Use Permission module to check if user can have access to resource

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-07-23 11:34:28 +02:00 · 2021-07-23 11:34:28 +02:00 · c394f2cc5a
parent 0995043d04
commit c394f2cc5a
3 changed files with 25 additions and 10 deletions
--- a/lib/federation/activity_pub/transmogrifier.ex
+++ b/lib/federation/activity_pub/transmogrifier.ex
@ -902,7 +902,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
         type
       )
       when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
-    # TODO: The actor that accepts the Join activity may another one that the event organizer ?
    # Or maybe for groups it's the group that sends the Accept activity
    with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
           ActivityPub.accept(
--- a/lib/graphql/resolvers/event.ex
+++ b/lib/graphql/resolvers/event.ex
@ -12,6 +12,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
  alias Mobilizon.GraphQL.API

  alias Mobilizon.Federation.ActivityPub.Activity
+  alias Mobilizon.Federation.ActivityPub.Permission
  import Mobilizon.Users.Guards, only: [is_moderator: 1]
  import Mobilizon.Web.Gettext

@ -75,13 +76,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
  defp find_private_event(
         _parent,
         %{uuid: uuid},
-         %{context: %{current_user: %User{id: user_id}}} = _resolution
+         %{context: %{current_user: %User{} = user}} = _resolution
       ) do
-    case {:has_event, Events.get_own_event_by_uuid_with_preload(uuid, user_id)} do
-      {:has_event, %Event{} = event} ->
-        {:ok, event}
+    %Actor{} = profile = Users.get_actor_for_user(user)

-      {:has_event, _} ->
+    case Events.get_event_by_uuid_with_preload(uuid) do
+      # Event attributed to group
+      %Event{attributed_to: %Actor{}} = event ->
+        if Permission.can_access_group_object?(profile, event) do
+          {:ok, event}
+        else
+          {:error, :event_not_found}
+        end
+
+      # Own event
+      %Event{organizer_actor: %Actor{id: actor_id}} = event ->
+        if actor_id == profile.id do
+          {:ok, event}
+        else
+          {:error, :event_not_found}
+        end
+
+      _ ->
        {:error, :event_not_found}
    end
  end
--- a/lib/graphql/resolvers/post.ex
+++ b/lib/graphql/resolvers/post.ex
@ -7,7 +7,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
  alias Mobilizon.{Actors, Posts, Users}
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Federation.ActivityPub
-  alias Mobilizon.Federation.ActivityPub.Utils
+  alias Mobilizon.Federation.ActivityPub.{Permission, Utils}
  alias Mobilizon.Posts.Post
  alias Mobilizon.Storage.Page
  alias Mobilizon.Users.User
@ -69,11 +69,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
          }
        } = _resolution
      ) do
-    with {:current_actor, %Actor{id: actor_id}} <-
+    with {:current_actor, %Actor{} = current_profile} <-
           {:current_actor, Users.get_actor_for_user(user)},
-         {:post, %Post{attributed_to: %Actor{id: group_id}} = post} <-
+         {:post, %Post{attributed_to: %Actor{}} = post} <-
           {:post, Posts.get_post_by_slug_with_preloads(slug)},
-         {:member, true} <- {:member, Actors.is_member?(actor_id, group_id)} do
+         {:member, true} <- {:member, Permission.can_access_group_object?(current_profile, post)} do
      {:ok, post}
    else
      {:member, false} -> get_post(parent, %{slug: slug}, nil)