CodeMirror/appwrite
1
0
Fork 0
mirror of synced 2024-06-29 19:50:26 +12:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2511 from appwrite/remove-authorization-disable-calls

Browse source 
refactor: replace authorization disable with skip
This commit is contained in:
Eldad A. Fux 2021-12-20 12:54:59 +02:00 committed by GitHub
parent 1b97c9cd43 8826984b1f
commit c068088f79
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
app/controllers/api/account.php
View file

@ -88,11 +88,9 @@ App::post('/v1/account')
}
}
Authorization::disable();
try {
$userId = $userId == 'unique()' ? $dbForInternal->getId() : $userId;
$user = $dbForInternal->createDocument('users', new Document([
$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId,
'$read' => ['role:all'],
'$write' => ['user:' . $userId],
@ -110,13 +108,11 @@ App::post('/v1/account')
'memberships' => [],
'search' => implode(' ', [$userId, $email, $name]),
'deleted' => false
]));
])));
} catch (Duplicate $th) {
throw new Exception('Account already exists', 409);
}
Authorization::reset();
Authorization::unsetRole('role:' . Auth::USER_ROLE_GUEST);
Authorization::setRole('user:' . $user->getId());
Authorization::setRole('role:' . Auth::USER_ROLE_MEMBER);
@ -490,11 +486,9 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
}
}
Authorization::disable();
try {
$userId = $dbForInternal->getId();
$user = $dbForInternal->createDocument('users', new Document([
$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId,
'$read' => ['role:all'],
'$write' => ['user:' . $userId],
@ -512,12 +506,10 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
'memberships' => [],
'search' => implode(' ', [$userId, $email, $name]),
'deleted' => false
]));
])));
} catch (Duplicate $th) {
throw new Exception('Account already exists', 409);
}
Authorization::reset();
}
}
@ -939,10 +931,8 @@ App::post('/v1/account/sessions/anonymous')
}
}
Authorization::disable();
$userId = $dbForInternal->getId();
$user = $dbForInternal->createDocument('users', new Document([
$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId,
'$read' => ['role:all'],
'$write' => ['user:' . $userId],
@ -960,9 +950,7 @@ App::post('/v1/account/sessions/anonymous')
'memberships' => [],
'search' => $userId,
'deleted' => false
]));
Authorization::reset();
])));
// Create session token

22
app/controllers/api/functions.php
View file

@ -700,15 +700,13 @@ App::post('/v1/functions/:functionId/executions')
/** @var Utopia\Database\Database $dbForInternal */
/** @var Utopia\Database\Document $user */
Authorization::disable();
$function = $dbForInternal->getDocument('functions', $functionId);
$function = Authorization::skip(fn() => $dbForInternal->getDocument('functions', $functionId));
if ($function->isEmpty()) {
throw new Exception('Function not found', 404);
}
$tag = $dbForInternal->getDocument('tags', $function->getAttribute('tag'));
$tag = Authorization::skip(fn() => $dbForInternal->getDocument('tags', $function->getAttribute('tag')));
if ($tag->getAttribute('functionId') !== $function->getId()) {
throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404);
@ -718,19 +716,15 @@ App::post('/v1/functions/:functionId/executions')
throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404);
}
Authorization::reset();
$validator = new Authorization($function, 'execute');
if (!$validator->isValid($function->getAttribute('execute'))) { // Check if user has write access to execute function
throw new Exception($validator->getDescription(), 401);
}
Authorization::disable();
$executionId = $dbForInternal->getId();
$execution = $dbForInternal->createDocument('executions', new Document([
$execution = Authorization::skip(fn() => $dbForInternal->createDocument('executions', new Document([
'$id' => $executionId,
'$read' => (!$user->isEmpty()) ? ['user:' . $user->getId()] : [],
'$write' => [],
@ -744,9 +738,7 @@ App::post('/v1/functions/:functionId/executions')
'stderr' => '',
'time' => 0.0,
'search' => implode(' ', [$functionId, $executionId]),
]));
Authorization::reset();
])));
$jwt = ''; // initialize
if (!$user->isEmpty()) { // If userId exists, generate a JWT for function
@ -856,10 +848,8 @@ App::get('/v1/functions/:functionId/executions/:executionId')
->action(function ($functionId, $executionId, $response, $dbForInternal) {
/** @var Appwrite\Utopia\Response $response */
/** @var Utopia\Database\Database $dbForInternal */
Authorization::disable();
$function = $dbForInternal->getDocument('functions', $functionId);
Authorization::reset();
$function = Authorization::skip(fn() => $dbForInternal->getDocument('functions', $functionId));
if ($function->isEmpty()) {
throw new Exception('Function not found', 404);

