Merge pull request #2511 from appwrite/remove-authorization-disable-calls
refactor: replace authorization disable with skip
commit
c068088f79
4 changed files with 28 additions and 71 deletions
|
@ -88,11 +88,9 @@ App::post('/v1/account')
|
|||
}
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
try {
|
||||
$userId = $userId == 'unique()' ? $dbForInternal->getId() : $userId;
|
||||
$user = $dbForInternal->createDocument('users', new Document([
|
||||
$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
|
||||
'$id' => $userId,
|
||||
'$read' => ['role:all'],
|
||||
'$write' => ['user:' . $userId],
|
||||
|
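Review bot: The new `$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', ...))` line runs inside a `try` whose `catch (Duplicate $th)` rethrows, so whether the authorization status is restored on that path now depends entirely on `skip()` restoring it in a `finally` block — `skip()` is not visible here, so this should be confirmed against the utopia-php/database version in use, since the old `Authorization::reset()` was equally skipped on the duplicate path. The same shape recurs in the OAuth2 redirect hunk of this file and in the teams memberships hunks. If `skip()` does not use `finally`, wrap only the closure call in the `try`, or have the closure restore status before rethrowing. The enclosing route closure starts and ends outside the hunk.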
@ -110,13 +108,11 @@ App::post('/v1/account')
|
|||
'memberships' => [],
|
||||
'search' => implode(' ', [$userId, $email, $name]),
|
||||
'deleted' => false
|
||||
]));
|
||||
])));
|
||||
} catch (Duplicate $th) {
|
||||
throw new Exception('Account already exists', 409);
|
||||
}
|
||||
|
||||
Authorization::reset();
|
||||
|
||||
Authorization::unsetRole('role:' . Auth::USER_ROLE_GUEST);
|
||||
Authorization::setRole('user:' . $user->getId());
|
||||
Authorization::setRole('role:' . Auth::USER_ROLE_MEMBER);
|
||||
|
@ -490,11 +486,9 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
|
|||
}
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
try {
|
||||
$userId = $dbForInternal->getId();
|
||||
$user = $dbForInternal->createDocument('users', new Document([
|
||||
$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
|
||||
'$id' => $userId,
|
||||
'$read' => ['role:all'],
|
||||
'$write' => ['user:' . $userId],
|
||||
|
@ -512,12 +506,10 @@ App::get('/v1/account/sessions/oauth2/:provider/redirect')
|
|||
'memberships' => [],
|
||||
'search' => implode(' ', [$userId, $email, $name]),
|
||||
'deleted' => false
|
||||
]));
|
||||
])));
|
||||
} catch (Duplicate $th) {
|
||||
throw new Exception('Account already exists', 409);
|
||||
}
|
||||
|
||||
Authorization::reset();
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -939,10 +931,8 @@ App::post('/v1/account/sessions/anonymous')
|
|||
}
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
$userId = $dbForInternal->getId();
|
||||
$user = $dbForInternal->createDocument('users', new Document([
|
||||
$user = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
|
||||
'$id' => $userId,
|
||||
'$read' => ['role:all'],
|
||||
'$write' => ['user:' . $userId],
|
||||
|
@ -960,9 +950,7 @@ App::post('/v1/account/sessions/anonymous')
|
|||
'memberships' => [],
|
||||
'search' => $userId,
|
||||
'deleted' => false
|
||||
]));
|
||||
|
||||
Authorization::reset();
|
||||
])));
|
||||
|
||||
// Create session token
|
||||
|
||||
|
|
|
@ -700,15 +700,13 @@ App::post('/v1/functions/:functionId/executions')
|
|||
/** @var Utopia\Database\Database $dbForInternal */
|
||||
/** @var Utopia\Database\Document $user */
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
$function = $dbForInternal->getDocument('functions', $functionId);
|
||||
$function = Authorization::skip(fn() => $dbForInternal->getDocument('functions', $functionId));
|
||||
|
||||
if ($function->isEmpty()) {
|
||||
throw new Exception('Function not found', 404);
|
||||
}
|
||||
|
||||
$tag = $dbForInternal->getDocument('tags', $function->getAttribute('tag'));
|
||||
$tag = Authorization::skip(fn() => $dbForInternal->getDocument('tags', $function->getAttribute('tag')));
|
||||
|
||||
if ($tag->getAttribute('functionId') !== $function->getId()) {
|
||||
throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404);
|
||||
|
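Review bot: The two `Authorization::skip(...)` lookups for `functions` and `tags` bypass document permissions with no comment saying why that is acceptable, although the actual access decision is made a few lines later by `new Authorization($function, 'execute')` and `$validator->isValid(...)`. A reader should not have to reconstruct that relationship, so I would add above the first lookup: `// Permission checks are skipped for the lookup only; execute access is enforced below by the 'execute' validator`. The execution-record hunk in this file uses `skip()` with `'$write' => []` in the same spirit and would benefit from a similar one-line note. The enclosing route closure starts and ends outside the hunk.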
@ -718,19 +716,15 @@ App::post('/v1/functions/:functionId/executions')
|
|||
throw new Exception('Tag not found. Deploy tag before trying to execute a function', 404);
|
||||
}
|
||||
|
||||
Authorization::reset();
|
||||
|
||||
$validator = new Authorization($function, 'execute');
|
||||
|
||||
if (!$validator->isValid($function->getAttribute('execute'))) { // Check if user has write access to execute function
|
||||
throw new Exception($validator->getDescription(), 401);
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
$executionId = $dbForInternal->getId();
|
||||
|
||||
$execution = $dbForInternal->createDocument('executions', new Document([
|
||||
$execution = Authorization::skip(fn() => $dbForInternal->createDocument('executions', new Document([
|
||||
'$id' => $executionId,
|
||||
'$read' => (!$user->isEmpty()) ? ['user:' . $user->getId()] : [],
|
||||
'$write' => [],
|
||||
|
@ -744,9 +738,7 @@ App::post('/v1/functions/:functionId/executions')
|
|||
'stderr' => '',
|
||||
'time' => 0.0,
|
||||
'search' => implode(' ', [$functionId, $executionId]),
|
||||
]));
|
||||
|
||||
Authorization::reset();
|
||||
])));
|
||||
|
||||
$jwt = ''; // initialize
|
||||
if (!$user->isEmpty()) { // If userId exists, generate a JWT for function
|
||||
|
@ -857,9 +849,7 @@ App::get('/v1/functions/:functionId/executions/:executionId')
|
|||
/** @var Appwrite\Utopia\Response $response */
|
||||
/** @var Utopia\Database\Database $dbForInternal */
|
||||
|
||||
Authorization::disable();
|
||||
$function = $dbForInternal->getDocument('functions', $functionId);
|
||||
Authorization::reset();
|
||||
$function = Authorization::skip(fn() => $dbForInternal->getDocument('functions', $functionId));
|
||||
|
||||
if ($function->isEmpty()) {
|
||||
throw new Exception('Function not found', 404);
|
||||
|
|
|
@ -47,13 +47,11 @@ App::post('/v1/teams')
|
|||
/** @var Utopia\Database\Database $dbForInternal */
|
||||
/** @var Appwrite\Event\Event $events */
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
$isPrivilegedUser = Auth::isPrivilegedUser(Authorization::getRoles());
|
||||
$isAppUser = Auth::isAppUser(Authorization::getRoles());
|
||||
|
||||
$teamId = $teamId == 'unique()' ? $dbForInternal->getId() : $teamId;
|
||||
$team = $dbForInternal->createDocument('teams', new Document([
|
||||
$team = Authorization::skip(fn() => $dbForInternal->createDocument('teams', new Document([
|
||||
'$id' => $teamId ,
|
||||
'$read' => ['team:'.$teamId],
|
||||
'$write' => ['team:'.$teamId .'/owner'],
|
||||
|
@ -61,9 +59,7 @@ App::post('/v1/teams')
|
|||
'sum' => ($isPrivilegedUser || $isAppUser) ? 0 : 1,
|
||||
'dateCreated' => \time(),
|
||||
'search' => implode(' ', [$teamId, $name]),
|
||||
]));
|
||||
|
||||
Authorization::reset();
|
||||
])));
|
||||
|
||||
if (!$isPrivilegedUser && !$isAppUser) { // Don't add user on server mode
|
||||
$membership = new Document([
|
||||
|
@ -318,11 +314,9 @@ App::post('/v1/teams/:teamId/memberships')
|
|||
}
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
try {
|
||||
$userId = $dbForInternal->getId();
|
||||
$invitee = $dbForInternal->createDocument('users', new Document([
|
||||
$invitee = Authorization::skip(fn() => $dbForInternal->createDocument('users', new Document([
|
||||
'$id' => $userId,
|
||||
'$read' => ['user:'.$userId, 'role:all'],
|
||||
'$write' => ['user:'.$userId],
|
||||
|
@ -344,12 +338,10 @@ App::post('/v1/teams/:teamId/memberships')
|
|||
'tokens' => [],
|
||||
'memberships' => [],
|
||||
'search' => implode(' ', [$userId, $email, $name]),
|
||||
]));
|
||||
])));
|
||||
} catch (Duplicate $th) {
|
||||
throw new Exception('Account already exists', 409);
|
||||
}
|
||||
|
||||
Authorization::reset();
|
||||
}
|
||||
|
||||
$isOwner = Authorization::isRole('team:'.$team->getId().'/owner');;
|
||||
|
@ -374,21 +366,18 @@ App::post('/v1/teams/:teamId/memberships')
|
|||
]);
|
||||
|
||||
if ($isPrivilegedUser || $isAppUser) { // Allow admin to create membership
|
||||
Authorization::disable();
|
||||
try {
|
||||
$membership = $dbForInternal->createDocument('memberships', $membership);
|
||||
$membership = Authorization::skip(fn() => $dbForInternal->createDocument('memberships', $membership));
|
||||
} catch (Duplicate $th) {
|
||||
throw new Exception('User has already been invited or is already a member of this team', 409);
|
||||
}
|
||||
|
||||
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1));
|
||||
$team->setAttribute('sum', $team->getAttribute('sum', 0) + 1);
|
||||
$team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team));
|
||||
|
||||
// Attach user to team
|
||||
$invitee->setAttribute('memberships', $membership, Document::SET_TYPE_APPEND);
|
||||
|
||||
$invitee = $dbForInternal->updateDocument('users', $invitee->getId(), $invitee);
|
||||
|
||||
Authorization::reset();
|
||||
$invitee = Authorization::skip(fn() => $dbForInternal->updateDocument('users', $invitee->getId(), $invitee));
|
||||
} else {
|
||||
try {
|
||||
$membership = $dbForInternal->createDocument('memberships', $membership);
|
||||
|
@ -702,11 +691,7 @@ App::patch('/v1/teams/:teamId/memberships/:membershipId/status')
|
|||
$user = $dbForInternal->updateDocument('users', $user->getId(), $user);
|
||||
$membership = $dbForInternal->updateDocument('memberships', $membership->getId(), $membership);
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1));
|
||||
|
||||
Authorization::reset();
|
||||
$team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', $team->getAttribute('sum', 0) + 1)));
|
||||
|
||||
$audits
|
||||
->setParam('userId', $user->getId())
|
||||
|
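Review bot: The `$team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', ...)))` line inlines the attribute mutation inside the closure on one very long line, while the memberships hunk earlier in this file and the delete hunk below both split the same operation into two steps; this hunk should follow that form: `$team->setAttribute('sum', $team->getAttribute('sum', 0) + 1);` then `$team = Authorization::skip(fn() => $dbForInternal->updateDocument('teams', $team->getId(), $team));`. Relatedly, in the delete hunk the result of `Authorization::skip(fn() => $dbForInternal->updateDocument('users', ...))` is discarded, whereas the memberships hunk reassigns `$invitee` from the same call; if `$user` is used afterwards (the `$audits` block follows), assigning `$user = Authorization::skip(...)` keeps the variable in step with what was persisted. The enclosing route closure starts and ends outside the hunk.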
@ -791,14 +776,13 @@ App::delete('/v1/teams/:teamId/memberships/:membershipId')
|
|||
}
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
$user->setAttribute('memberships', $memberships);
|
||||
|
||||
$dbForInternal->updateDocument('users', $user->getId(), $user->setAttribute('memberships', $memberships));
|
||||
|
||||
Authorization::reset();
|
||||
Authorization::skip(fn() => $dbForInternal->updateDocument('users', $user->getId(), $user));
|
||||
|
||||
if ($membership->getAttribute('confirm')) { // Count only confirmed members
|
||||
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0)));
|
||||
$team->setAttribute('sum', \max($team->getAttribute('sum', 0) - 1, 0));
|
||||
$team = $dbForInternal->updateDocument('teams', $team->getId(), $team);
|
||||
}
|
||||
|
||||
$audits
|
||||
|
|
|
@ -706,18 +706,13 @@ App::setResource('project', function($dbForConsole, $request, $console) {
|
|||
/** @var Utopia\Database\Database $dbForConsole */
|
||||
/** @var Utopia\Database\Document $console */
|
||||
|
||||
$projectId = $request->getParam('project',
|
||||
$request->getHeader('x-appwrite-project', 'console'));
|
||||
$projectId = $request->getParam('project', $request->getHeader('x-appwrite-project', 'console'));
|
||||
|
||||
if($projectId === 'console') {
|
||||
return $console;
|
||||
}
|
||||
|
||||
Authorization::disable();
|
||||
|
||||
$project = $dbForConsole->getDocument('projects', $projectId);
|
||||
|
||||
Authorization::reset();
|
||||
$project = Authorization::skip(fn() => $dbForConsole->getDocument('projects', $projectId));
|
||||
|
||||
return $project;
|
||||
}, ['dbForConsole', 'request', 'console']);
|
||||
|
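Review bot: `$projectId` is taken directly from the `project` query parameter or the `x-appwrite-project` header and is now passed to `getDocument` inside `Authorization::skip`, so the lookup deliberately answers for any id the client names; `getDocument` yields an empty Document for an unknown id (the same `isEmpty()` pattern is used on `$function` elsewhere in this commit) and the resource returns it without a check, which is unchanged behaviour but is now a one-line bypass that merits a comment. I would add above the `skip` line: `// Authorization skipped on purpose: lookup is by id only; consumers must check $project->isEmpty()`. Whether callers of this resource already do so is not visible here and should be confirmed.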
|