jazzymc/homarr
1
0
Fork 0
Code Issues Pull Requests Actions 1 Packages Projects Releases Wiki Activity

feat: add integration access settings (#725)

Browse Source 
* feat: add integration access settings

* fix: typecheck and test issues

* fix: test timeout

* chore: address pull request feedback

* chore: add throw if action forbidden for integration permissions

* fix: unable to create new migrations because of duplicate prevId in sqlite snapshots

* chore: add sqlite migration for integration permissions

* test: add unit tests for integration access

* test: add permission checks to integration router tests

* test: add unit test for integration permissions

* chore: add mysql migration

* fix: format issues
This commit is contained in:
Meier Lukas
2024-07-08 00:00:37 +02:00
committed by GitHub
parent be711149f7
commit 408cdeb5c3
50 changed files with 4392 additions and 615 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
packages/auth/permissions/board-permissions.ts
View File

@@ -1,5 +1,7 @@
import type { Session } from "next-auth";
import type { BoardPermission } from "@homarr/definitions";
export type BoardPermissionsProps = (
| {
creator: {
@@ -11,10 +13,10 @@ export type BoardPermissionsProps = (
}
) & {
userPermissions: {
permission: string;
permission: BoardPermission;
}[];
groupPermissions: {
permission: string;
permission: BoardPermission;
}[];
isPublic: boolean;
};
@@ -23,11 +25,11 @@ export const constructBoardPermissions = (board: BoardPermissionsProps, session:
const creatorId = "creator" in board ? board.creator?.id : board.creatorId;
return {
hasFullAccess: session?.user.id === creatorId || session?.user.permissions.includes("board-full-access"),
hasFullAccess: session?.user.id === creatorId || session?.user.permissions.includes("board-full-all"),
hasChangeAccess:
session?.user.id === creatorId ||
board.userPermissions.some(({ permission }) => permission === "board-change") ||
board.groupPermissions.some(({ permission }) => permission === "board-change") ||
board.userPermissions.some(({ permission }) => permission === "modify") ||
board.groupPermissions.some(({ permission }) => permission === "modify") ||
session?.user.permissions.includes("board-modify-all"),
hasViewAccess:
session?.user.id === creatorId ||

1
packages/auth/permissions/index.ts
View File

@@ -1 +1,2 @@
export * from "./board-permissions";
export * from "./integration-permissions";

26
packages/auth/permissions/integration-permissions.ts Normal file
View File

@@ -0,0 +1,26 @@
import type { Session } from "next-auth";
import type { IntegrationPermission } from "@homarr/definitions";
export interface IntegrationPermissionsProps {
userPermissions: {
permission: IntegrationPermission;
}[];
groupPermissions: {
permission: IntegrationPermission;
}[];
}
export const constructIntegrationPermissions = (integration: IntegrationPermissionsProps, session: Session | null) => {
return {
hasFullAccess: session?.user.permissions.includes("integration-full-all"),
hasInteractAccess:
integration.userPermissions.some(({ permission }) => permission === "interact") ||
integration.groupPermissions.some(({ permission }) => permission === "interact") ||
session?.user.permissions.includes("integration-interact-all"),
hasUseAccess:
integration.userPermissions.length >= 1 ||
integration.groupPermissions.length >= 1 ||
session?.user.permissions.includes("integration-use-all"),
};
};

16
packages/auth/permissions/test/board-permissions.spec.ts
View File

@@ -33,7 +33,7 @@ describe("constructBoardPermissions", () => {
expect(result.hasViewAccess).toBe(true);
});
test("should return hasFullAccess as true when session permissions include board-full-access", () => {
test("should return hasFullAccess as true when session permissions include board-full-all", () => {
// Arrange
const board = {
creator: {
@@ -46,7 +46,7 @@ describe("constructBoardPermissions", () => {
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["board-full-access"]),
permissions: getPermissionsWithChildren(["board-full-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
@@ -87,14 +87,14 @@ describe("constructBoardPermissions", () => {
expect(result.hasViewAccess).toBe(true);
});
test('should return hasChangeAccess as true when board user permissions include "board-change"', () => {
test('should return hasChangeAccess as true when board user permissions include "modify"', () => {
// Arrange
const board = {
creator: {
id: "1",
},
userPermissions: [{ permission: "board-change" }],
userPermissions: [{ permission: "modify" as const }],
groupPermissions: [],
isPublic: false,
};
@@ -115,14 +115,14 @@ describe("constructBoardPermissions", () => {
expect(result.hasViewAccess).toBe(true);
});
test("should return hasChangeAccess as true when board group permissions include board-change", () => {
test("should return hasChangeAccess as true when board group permissions include modify", () => {
// Arrange
const board = {
creator: {
id: "1",
},
userPermissions: [],
groupPermissions: [{ permission: "board-change" }],
groupPermissions: [{ permission: "modify" as const }],
isPublic: false,
};
const session = {
@@ -175,7 +175,7 @@ describe("constructBoardPermissions", () => {
creator: {
id: "1",
},
userPermissions: [{ permission: "board-view" }],
userPermissions: [{ permission: "view" as const }],
groupPermissions: [],
isPublic: false,
};
@@ -203,7 +203,7 @@ describe("constructBoardPermissions", () => {
id: "1",
},
userPermissions: [],
groupPermissions: [{ permission: "board-view" }],
groupPermissions: [{ permission: "view" as const }],
isPublic: false,
};
const session = {

229
packages/auth/permissions/test/integration-permissions.spec.ts Normal file
View File

@@ -0,0 +1,229 @@
import type { Session } from "next-auth";
import { describe, expect, test } from "vitest";
import { getPermissionsWithChildren } from "@homarr/definitions";
import { constructIntegrationPermissions } from "../integration-permissions";
describe("constructIntegrationPermissions", () => {
test("should return hasFullAccess as true when session permissions include integration-full-all", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["integration-full-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(true);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasInteractAccess as true when session permissions include integration-interact-all", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["integration-interact-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test('should return hasInteractAccess as true when integration user permissions include "interact"', () => {
// Arrange
const integration = {
userPermissions: [{ permission: "interact" as const }],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasInteractAccess as true when integration group permissions include interact", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [{ permission: "interact" as const }],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(true);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasUseAccess as true when session permissions include integration-use-all", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: getPermissionsWithChildren(["integration-use-all"]),
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasUseAccess as true when integration user permissions length is greater than or equal to 1", () => {
// Arrange
const integration = {
userPermissions: [{ permission: "use" as const }],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(true);
});
test("should return hasUseAccess as true when integration group permissions length is greater than or equal to 1", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [{ permission: "use" as const }],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(true);
});
test("should return all false when integration no permissions", () => {
// Arrange
const integration = {
userPermissions: [],
groupPermissions: [],
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructIntegrationPermissions(integration, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasInteractAccess).toBe(false);
expect(result.hasUseAccess).toBe(false);
});
});
/*
test("should return hasViewAccess as true when board is public", () => {
// Arrange
const board = {
creator: {
id: "1",
},
userPermissions: [],
groupPermissions: [],
isPublic: true,
};
const session = {
user: {
id: "2",
permissions: [],
},
expires: new Date().toISOString(),
} satisfies Session;
// Act
const result = constructBoardPermissions(board, session);
// Assert
expect(result.hasFullAccess).toBe(false);
expect(result.hasChangeAccess).toBe(false);
expect(result.hasViewAccess).toBe(true);
});
});
*/