8 +3,10 @@ use sqlx::PgConnection;
 use crate::{database::DatabaseError, users::User};

 /// Infradmin and systemuser have all permissions.
-#[derive(strum::IntoStaticStr)]
+#[derive(Debug, Clone, PartialEq, strum::IntoStaticStr)]
 pub enum Permission {
+    // Pass all the permission checks
+    Admin,
    // All Users have the right to observe their own sessions
    ListOthersSessions,
    // All Users have the right to revoke their own sessions
@@ -34,15 +36,11 @@ impl Permission {
 }

 impl User {
-    pub async fn has_permission(
+    async fn permission_dbstate(
        &self,
        conn: &mut PgConnection,
        permission: Permission,
-    ) -> Result<bool, DatabaseError> {
-        if self.is_infradmin() || self.is_systemuser() {
-            return Ok(true);
-        }
-
+    ) -> Result<Option<bool>, DatabaseError> {
        let permission_key: &'static str = (&permission).into();
        let state: Option<bool> = sqlx::query_scalar(
            "SELECT state FROM user_permissions WHERE user_id = $1 AND permission = $2",
@@ -52,6 +50,73 @@ impl User {
        .fetch_optional(&mut *conn)
        .await?;

-        Ok(state.unwrap_or_else(|| permission.is_default_permission()))
+        Ok(state)
+    }
+
+    pub async fn has_permission(
+        &self,
+        conn: &mut PgConnection,
+        permission: Permission,
+    ) -> Result<bool, DatabaseError> {
+        if self.is_infradmin() || self.is_systemuser() {
+            return Ok(true);
+        }
+        if let Some(true) = self.permission_dbstate(conn, Permission::Admin).await? {
+            return Ok(true);
+        }
+
+        Ok(self
+            .permission_dbstate(conn, permission)
+            .await?
+            .unwrap_or(false))
+    }
+
+    pub async fn grant_permission(
+        &self,
+        conn: &mut PgConnection,
+        permission: Permission,
+    ) -> Result<(), DatabaseError> {
+        let permission_key: &'static str = (&permission).into();
+        sqlx::query(
+            "INSERT INTO user_permissions (user_id, permission, state) VALUES ($1, $2, TRUE) ON CONFLICT (user_id, permission) DO UPDATE SET state = EXCLUDED.state",
+        )
+        .bind(self.id)
+        .bind(permission_key)
+        .execute(&mut *conn)
+        .await?;
+
+        Ok(())
+    }
+
+    pub async fn revoke_permission(
+        &self,
+        conn: &mut PgConnection,
+        permission: Permission,
+    ) -> Result<(), DatabaseError> {
+        let permission_key: &'static str = (&permission).into();
+        sqlx::query(
+            "INSERT INTO user_permissions (user_id, permission, state) VALUES ($1, $2, FALSE) ON CONFLICT (user_id, permission) DO UPDATE SET state = EXCLUDED.state",
+        )
+        .bind(self.id)
+        .bind(permission_key)
+        .execute(&mut *conn)
+        .await?;
+
+        Ok(())
+    }
+
+    pub async fn reset_permission(
+        &self,
+        conn: &mut PgConnection,
+        permission: Permission,
+    ) -> Result<(), DatabaseError> {
+        let permission_key: &'static str = (&permission).into();
+        sqlx::query("DELETE FROM user_permissions WHERE user_id = $1 AND permission = $2")
+            .bind(self.id)
+            .bind(permission_key)
+            .execute(&mut *conn)
+            .await?;
+
+        Ok(())
    }
 }