fix: various bugs & issues
This commit is contained in:
parent
a95206bd74
commit
86e7ecc0fc
15 changed files with 128 additions and 94 deletions
@ -18,6 +18,7 @@ ALGORITHM = "HS256"
### 🔒 Passwords Hashing ##############################################################
async def security_hash_password(password: str):
return pbkdf2_sha256.hash(password)
@ -25,12 +26,15 @@ async def security_hash_password(password: str):
async def security_verify_password(plain_password: str, hashed_password: str):
return pbkdf2_sha256.verify(plain_password, hashed_password)
### 🔒 Passwords Hashing ##############################################################
### 🔒 Roles checking ##############################################################
async def verify_user_rights_with_roles(request: Request, action: str, user_id: str, element_id: str, element_org_id: str):
async def verify_user_rights_with_roles(
request: Request, action: str, user_id: str, element_id: str, element_org_id: str
):
"""
Check if the user has the right to perform the action on the element
"""
@ -39,49 +43,45 @@ async def verify_user_rights_with_roles(request: Request, action: str, user_id:
user = await users.find_one({"user_id": user_id})
# Check if user is available
#########
# Users existence verification
#########
if not user and user_id != "anonymous":
raise HTTPException(
status_code=status.HTTP_404_NOT_FOUND, detail="User not found")
status_code=status.HTTP_404_NOT_FOUND, detail="User rights : User not found"
)
# Check if user is anonymous
if user_id == "anonymous":
return False
# Check if the user is an admin
# Get User
user: UserInDB = UserInDB(**await users.find_one({"user_id": user_id}))
# Organization roles verification
#########
# Organization Roles verification
#########
for org in user.orgs:
# TODO: Check if the org_id (user) is the same as the org_id (element)
if org.org_id == element_org_id:
return True
# Check if user is owner or reader of the organization
if org.org_role == ("owner" or "editor"):
return True
# Check if user is owner or reader of the organization
if org.org_role == ("owner" or "editor"):
return True
# If the user is not an owner or a editor, check if he has a role
# Get user roles
#########
# Roles verification
#########
user_roles = user.roles
# TODO: Check if the org_id of the role is the same as the org_id of the element using find
if action != "create":
await check_user_role_org_with_element_org(request, element_id, user_roles)
# Check if user has the right role
element_type = await check_element_type(element_id)
for role_id in user_roles:
role = RoleInDB(**await roles.find_one({"role_id": role_id}))
if role.elements[element_type][f"action_{action}"]:
return True
return await check_user_role_org_with_element_org(request, element_id, user_roles, action)
# If no role is found, raise an error
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, detail="You don't have the right to perform this action")
status_code=status.HTTP_403_FORBIDDEN,
detail="User rights : You don't have the right to perform this action",
)
async def check_element_type(element_id):
@ -104,11 +104,17 @@ async def check_element_type(element_id):
return "activities"
else:
raise HTTPException(
status_code=status.HTTP_409_CONFLICT, detail="Issue verifying element nature")
status_code=status.HTTP_409_CONFLICT,
detail="User rights : Issue verifying element nature",
)
async def check_user_role_org_with_element_org(request: Request, element_id: str, roles_list: list[UserRolesInOrganization]):
async def check_user_role_org_with_element_org(
request: Request,
element_id: str,
roles_list: list[UserRolesInOrganization],
action: str,
):
element_type = await check_element_type(element_id)
element = request.app.db[element_type]
roles = request.app.db["roles"]
@ -117,19 +123,27 @@ async def check_user_role_org_with_element_org(request: Request, element_id: str
singular_form_element = element_type[:-1]
element_type_id = singular_form_element + "_id"
element_org = await element.find_one({element_type_id: element_id})
for role_id in roles_list:
role = RoleInDB(**await roles.find_one({"role_id": role_id}))
if role.org_id == element_org["org_id"]:
return True
if role.org_id == "*":
return True
for role in roles_list:
# Check if The role belongs to the same organization as the element
role_db = await roles.find_one({"role_id": role.role_id})
role = RoleInDB(**role_db)
if role.org_id == element_org["org_id"] or role.org_id == "*":
# Check if user has the right role
for role in roles_list:
role_db = await roles.find_one({"role_id": role.role_id})
role = RoleInDB(**role_db)
if role.elements[element_type][f"action_{action}"]:
return True
else:
raise HTTPException(
status_code=status.HTTP_403_FORBIDDEN, detail="You don't have the right to perform this action")
status_code=status.HTTP_403_FORBIDDEN,
detail="User rights (roles) : You don't have the right to perform this action",
)
### 🔒 Roles checking ##############################################################
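Review bot: In check_user_role_org_with_element_org the organization check and the action check are decoupled: once one role's org_id matches the element's org (or "*"), the nested `for role in roles_list` rescans every role and returns True if any of them has `action_{action}` set, including a role scoped to a different organization, while the `else: raise` denies on the first role whose org differs instead of trying the remaining ones. Keep both checks on the same role inside a single loop, skip roles outside the element's org, and return a falsy value when nothing matches — the verify_rights hunk already treats that as denial with `if not hasRoleRights and not isAuthor`; the function's signature sits in the preceding hunk. `element_org["org_id"]` is indexed without a None check, so a find_one miss would surface as a TypeError rather than a 404, worth confirming whether that can happen here. In the verify_user_rights_with_roles hunk of the same file, `org.org_role == ("owner" or "editor")` compares against "owner" only and never grants editors — `org.org_role in ("owner", "editor")` is what is meant — and the `raise HTTPException` after `return await check_user_role_org_with_element_org(...)` is unreachable.
```python
    for role in roles_list:
        role_db = await roles.find_one({"role_id": role.role_id})
        role = RoleInDB(**role_db)
        # A role only counts if it is scoped to the element's org (or the wildcard org) ...
        if role.org_id != element_org["org_id"] and role.org_id != "*":
            continue
        # ... and that same role carries the permission for this action
        if role.elements[element_type][f"action_{action}"]:
            return True

    # No role in the element's org grants the action; callers treat a falsy result as denial
    return False
```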
@ -84,6 +84,11 @@ async def get_activity(request: Request, activity_id: str, current_user: PublicU
course = await courses.find_one({"chapters": coursechapter_id})
isCoursePublic = course["public"]
isAuthor = current_user.user_id in course["authors"]
if isAuthor:
activity = ActivityInDB(**activity)
return activity
# verify course rights
hasRoleRights = await verify_user_rights_with_roles(
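Review bot: `course` is indexed as `course["public"]` and `course["authors"]` straight after `courses.find_one(...)` with no None check, so a chapter whose course lookup misses would raise TypeError (a 500) rather than a 404, unless a guard before the hunk already covers it — I cannot see one from here. `isCoursePublic` is assigned but not referenced in the visible lines; if get_activity consumes it further down that is fine, otherwise it should be dropped. Style: `isCoursePublic`, `isAuthor` and `hasRoleRights` are camelCase locals next to snake_case names such as `coursechapter_id` and `activity_id`; `is_course_public`, `is_author` and `has_role_rights` would match PEP 8 and the rest of the file. get_activity starts before this hunk and continues past it.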
@ -374,6 +374,11 @@ async def verify_rights(
course = await courses.find_one({"course_id": course_id})
isAuthor = current_user.user_id in course["authors"]
if isAuthor:
return True
if (
current_user.user_id == "anonymous"
and course["public"] is True
@ -390,7 +395,7 @@ async def verify_rights(
hasRoleRights = await verify_user_rights_with_roles(
request, action, current_user.user_id, course_id, course["org_id"]
)
isAuthor = current_user.user_id in course["authors"]
if not hasRoleRights and not isAuthor:
raise HTTPException(
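Review bot: With the early `if isAuthor: return True` added in the first hunk of verify_rights, the later `if not hasRoleRights and not isAuthor:` can only be reached with `isAuthor` false, so the `and not isAuthor` clause is now dead and the condition reduces to `if not hasRoleRights:`. `course["authors"]` is indexed right after `courses.find_one(...)` without a None check, so an unknown course_id would raise TypeError instead of a 404 unless a guard before the hunk covers it; I cannot tell from the visible lines. verify_rights starts before these hunks.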