diff --git a/src/api/mod.rs b/src/api/mod.rs
index 189821e..66a36ae 100644
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@@ -14,7 +14,6 @@ mod sessions;
 mod tags;
 mod users;
-// TODO: PERMISSIONS FOR ENDPOINTS & ACTIONS
 pub fn api_router() -> Router {
 Router::new()
 .route("/api/live", get(async || "Mnemosyne lives"))
diff --git a/src/api/sessions.rs b/src/api/sessions.rs
index 214525e..ca5b525 100644
--- a/src/api/sessions.rs
+++ b/src/api/sessions.rs
@@ -11,7 +11,8 @@ use crate::{
 users::{
 User,
 auth::{UserAuthRequired, UserAuthenticate},
- sessions::Session,
+ permissions::Permission,
+ sessions::{Session, SessionError},
 },
 };
@@ -19,6 +20,14 @@ pub async fn get_by_id(
 Path(id): Path,
 headers: HeaderMap,
 ) -> Result {
- User::authenticate(&headers)?.required()?;
- Ok(Json(Session::get_by_id(id)?).into_response())
+ let u = User::authenticate(&headers)?.required()?;
+ let s = Session::get_by_id(id)?;
+
+ match s.user_id == u.id
+ || u.has_permission(Permission::ListOthersSessions)
+ .is_ok_and(|v| v)
+ {
+ true => Ok(Json(s).into_response()),
+ false => Err(SessionError::NoSessionWithId(id))?,
+ }
 }
diff --git a/src/users/mod.rs b/src/users/mod.rs
index 2ee38f9..f562bc6 100644
--- a/src/users/mod.rs
+++ b/src/users/mod.rs
@@ -17,6 +17,7 @@ use crate::{
 pub mod auth;
 pub mod handle;
+pub mod permissions;
 pub mod sessions;
 pub mod setup;
diff --git a/src/users/permissions.rs b/src/users/permissions.rs
new file mode 100644
index 0000000..f6fa0e6
--- /dev/null
+++ b/src/users/permissions.rs
@@ -0,0 +1,17 @@
+use crate::users::User;
+
+/// Infradmin and systemuser have all permissions.
+pub enum Permission {
+ // All Users have the right to observe their own sessions
+ ListOthersSessions,
+}
+
+impl User {
+ pub fn has_permission(&self, permission: Permission) -> Result {
+ if self.is_infradmin() || self.is_systemuser() {
+ return Ok(true);
+ }
+
+ todo!("Do the permission checking here once permissions are modeled in the DB")
+ }
+}
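Review bot: For a caller who is neither the session owner nor an infradmin/systemuser, the `u.has_permission(Permission::ListOthersSessions)` call in the new `match` of `get_by_id` reaches the `todo!()` added in src/users/permissions.rs and panics; `.is_ok_and(|v| v)` only absorbs an `Err`, not a panic. However the server surfaces that panic, it will not look like the `NoSessionWithId` reply in the `false` arm, so an existing foreign session id becomes distinguishable from a missing one, which that arm appears intended to prevent. Until permissions are modeled in the DB, `has_permission` should deny by default, for example by ending with `Ok(false)` in place of the `todo!()`. Separately, `is_ok_and` turns a failed permission lookup into a not-found reply; if that fail-closed choice is deliberate, a one-line comment saying so would help, and the `match` on a bool would read more naturally as `if`/`else`.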
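Review bot: In the new src/users/permissions.rs, the `//` comment above `ListOthersSessions` describes what every user may already do rather than what the variant grants, and as a plain comment it is left out of rustdoc. A doc comment such as `/// Grants access to sessions owned by other users; a user can always view their own.` would state the variant's meaning. `has_permission` is public but undocumented and never reads its `permission` argument in the added body, so its doc comment should say that only the infradmin/systemuser shortcut is evaluated for now. Adding `#[derive(Debug, Clone, Copy, PartialEq, Eq)]` to `Permission` would also let the value be logged and compared once further variants are added.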