From 945d1307babce91cfdab2737720ebf27043ea035 Mon Sep 17 00:00:00 2001 From: fistutzenste Date: Thu, 30 Jul 2020 08:57:57 +0200 Subject: [PATCH] Permission Service --- .gitmodules | 3 + db.sh | 2 +- docker/docker-compose.dev.yml | 11 +++ docker/services.env | 3 + docs/interfaces/permission-service.txt | 102 +++++++++++++++++++++++++ openslides-auth-service | 2 +- openslides-autoupdate-service | 2 +- openslides-backend | 2 +- openslides-permission-service | 1 + services.env | 3 + 10 files changed, 127 insertions(+), 4 deletions(-) create mode 100644 docs/interfaces/permission-service.txt create mode 160000 openslides-permission-service
diff --git a/.gitmodules b/.gitmodules
index 97e6e4808..17b36605e 100644
--- a/.gitmodules
+++ b/.gitmodules
@@ -21,3 +21,6 @@
 path = openslides-media-service
 url = git@github.com:OpenSlides/openslides-media-service.git
 branch = openslides4-dev
+[submodule "openslides-permission-service"]
+ path = openslides-permission-service
+ url = git@github.com:OpenSlides/openslides-permission-service.git
diff --git a/db.sh b/db.sh
index 34b1e6bef..b9568604f 100755
--- a/db.sh
+++ b/db.sh
@@ -1,2 +1,2 @@
 #!/bin/bash
-docker-compose -f docker-compose.yml -f docker-compose.dev.yml exec datastore-writer psql -h postgres -U openslides
+docker-compose -f docker/docker-compose.dev.yml exec datastore-writer psql -h postgres -U openslides
diff --git a/docker/docker-compose.dev.yml b/docker/docker-compose.dev.yml
index d5c12734d..000298fe1 100644
--- a/docker/docker-compose.dev.yml
+++ b/docker/docker-compose.dev.yml
@@ -48,6 +48,8 @@ services:
 depends_on:
 - datastore-reader
 - datastore-writer
+ - auth
+ - permission
 env_file: services.env
 volumes:
 - ../openslides-backend/openslides_backend:/app/openslides_backend
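Review bot: The new `openslides-permission-service` submodule entry has no `branch =` line, while the `openslides-media-service` entry directly above it pins `branch = openslides4-dev`; a `git submodule update --remote` will therefore follow the remote's default branch for this one service only. If the permission service is developed on the same branch as the other services, add `branch = openslides4-dev` to the new section so the entries stay consistent. If it deliberately tracks the default branch, a short comment saying so would stop the next reader from "fixing" it.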
@@ -62,6 +64,15 @@ services: volumes: - ../openslides-autoupdate-service/cmd:/root/cmd - ../openslides-autoupdate-service/internal:/root/internal + permission: + image: openslides-permission-dev + depends_on: + - datastore-reader + env_file: services.env + volumes: + - ../openslides-permission-service/cmd:/app/cmd + - ../openslides-permission-service/internal:/app/internal + - ../openslides-permission-service/pkg:/app/pkg auth: image: openslides-auth-dev depends_on: diff --git a/docker/services.env b/docker/services.env index 8444aa769..cd51ccfea 100644 --- a/docker/services.env +++ b/docker/services.env @@ -12,6 +12,9 @@ ACTION_PORT=9002 PRESENTER_HOST=backend PRESENTER_PORT=9003 +PERMISSION_HOST=permission +PERMISSION_PORT=9005 + AUTH_HOST=auth AUTH_PORT=9004 CACHE_HOST=cache diff --git a/docs/interfaces/permission-service.txt b/docs/interfaces/permission-service.txt new file mode 100644 index 000000000..c468bbd1d --- /dev/null +++ b/docs/interfaces/permission-service.txt 
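Review bot: The new `permission` service is wired in only through `depends_on`, which orders container start-up but does not wait for the service to listen on `PERMISSION_PORT`, so the backend (which now lists `permission` in its own `depends_on` in the first hunk of this file) can issue its first permission checks against a service that is not up yet. Because this service is the authorization gate for the backend, that window must resolve to a denial, not an allow; I cannot see the client code from here, but the expectation is worth stating at the definition, e.g. `# authorization gate for backend: an unreachable service must count as "not allowed"`. A healthcheck on `permission` plus `condition: service_healthy` on the backend's dependency would close the gap if the compose file format version in use supports it (the version line is outside the hunk).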
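Review bot: `PERMISSION_HOST`/`PERMISSION_PORT` are added here and, byte-for-byte, in the root `services.env` (the last hunk of this patch; both files carry the same blob ids `8444aa769..cd51ccfea`), so the service configuration now lives in two copies that have to be edited in lockstep and will silently drift. Nothing in the patch ties the two together; if both files are needed because compose resolves `env_file: services.env` relative to the compose file's directory, consider making one a symlink or generating one from the other, and otherwise add `# keep in sync with services.env at the repository root` at the top so the duplication is at least visible. This note covers the root `services.env` hunk as well.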
@@ -0,0 +1,102 @@
+# Permission Service Interface
+
+
+/**
+ * Returns true, if the thing requested (identified by `name`) is allowed for each
+ * provided data in `dataList` by the user given by `user_id`.
+ *
+ * Convention: For each action and presenter, there will be an permission check.
+ * This is not enforced but a good guideline to see which permission check belongs
+ * to which usecase.
+ *
+ * Returns an object with the allowed giving the result. If `allowed` is true, additional
+ * permission related information can be provided in `addition`. There is either `null` or
+ * an object per data. E.g. for motion update the supporters my be cleared, if the user has
+ * no manage perms. This will be given as `{clearSupporters: true}`.
+ *
+ * If it was not allowed, one of the data in `dataList` was not allowed. This index is given
+ * together with the `reason` in `error_index`.
+ **/
+is_allowed(name: string, user_id: Id, dataList: object[]):
+ {allowed: true, additions: (object | null)[]} |
+ {allowed: false, reason: string, error_index: number}
+
+
+/**
+ * Filters the fqfields that can ve deen by the user. Only fqfields are returned, that are accessible.
+ *
+ * First, it is checked, if the object can be seen (check the fqid with restrict_fqids). If so there are some
+ * special cases:
+ * - Polls
+ * - User
+ * TODO
+ *
+ **/
+restrict_fqfields(fqfields: Fqfield[], user_id: Id): Fqfield[]
+
+
+/**
+ * Filters the fqids, if the objects can be seen by the users. Only fqids from
+ * accessible objects are returned.
+ *
+ * Global special cases:
+ * - All fqids, if the user has the superadmin role
+ * - Within the context of a committee: Accessible, if the user is manager of this committee.
+ * - Within the context of a meeting: Accessible, if the user is in the superadmin group of the meeting.
+ *
+ * Non-meeting specific collections:
+ * - organisation: true
+ * - role: true
+ * - User: TODO!!
+ * - committee: Can the user see the committee
+ * - meeting: is the user in meeting/user_ids
+ * TODO: Meeting: Antragsweiterleitungsstruktur!!
+ *
+ * meeting-specific collections (Always check first, if the user can see the meeting):
+ * - motion: can_see? State, state restrctions and submitter? [1]
+ * - agenda_item: can_see? is_hidden/is_internal -> can_manage?
+ * - motion_lock: can_see? internal -> can_manage?
+ * - Mediafile: TODO
+ * - motion_comment: Can the motion be seen and is the user in one of the read_groups?
+ * - personal_note: Is it the correct user? Can the content object be seen?
+ * - *: can_see?
+ *
+ * [1] Exception: origin/derived motions can bee seen, but only title/number. TODO
+ *
+ **/
+restrict_fqids(fqids: Fqid[], user_id: Id): Fqids[]
+
+
+/**
+ * Should be called for each update of the datastore with the changed data. It
+ * returns user ids, which should get a full update since too many/complicated
+ * permission changes accur.
+ *
+ * Possible reasons for additional updates:
+ * 1) A permission related relation to a user has changed:
+ * - Relation to a group
+ * - Relation to a meeting (via guest/temporary relation)
+ * - Relation to a committee (or an upgrade/downgrade as a manager)
+ * 2) Role of a user has changed
+ * 3) Permissions of a group changed -> Full update for all users in this group
+ * 4) Changes in specific (meeting-related) models:
+ * - Motion submitter:
+ * - Motion state: Update des Antrages
+ * - Motion block internal: Update des Blocks
+ * - Motion comment section read groups: Update aller Comments dieser Section
+ * - State restrictions: Update aller Anträge in dem State
+ * - Agendaitem visibility: Update des Agendaitems
+ * - Poll state: Wenn state==published volles update aller options/votes
+ * - Mediafile (has_)inherited_access_groups: Update der Mediafile
+ * - Mediafile used_as_*: Update der Mediafile
+ *
+ **/
+additional_update(updated: {[fqfield: Fqfield]: Value}): Id[]
+
+/**
+ * This technical 
interface must be implemented by the services + * users. + */ +Interface DataProvider { + get: (fqfields: Fqfield[]) => {[fqfield: Fqfield]: Value} +} diff --git a/openslides-auth-service b/openslides-auth-service index a0942237a..cb3c6dd6f 160000 --- a/openslides-auth-service +++ b/openslides-auth-service @@ -1 +1 @@ -Subproject commit a0942237aec45a968ef7b0d0e3829d966f65747a +Subproject commit cb3c6dd6f19c7c66ef41a68008153e196a171257 diff --git a/openslides-autoupdate-service b/openslides-autoupdate-service index 0da4e3aa2..5dee403d9 160000 --- a/openslides-autoupdate-service +++ b/openslides-autoupdate-service @@ -1 +1 @@ -Subproject commit 0da4e3aa2ea65020911d0cbd372c9c21ab3780a6 +Subproject commit 5dee403d9dac436efadb00e732252d1506db58ec diff --git a/openslides-backend b/openslides-backend index ecea11623..1b69f26af 160000 --- a/openslides-backend +++ b/openslides-backend @@ -1 +1 @@ -Subproject commit ecea1162319b83b997a1dca2df9d8d4e4fa1e4e2 +Subproject commit 1b69f26af9055509a922362bcf3ef764a22e14c4 diff --git a/openslides-permission-service b/openslides-permission-service new file mode 160000 index 000000000..070dcf008 --- /dev/null +++ b/openslides-permission-service @@ -0,0 +1 @@ +Subproject commit 070dcf0089a1f580f1af05283ea6e60f99235b92 diff --git a/services.env b/services.env index 8444aa769..cd51ccfea 100644 --- a/services.env +++ b/services.env @@ -12,6 +12,9 @@ ACTION_PORT=9002 PRESENTER_HOST=backend PRESENTER_PORT=9003 +PERMISSION_HOST=permission +PERMISSION_PORT=9005 + AUTH_HOST=auth AUTH_PORT=9004 CACHE_HOST=cache