Merge pull request #5646 from FinnStutzenstein/permissionService
Permission service
This commit is contained in:
commit
c48b5277c4
3
.gitmodules
vendored
3
.gitmodules
vendored
@ -21,3 +21,6 @@
|
|||||||
path = openslides-media-service
|
path = openslides-media-service
|
||||||
url = git@github.com:OpenSlides/openslides-media-service.git
|
url = git@github.com:OpenSlides/openslides-media-service.git
|
||||||
branch = openslides4-dev
|
branch = openslides4-dev
|
||||||
|
[submodule "openslides-permission-service"]
|
||||||
|
path = openslides-permission-service
|
||||||
|
url = git@github.com:OpenSlides/openslides-permission-service.git
|
||||||
|
2
db.sh
2
db.sh
@ -1,2 +1,2 @@
|
|||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
docker-compose -f docker-compose.yml -f docker-compose.dev.yml exec datastore-writer psql -h postgres -U openslides
|
docker-compose -f docker/docker-compose.dev.yml exec datastore-writer psql -h postgres -U openslides
|
||||||
|
@ -48,6 +48,8 @@ services:
|
|||||||
depends_on:
|
depends_on:
|
||||||
- datastore-reader
|
- datastore-reader
|
||||||
- datastore-writer
|
- datastore-writer
|
||||||
|
- auth
|
||||||
|
- permission
|
||||||
env_file: services.env
|
env_file: services.env
|
||||||
volumes:
|
volumes:
|
||||||
- ../openslides-backend/openslides_backend:/app/openslides_backend
|
- ../openslides-backend/openslides_backend:/app/openslides_backend
|
||||||
@ -62,6 +64,15 @@ services:
|
|||||||
volumes:
|
volumes:
|
||||||
- ../openslides-autoupdate-service/cmd:/root/cmd
|
- ../openslides-autoupdate-service/cmd:/root/cmd
|
||||||
- ../openslides-autoupdate-service/internal:/root/internal
|
- ../openslides-autoupdate-service/internal:/root/internal
|
||||||
|
permission:
|
||||||
|
image: openslides-permission-dev
|
||||||
|
depends_on:
|
||||||
|
- datastore-reader
|
||||||
|
env_file: services.env
|
||||||
|
volumes:
|
||||||
|
- ../openslides-permission-service/cmd:/app/cmd
|
||||||
|
- ../openslides-permission-service/internal:/app/internal
|
||||||
|
- ../openslides-permission-service/pkg:/app/pkg
|
||||||
auth:
|
auth:
|
||||||
image: openslides-auth-dev
|
image: openslides-auth-dev
|
||||||
depends_on:
|
depends_on:
|
||||||
|
@ -12,6 +12,9 @@ ACTION_PORT=9002
|
|||||||
PRESENTER_HOST=backend
|
PRESENTER_HOST=backend
|
||||||
PRESENTER_PORT=9003
|
PRESENTER_PORT=9003
|
||||||
|
|
||||||
|
PERMISSION_HOST=permission
|
||||||
|
PERMISSION_PORT=9005
|
||||||
|
|
||||||
AUTH_HOST=auth
|
AUTH_HOST=auth
|
||||||
AUTH_PORT=9004
|
AUTH_PORT=9004
|
||||||
CACHE_HOST=cache
|
CACHE_HOST=cache
|
||||||
|
102
docs/interfaces/permission-service.txt
Normal file
102
docs/interfaces/permission-service.txt
Normal file
@ -0,0 +1,102 @@
|
|||||||
|
# Permission Service Interface
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Returns true, if the thing requested (identified by `name`) is allowed for each
|
||||||
|
* provided data in `dataList` by the user given by `user_id`.
|
||||||
|
*
|
||||||
|
* Convention: For each action and presenter, there will be an permission check.
|
||||||
|
* This is not enforced but a good guideline to see which permission check belongs
|
||||||
|
* to which usecase.
|
||||||
|
*
|
||||||
|
* Returns an object with the allowed giving the result. If `allowed` is true, additional
|
||||||
|
* permission related information can be provided in `addition`. There is either `null` or
|
||||||
|
* an object per data. E.g. for motion update the supporters my be cleared, if the user has
|
||||||
|
* no manage perms. This will be given as `{clearSupporters: true}`.
|
||||||
|
*
|
||||||
|
* If it was not allowed, one of the data in `dataList` was not allowed. This index is given
|
||||||
|
* together with the `reason` in `error_index`.
|
||||||
|
**/
|
||||||
|
is_allowed(name: string, user_id: Id, dataList: object[]):
|
||||||
|
{allowed: true, additions: (object | null)[]} |
|
||||||
|
{allowed: false, reason: string, error_index: number}
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters the fqfields that can ve deen by the user. Only fqfields are returned, that are accessible.
|
||||||
|
*
|
||||||
|
* First, it is checked, if the object can be seen (check the fqid with restrict_fqids). If so there are some
|
||||||
|
* special cases:
|
||||||
|
* - Polls
|
||||||
|
* - User
|
||||||
|
* TODO
|
||||||
|
*
|
||||||
|
**/
|
||||||
|
restrict_fqfields(fqfields: Fqfield[], user_id: Id): Fqfield[]
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Filters the fqids, if the objects can be seen by the users. Only fqids from
|
||||||
|
* accessible objects are returned.
