CodeMirror/appwrite
1
0
Fork 0
mirror of synced 2024-07-02 05:00:33 +12:00
Code Issues Projects Releases Wiki Activity

Merge pull request #2511 from appwrite/remove-authorization-disable-calls

Browse source 
refactor: replace authorization disable with skip
This commit is contained in:
Eldad A. Fux 2021-12-20 12:54:59 +02:00 committed by GitHub
parent 1b97c9cd43 8826984b1f
commit c068088f79
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 28 additions and 71 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
app/controllers/api/account.php
View file

@ -88,11 +88,9 @@ App::post('/v1/account')
} }
} }
Authorization::disable();
try { try {
$userId = $userId == 'unique()' ? $dbForInternal->getId() : $userId; $userId = $userId == 'unique()' ? $dbForInternal->getId() : $userId;
$user = $dbForInternal->createDocument('users', new Document([ $user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId, '$id' => $userId,
'$read' => ['role:all'], '$read' => ['role:all'],
'$write' => ['user:' . $userId], '$write' => ['user:' . $userId],
@ -110,13 +108,11 @@ App::post('/v1/account')
'memberships' => [], 'memberships' => [],
'search' => implode(' ', [$userId, $email, $name]), 'search' => implode(' ', [$userId, $email, $name]),
'deleted' => false 'deleted' => false
])); ])));
} catch (Duplicate $th) { } catch (Duplicate $th) {
throw new Exception('Account already exists', 409); throw new Exception('Account already exists', 409);
} }
Authorization::reset();
Authorization::unsetRole('role:' . Auth::USER_ROLE_GUEST); Authorization::unsetRole('role:' . Auth::USER_ROLE_GUEST);
Authorization::setRole('user:' . $user->getId()); Authorization::setRole('user:' . $user->getId());
Authorization::setRole('role:' . Auth::USER_ROLE_MEMBER); Authorization::setRole('role:' . Auth::USER_ROLE_MEMBER);
@ -490,11 +486,9 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
} }
} }
Authorization::disable();
try { try {
$userId = $dbForInternal->getId(); $userId = $dbForInternal->getId();
$user = $dbForInternal->createDocument('users', new Document([ $user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId, '$id' => $userId,
'$read' => ['role:all'], '$read' => ['role:all'],
'$write' => ['user:' . $userId], '$write' => ['user:' . $userId],
@ -512,12 +506,10 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
'memberships' => [], 'memberships' => [],
'search' => implode(' ', [$userId, $email, $name]), 'search' => implode(' ', [$userId, $email, $name]),
'deleted' => false 'deleted' => false
])); ])));
} catch (Duplicate $th) { } catch (Duplicate $th) {
throw new Exception('Account already exists', 409); throw new Exception('Account already exists', 409);
} }
Authorization::reset();
} }
} }
@ -939,10 +931,8 @@ App::post('/v1/account/sessions/anonymous')
} }
} }
Authorization::disable();
$userId = $dbForInternal->getId(); $userId = $dbForInternal->getId();
$user = $dbForInternal->createDocument('users', new Document([ $user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId, '$id' => $userId,
'$read' => ['role:all'], '$read' => ['role:all'],
'$write' => ['user:' . $userId], '$write' => ['user:' . $userId],
@ -960,9 +950,7 @@ App::post('/v1/account/sessions/anonymous')
'memberships' => [], 'memberships' => [],
'search' => $userId, 'search' => $userId,
'deleted' => false 'deleted' => false
])); ])));
Authorization::reset();
// Create session token // Create session token

