Add the :role_needed_to_access permission check and refactor

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2021-07-23 09:42:50 +02:00
parent 867e88481d
commit 0995043d04
13 changed files with 131 additions and 79 deletions
--- a/lib/federation/activity_pub/permission.ex
+++ b/lib/federation/activity_pub/permission.ex
@@ -0,0 +1,102 @@
+defmodule Mobilizon.Federation.ActivityPub.Permission do
+  @moduledoc """
+  Module to check group members permissions on objects
+  """
+
+  alias Mobilizon.Actors
+  alias Mobilizon.Actors.Actor
+  alias Mobilizon.Federation.ActivityPub.Types.{Entity, Ownable}
+  require Logger
+
+  @doc """
+  Check that actor can access the object
+  """
+  @spec can_access_group_object?(Actor.t(), Entity.t()) :: boolean()
+  def can_access_group_object?(%Actor{} = actor, object) do
+    can_manage_group_object?(:role_needed_to_access, actor, object)
+  end
+
+  @doc """
+  Check that actor can update the object
+  """
+  @spec can_update_group_object?(Actor.t(), Entity.t()) :: boolean()
+  def can_update_group_object?(%Actor{} = actor, object) do
+    can_manage_group_object?(:role_needed_to_update, actor, object)
+  end
+
+  @doc """
+  Check that actor can delete the object
+  """
+  @spec can_delete_group_object?(Actor.t(), Entity.t()) :: boolean()
+  def can_delete_group_object?(%Actor{} = actor, object) do
+    can_manage_group_object?(:role_needed_to_delete, actor, object)
+  end
+
+  @spec can_manage_group_object?(
+          :role_needed_to_access | :role_needed_to_update | :role_needed_to_delete,
+          Actor.t(),
+          any()
+        ) :: boolean()
+  defp can_manage_group_object?(action_function, %Actor{url: actor_url} = actor, object) do
+    if Ownable.group_actor(object) != nil do
+      case apply(Ownable, action_function, [object]) do
+        role when role in [:member, :moderator, :administrator] ->
+          activity_actor_is_group_member?(actor, object, role)
+
+        _ ->
+          case action_function do
+            :role_needed_to_access ->
+              Logger.warn("Actor #{actor_url} can't access #{object.url}")
+
+            :role_needed_to_update ->
+              Logger.warn("Actor #{actor_url} can't update #{object.url}")
+
+            :role_needed_to_delete ->
+              Logger.warn("Actor #{actor_url} can't delete #{object.url}")
+          end
+
+          false
+      end
+    else
+      true
+    end
+  end
+
+  @spec activity_actor_is_group_member?(Actor.t(), Entity.t(), atom()) :: boolean()
+  defp activity_actor_is_group_member?(
+         %Actor{id: actor_id, url: actor_url},
+         object,
+         role
+       ) do
+    case Ownable.group_actor(object) do
+      %Actor{type: :Group, id: group_id, url: group_url} ->
+        Logger.debug("Group object url is #{group_url}")
+
+        case role do
+          :moderator ->
+            Logger.debug(
+              "Checking if activity actor #{actor_url} is a moderator from group from #{object.url}"
+            )
+
+            Actors.is_moderator?(actor_id, group_id)
+
+          :administrator ->
+            Logger.debug(
+              "Checking if activity actor #{actor_url} is an administrator from group from #{object.url}"
+            )
+
+            Actors.is_administrator?(actor_id, group_id)
+
+          _ ->
+            Logger.debug(
+              "Checking if activity actor #{actor_url} is a member from group from #{object.url}"
+            )
+
+            Actors.is_member?(actor_id, group_id)
+        end
+
+      _ ->
+        false
+    end
+  end
+end