|
||||||
|
*
|
||||||
|
* Global special cases:
|
||||||
|
* - All fqids, if the user has the superadmin role
|
||||||
|
* - Within the context of a committee: Accessible, if the user is manager of this committee.
|
||||||
|
* - Within the context of a meeting: Accessible, if the user is in the superadmin group of the meeting.
|
||||||
|
*
|
||||||
|
* Non-meeting specific collections:
|
||||||
|
* - organisation: true
|
||||||
|
* - role: true
|
||||||
|
* - User: TODO!!
|
||||||
|
* - committee: Can the user see the committee
|
||||||
|
* - meeting: is the user in meeting/user_ids
|
||||||
|
* TODO: Meeting: Antragsweiterleitungsstruktur!!
|
||||||
|
*
|
||||||
|
* meeting-specific collections (Always check first, if the user can see the meeting):
|
||||||
|
* - motion: can_see? State, state restrctions and submitter? [1]
|
||||||
|
* - agenda_item: can_see? is_hidden/is_internal -> can_manage?
|
||||||
|
* - motion_lock: can_see? internal -> can_manage?
|
||||||
|
* - Mediafile: TODO
|
||||||
|
* - motion_comment: Can the motion be seen and is the user in one of the read_groups?
|
||||||
|
* - personal_note: Is it the correct user? Can the content object be seen?
|
||||||
|
* - *: can_see?
|
||||||
|
*
|
||||||
|
* [1] Exception: origin/derived motions can bee seen, but only title/number. TODO
|
||||||
|
*
|
||||||
|
**/
|
||||||
|
restrict_fqids(fqids: Fqid[], user_id: Id): Fqids[]
|
||||||
|
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Should be called for each update of the datastore with the changed data. It
|
||||||
|
* returns user ids, which should get a full update since too many/complicated
|
||||||
|
* permission changes accur.
|
||||||
|
*
|
||||||
|
* Possible reasons for additional updates:
|
||||||
|
* 1) A permission related relation to a user has changed:
|
||||||
|
* - Relation to a group
|
||||||
|
* - Relation to a meeting (via guest/temporary relation)
|
||||||
|
* - Relation to a committee (or an upgrade/downgrade as a manager)
|
||||||
|
* 2) Role of a user has changed
|
||||||
|
* 3) Permissions of a group changed -> Full update for all users in this group
|
||||||
|
* 4) Changes in specific (meeting-related) models:
|
||||||
|
* - Motion submitter:
|
||||||
|
* - Motion state: Update des Antrages
|
||||||
|
* - Motion block internal: Update des Blocks
|
||||||
|
* - Motion comment section read groups: Update aller Comments dieser Section
|
||||||
|
* - State restrictions: Update aller Anträge in dem State
|
||||||
|
* - Agendaitem visibility: Update des Agendaitems
|
||||||
|
* - Poll state: Wenn state==published volles update aller options/votes
|
||||||
|
* - Mediafile (has_)inherited_access_groups: Update der Mediafile
|
||||||
|
* - Mediafile used_as_*: Update der Mediafile
|
||||||
|
*
|
||||||
|
**/
|
||||||
|
additional_update(updated: {[fqfield: Fqfield]: Value}): Id[]
|
||||||
|
|
||||||
|
/**
|
||||||
|
* This technical interface must be implemented by the services
|
||||||
|
* users.
|
||||||
|
*/
|
||||||
|
Interface DataProvider {
|
||||||
|
get: (fqfields: Fqfield[]) => {[fqfield: Fqfield]: Value}
|
||||||
|
}
|
@ -1 +1 @@
|
|||||||
Subproject commit a0942237aec45a968ef7b0d0e3829d966f65747a
|
Subproject commit cb3c6dd6f19c7c66ef41a68008153e196a171257
|
@ -1 +1 @@
|
|||||||
Subproject commit 0da4e3aa2ea65020911d0cbd372c9c21ab3780a6
|
Subproject commit 5dee403d9dac436efadb00e732252d1506db58ec
|
@ -1 +1 @@
|
|||||||
Subproject commit ecea1162319b83b997a1dca2df9d8d4e4fa1e4e2
|
Subproject commit 1b69f26af9055509a922362bcf3ef764a22e14c4
|
1
openslides-permission-service
Submodule
1
openslides-permission-service
Submodule
@ -0,0 +1 @@
|
|||||||
|
Subproject commit 070dcf0089a1f580f1af05283ea6e60f99235b92
|
@ -12,6 +12,9 @@ ACTION_PORT=9002
|
|||||||
PRESENTER_HOST=backend
|
PRESENTER_HOST=backend
|
||||||
PRESENTER_PORT=9003
|
PRESENTER_PORT=9003
|
||||||
|
|
||||||
|
PERMISSION_HOST=permission
|
||||||
|
PERMISSION_PORT=9005
|
||||||
|
|
||||||
AUTH_HOST=auth
|
AUTH_HOST=auth
|
||||||
AUTH_PORT=9004
|
AUTH_PORT=9004
|
||||||
CACHE_HOST=cache
|
CACHE_HOST=cache
|
||||||
|
Loading…
Reference in New Issue
Block a user