permissions stub wo/ DB model

src/api/mod.rs

@@ -14,7 +14,6 @@ mod sessions;
 mod tags;
 mod users;
 
-// TODO: PERMISSIONS FOR ENDPOINTS & ACTIONS
 pub fn api_router() -> Router {
     Router::new()
         .route("/api/live", get(async || "Mnemosyne lives"))

src/api/sessions.rs

@@ -11,7 +11,8 @@ use crate::{
     users::{
         User,
         auth::{UserAuthRequired, UserAuthenticate},
-        sessions::Session,
+        permissions::Permission,
+        sessions::{Session, SessionError},
     },
 };
 
@@ -19,6 +20,14 @@ pub async fn get_by_id(
     Path(id): Path<Uuid>,
     headers: HeaderMap,
 ) -> Result<Response, CompositeError> {
-    User::authenticate(&headers)?.required()?;
-    Ok(Json(Session::get_by_id(id)?).into_response())
+    let u = User::authenticate(&headers)?.required()?;
+    let s = Session::get_by_id(id)?;
+
+    match s.user_id == u.id
+        || u.has_permission(Permission::ListOthersSessions)
+            .is_ok_and(|v| v)
+    {
+        true => Ok(Json(s).into_response()),
+        false => Err(SessionError::NoSessionWithId(id))?,
+    }
 }

src/users/mod.rs

@@ -17,6 +17,7 @@ use crate::{
 
 pub mod auth;
 pub mod handle;
+pub mod permissions;
 pub mod sessions;
 pub mod setup;
 

src/users/permissions.rs

@@ -0,0 +1,17 @@
+use crate::users::User;
+
+/// Infradmin and systemuser have all permissions.
+pub enum Permission {
+    // All Users have the right to observe their own sessions
+    ListOthersSessions,
+}
+
+impl User {
+    pub fn has_permission(&self, permission: Permission) -> Result<bool, rusqlite::Error> {
+        if self.is_infradmin() || self.is_systemuser() {
+            return Ok(true);
+        }
+
+        todo!("Do the permission checking here once permissions are modeled in the DB")
+    }
+}