42
app/controllers/api/teams.php
View file

@ -47,13 +47,11 @@ App::post('/v1/teams')
/** @var Utopia\Database\Database $dbForInternal */
/** @var Appwrite\Event\Event $events */
Authorization::disable();
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAppUser = Auth::isAppUser(Authorization::getRoles());
$teamId = $teamId == 'unique()' ? $dbForInternal->getId() : $teamId;
$team = $dbForInternal->createDocument('teams', new Document([
$team = Authorization::skip(fn() => $dbForInternal->createDocument('teams', new Document([
'$id' => $teamId ,
'$read' => ['team:'.$teamId],
'$write' => ['team:'.$teamId .'/owner'],
@ -61,9 +59,7 @@ App::post('/v1/teams')
'sum' => ($isPrivilegedUser || $isAppUser) ? 0 : 1,
'dateCreated' => \time(),
'search' => implode(' ', [$teamId, $name]),
]));
Authorization::reset();
])));
if (!$isPrivilegedUser && !$isAppUser) { // Don't add user on server mode
$membership = new Document([
@ -318,11 +314,9 @@ App::post('/v1/teams/:teamId/memberships')
}
}
Authorization::disable();
try {
$userId = $dbForInternal->getId();
$invitee = $dbForInternal->createDocument('users', new Document([
$invitee = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId,
'$read' => ['user:'.$userId, 'role:all'],
'$write' => ['user:'.$userId],
@ -344,12 +338,10 @@ App::post('/v1/teams/:teamId/memberships')
'tokens' => [],
'memberships' => [],
'search' => implode(' ', [$userId, $email, $name]),
]));
])));
} catch (Duplicate $th) {
throw new Exception('Account already exists', 409);
}
Authorization::reset();
}
$isOwner = Authorization::isRole('team:'.$team->getId().'/owner');;
@ -374,21 +366,18 @@ App::post('/v1/teams/:teamId/memberships')
]);
if ($isPrivilegedUser || $isAppUser) { // Allow admin to create membership
Authorization::disable();
try {
$membership = $dbForInternal->createDocument('memberships', $membership);
$membership = Authorization::skip(fn() => $dbForInternal->createDocument('memberships', $membership));
} catch (Duplicate $th) {
throw new Exception('User has already been invited or is already a member of this team', 409);
}
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1));
$team->setAttribute('sum', $team->getAttribute('sum', 0) + 1);
$team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team));
// Attach user to team
$invitee->setAttribute('memberships', $membership, Document::SET_TYPE_APPEND);
$invitee = $dbForInternal->updateDocument('users', $invitee->getId(), $invitee);
Authorization::reset();
$invitee = Authorization::skip(fn() => $dbForInternal->updateDocument('users', $invitee->getId(), $invitee));
} else {
try {
$membership = $dbForInternal->createDocument('memberships', $membership);
@ -702,11 +691,7 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status')
$user = $dbForInternal->updateDocument('users', $user->getId(), $user);
$membership = $dbForInternal->updateDocument('memberships', $membership->getId(), $membership);
Authorization::disable();
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1));
Authorization::reset();
$team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1)));
$audits
->setParam('userId', $user->getId())
@ -791,14 +776,13 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
}
}
Authorization::disable();
$user->setAttribute('memberships', $memberships);
$dbForInternal->updateDocument('users', $user->getId(), $user->setAttribute('memberships', $memberships));
Authorization::reset();
Authorization::skip(fn() => $dbForInternal->updateDocument('users', $user->getId(), $user));
if ($membership->getAttribute('confirm')) { // Count only confirmed members
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0)));
$team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0));
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team);
}
$audits

11
app/init.php
View file

@ -706,18 +706,13 @@ App::setResource('project', function($dbForConsole, $request, $console) {
/** @var Utopia\Database\Database $dbForConsole */
/** @var Utopia\Database\Document $console */
$projectId = $request->getParam('project',
$request->getHeader('x-appwrite-project', 'console'));
$projectId = $request->getParam('project', $request->getHeader('x-appwrite-project', 'console'));
if($projectId === 'console') {
return $console;
}
Authorization::disable();
$project = $dbForConsole->getDocument('projects', $projectId);
Authorization::reset();
$project = Authorization::skip(fn() => $dbForConsole->getDocument('projects', $projectId));
return $project;
}, ['dbForConsole', 'request', 'console']);