22
app/controllers/api/functions.php
View file

@ -700,15 +700,13 @@ App::post('/v1/functions/:functionId/executions')
/** @var Utopia\Database\Database $dbForInternal */ /** @var Utopia\Database\Database $dbForInternal */
/** @var Utopia\Database\Document $user */ /** @var Utopia\Database\Document $user */
Authorization::disable(); $function = Authorization::skip(fn() => $dbForInternal->getDocument('functions', $functionId));
$function = $dbForInternal->getDocument('functions', $functionId);
if ($function->isEmpty()) { if ($function->isEmpty()) {
throw new Exception('Function not found', 404); throw new Exception('Function not found', 404);
} }
$tag = $dbForInternal->getDocument('tags', $function->getAttribute('tag')); $tag = Authorization::skip(fn() => $dbForInternal->getDocument('tags', $function->getAttribute('tag')));
if ($tag->getAttribute('functionId') !== $function->getId()) { if ($tag->getAttribute('functionId') !== $function->getId()) {
throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404); throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404);
@ -718,19 +716,15 @@ App::post('/v1/functions/:functionId/executions')
throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404); throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404);
} }
Authorization::reset();
$validator = new Authorization($function, 'execute'); $validator = new Authorization($function, 'execute');
if (!$validator->isValid($function->getAttribute('execute'))) { // Check if user has write access to execute function if (!$validator->isValid($function->getAttribute('execute'))) { // Check if user has write access to execute function
throw new Exception($validator->getDescription(), 401); throw new Exception($validator->getDescription(), 401);
} }
Authorization::disable();
$executionId = $dbForInternal->getId(); $executionId = $dbForInternal->getId();
$execution = $dbForInternal->createDocument('executions', new Document([ $execution = Authorization::skip(fn() => $dbForInternal->createDocument('executions', new Document([
'$id' => $executionId, '$id' => $executionId,
'$read' => (!$user->isEmpty()) ? ['user:' . $user->getId()] : [], '$read' => (!$user->isEmpty()) ? ['user:' . $user->getId()] : [],
'$write' => [], '$write' => [],
@ -744,9 +738,7 @@ App::post('/v1/functions/:functionId/executions')
'stderr' => '', 'stderr' => '',
'time' => 0.0, 'time' => 0.0,
'search' => implode(' ', [$functionId, $executionId]), 'search' => implode(' ', [$functionId, $executionId]),
])); ])));
Authorization::reset();
$jwt = ''; // initialize $jwt = ''; // initialize
if (!$user->isEmpty()) { // If userId exists, generate a JWT for function if (!$user->isEmpty()) { // If userId exists, generate a JWT for function
@ -856,10 +848,8 @@ App::get('/v1/functions/:functionId/executions/:executionId')
->action(function ($functionId, $executionId, $response, $dbForInternal) { ->action(function ($functionId, $executionId, $response, $dbForInternal) {
/** @var Appwrite\Utopia\Response $response */ /** @var Appwrite\Utopia\Response $response */
/** @var Utopia\Database\Database $dbForInternal */ /** @var Utopia\Database\Database $dbForInternal */
Authorization::disable(); $function = Authorization::skip(fn() => $dbForInternal->getDocument('functions', $functionId));
$function = $dbForInternal->getDocument('functions', $functionId);
Authorization::reset();
if ($function->isEmpty()) { if ($function->isEmpty()) {
throw new Exception('Function not found', 404); throw new Exception('Function not found', 404);

