Add a dropdown on participate menu, disallow listing participations

Now requires quering the person endpoint to know if an actor participates in an event, organizers can make authenticated requests to event { participants { } } to see the pending / approved participants. Also closes #174 Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2019-09-26 16:38:58 +02:00
parent 8a3e606c15
commit 757d2cabec
34 changed files with 655 additions and 439 deletions
--- a/lib/mobilizon_web/resolvers/event.ex
+++ b/lib/mobilizon_web/resolvers/event.ex
@@ -38,34 +38,42 @@ defmodule MobilizonWeb.Resolvers.Event do
    end
  end

-  @doc """
-  List participant for event (separate request)
-  """
-  def list_participants_for_event(_parent, %{uuid: uuid, page: page, limit: limit}, _resolution) do
-    {:ok, Mobilizon.Events.list_participants_for_event(uuid, [], page, limit)}
-  end
-
  @doc """
  List participants for event (through an event request)
  """
  def list_participants_for_event(
-        %Event{uuid: uuid},
-        %{page: page, limit: limit, roles: roles},
-        _resolution
+        %Event{id: event_id},
+        %{page: page, limit: limit, roles: roles, actor_id: actor_id},
+        %{context: %{current_user: %User{} = user}} = _resolution
      ) do
-    roles =
-      case roles do
-        "" ->
-          []
+    with {:is_owned, %Actor{} = _actor} <- User.owns_actor(user, actor_id),
+         # Check that moderator has right
+         {:actor_approve_permission, true} <-
+           {:actor_approve_permission, Mobilizon.Events.moderator_for_event?(event_id, actor_id)} do
+      roles =
+        case roles do
+          "" ->
+            []

-        roles ->
-          roles
-          |> String.split(",")
-          |> Enum.map(&String.downcase/1)
-          |> Enum.map(&String.to_existing_atom/1)
-      end
+          roles ->
+            roles
+            |> String.split(",")
+            |> Enum.map(&String.downcase/1)
+            |> Enum.map(&String.to_existing_atom/1)
+        end

-    {:ok, Mobilizon.Events.list_participants_for_event(uuid, roles, page, limit)}
+      {:ok, Mobilizon.Events.list_participants_for_event(event_id, roles, page, limit)}
+    else
+      {:is_owned, nil} ->
+        {:error, "Moderator Actor ID is not owned by authenticated user"}
+
+      {:actor_approve_permission, _} ->
+        {:error, "Provided moderator actor ID doesn't have permission on this event"}
+    end
+  end
+
+  def list_participants_for_event(_, _args, _resolution) do
+    {:ok, []}
  end

  def stats_participants_for_event(%Event{id: id}, _args, _resolution) do
--- a/lib/mobilizon_web/resolvers/person.ex
+++ b/lib/mobilizon_web/resolvers/person.ex
@@ -6,6 +6,7 @@ defmodule MobilizonWeb.Resolvers.Person do
  alias Mobilizon.Actors
  alias Mobilizon.Actors.Actor
  alias Mobilizon.Events
+  alias Mobilizon.Events.Participant
  alias Mobilizon.Service.ActivityPub
  alias Mobilizon.Users
  alias Mobilizon.Users.User
@@ -173,27 +174,33 @@ defmodule MobilizonWeb.Resolvers.Person do
  end

  @doc """
-  Returns the list of events this person is going to
+  Returns the participation for a specific event
  """
-  def person_going_to_events(%Actor{id: actor_id}, _args, %{context: %{current_user: user}}) do
-    with {:is_owned, %Actor{} = actor} <- User.owns_actor(user, actor_id),
-         events <- Events.list_event_participations_for_actor(actor) do
-      {:ok, events}
+  def person_participations(%Actor{id: actor_id}, %{event_id: event_id}, %{
+        context: %{current_user: user}
+      }) do
+    with {:is_owned, %Actor{} = _actor} <- User.owns_actor(user, actor_id),
+         {:no_participant, {:ok, %Participant{} = participant}} <-
+           {:no_participant, Events.get_participant(event_id, actor_id)} do
+      {:ok, [participant]}
    else
      {:is_owned, nil} ->
        {:error, "Actor id is not owned by authenticated user"}
+
+      {:no_participant, _} ->
+        {:ok, []}
    end
  end

  @doc """
  Returns the list of events this person is going to
  """
-  def person_going_to_events(_parent, %{}, %{context: %{current_user: user}}) do
-    with %Actor{} = actor <- Users.get_actor_for_user(user),
-         events <- Events.list_event_participations_for_actor(actor) do
-      {:ok, events}
+  def person_participations(%Actor{id: actor_id}, _args, %{context: %{current_user: user}}) do
+    with {:is_owned, %Actor{} = actor} <- User.owns_actor(user, actor_id),
+         participations <- Events.list_event_participations_for_actor(actor) do
+      {:ok, participations}
    else
-      {:is_owned, false} ->
+      {:is_owned, nil} ->
        {:error, "Actor id is not owned by authenticated user"}
    end
  end
--- a/lib/mobilizon_web/resolvers/user.ex
+++ b/lib/mobilizon_web/resolvers/user.ex
@@ -225,10 +225,11 @@ defmodule MobilizonWeb.Resolvers.User do
  @doc """
  Returns the list of events for all of this user's identities are going to
  """
-  def user_participations(_parent, args, %{
-        context: %{current_user: %User{id: user_id}}
+  def user_participations(%User{id: user_id}, args, %{
+        context: %{current_user: %User{id: logged_user_id}}
      }) do
-    with participations <-
+    with true <- user_id == logged_user_id,
+         participations <-
           Events.list_participations_for_user(
             user_id,
             Map.get(args, :after_datetime),