42
app/controllers/api/teams.php
View file

@ -47,13 +47,11 @@ App::post('/v1/teams')
/** @var Utopia\Database\Database $dbForInternal */ /** @var Utopia\Database\Database $dbForInternal */
/** @var Appwrite\Event\Event $events */ /** @var Appwrite\Event\Event $events */
Authorization::disable();
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles()); $isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
$isAppUser = Auth::isAppUser(Authorization::getRoles()); $isAppUser = Auth::isAppUser(Authorization::getRoles());
$teamId = $teamId == 'unique()' ? $dbForInternal->getId() : $teamId; $teamId = $teamId == 'unique()' ? $dbForInternal->getId() : $teamId;
$team = $dbForInternal->createDocument('teams', new Document([ $team = Authorization::skip(fn() => $dbForInternal->createDocument('teams', new Document([
'$id' => $teamId , '$id' => $teamId ,
'$read' => ['team:'.$teamId], '$read' => ['team:'.$teamId],
'$write' => ['team:'.$teamId .'/owner'], '$write' => ['team:'.$teamId .'/owner'],
@ -61,9 +59,7 @@ App::post('/v1/teams')
'sum' => ($isPrivilegedUser || $isAppUser) ? 0 : 1, 'sum' => ($isPrivilegedUser || $isAppUser) ? 0 : 1,
'dateCreated' => \time(), 'dateCreated' => \time(),
'search' => implode(' ', [$teamId, $name]), 'search' => implode(' ', [$teamId, $name]),
])); ])));
Authorization::reset();
if (!$isPrivilegedUser && !$isAppUser) { // Don't add user on server mode if (!$isPrivilegedUser && !$isAppUser) { // Don't add user on server mode
$membership = new Document([ $membership = new Document([
@ -318,11 +314,9 @@ App::post('/v1/teams/:teamId/memberships')
} }
} }
Authorization::disable();
try { try {
$userId = $dbForInternal->getId(); $userId = $dbForInternal->getId();
$invitee = $dbForInternal->createDocument('users', new Document([ $invitee = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
'$id' => $userId, '$id' => $userId,
'$read' => ['user:'.$userId, 'role:all'], '$read' => ['user:'.$userId, 'role:all'],
'$write' => ['user:'.$userId], '$write' => ['user:'.$userId],
@ -344,12 +338,10 @@ App::post('/v1/teams/:teamId/memberships')
'tokens' => [], 'tokens' => [],
'memberships' => [], 'memberships' => [],
'search' => implode(' ', [$userId, $email, $name]), 'search' => implode(' ', [$userId, $email, $name]),
])); ])));
} catch (Duplicate $th) { } catch (Duplicate $th) {
throw new Exception('Account already exists', 409); throw new Exception('Account already exists', 409);
} }
Authorization::reset();
} }
$isOwner = Authorization::isRole('team:'.$team->getId().'/owner');; $isOwner = Authorization::isRole('team:'.$team->getId().'/owner');;
@ -374,21 +366,18 @@ App::post('/v1/teams/:teamId/memberships')
]); ]);
if ($isPrivilegedUser || $isAppUser) { // Allow admin to create membership if ($isPrivilegedUser || $isAppUser) { // Allow admin to create membership
Authorization::disable();
try { try {
$membership = $dbForInternal->createDocument('memberships', $membership); $membership = Authorization::skip(fn() => $dbForInternal->createDocument('memberships', $membership));
} catch (Duplicate $th) { } catch (Duplicate $th) {
throw new Exception('User has already been invited or is already a member of this team', 409); throw new Exception('User has already been invited or is already a member of this team', 409);
} }
$team->setAttribute('sum', $team->getAttribute('sum', 0) + 1);
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1)); $team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team));
// Attach user to team // Attach user to team
$invitee->setAttribute('memberships', $membership, Document::SET_TYPE_APPEND); $invitee->setAttribute('memberships', $membership, Document::SET_TYPE_APPEND);
$invitee = $dbForInternal->updateDocument('users', $invitee->getId(), $invitee); $invitee = Authorization::skip(fn() => $dbForInternal->updateDocument('users', $invitee->getId(), $invitee));
Authorization::reset();
} else { } else {
try { try {
$membership = $dbForInternal->createDocument('memberships', $membership); $membership = $dbForInternal->createDocument('memberships', $membership);
@ -702,11 +691,7 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status')
$user = $dbForInternal->updateDocument('users', $user->getId(), $user); $user = $dbForInternal->updateDocument('users', $user->getId(), $user);
$membership = $dbForInternal->updateDocument('memberships', $membership->getId(), $membership); $membership = $dbForInternal->updateDocument('memberships', $membership->getId(), $membership);
Authorization::disable(); $team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1)));
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1));
Authorization::reset();
$audits $audits
->setParam('userId', $user->getId()) ->setParam('userId', $user->getId())
@ -791,14 +776,13 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
} }
} }
Authorization::disable(); $user->setAttribute('memberships', $memberships);
$dbForInternal->updateDocument('users', $user->getId(), $user->setAttribute('memberships', $memberships)); Authorization::skip(fn() => $dbForInternal->updateDocument('users', $user->getId(), $user));
Authorization::reset();
if ($membership->getAttribute('confirm')) { // Count only confirmed members if ($membership->getAttribute('confirm')) { // Count only confirmed members
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0))); $team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0));
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team);
} }
$audits $audits

11
app/init.php
View file

@ -706,18 +706,13 @@ App::setResource('project', function($dbForConsole, $request, $console) {
/** @var Utopia\Database\Database $dbForConsole */ /** @var Utopia\Database\Database $dbForConsole */
/** @var Utopia\Database\Document $console */ /** @var Utopia\Database\Document $console */
$projectId = $request->getParam('project', $projectId = $request->getParam('project', $request->getHeader('x-appwrite-project', 'console'));
$request->getHeader('x-appwrite-project', 'console'));
if($projectId === 'console') { if($projectId === 'console') {
return $console; return $console;
} }
Authorization::disable(); $project = Authorization::skip(fn() => $dbForConsole->getDocument('projects', $projectId));
$project = $dbForConsole->getDocument('projects', $projectId);
Authorization::reset();
return $project; return $project;
}, ['dbForConsole', 'request', 'console']); }, ['dbForConsole', 'request', 'console']);