From 8a3054e19ade82e2792cfb0f2a8af9e502c5eb52 Mon Sep 17 00:00:00 2001
From: Sabir Hassan
Date: Sat, 30 Jul 2022 00:01:15 +0500
Subject: [PATCH] fix: show non-admin user his own permissions only

---
 api/src/controllers/permission.ts | 54 +++++++++++++++++-----------
 api/src/model/Permission.ts | 33 ++++++++++++++++-
 api/src/routes/api/permission.ts | 2 +-
 api/src/utils/getAuthorizedRoutes.ts | 3 +-
 4 files changed, 67 insertions(+), 25 deletions(-)

diff --git a/api/src/controllers/permission.ts b/api/src/controllers/permission.ts
index 14f4c18..a73f16b 100644
--- a/api/src/controllers/permission.ts
+++ b/api/src/controllers/permission.ts
@@ -1,3 +1,4 @@
+import express from 'express'
 import {
 Security,
 Route,
@@ -8,7 +9,8 @@ import {
 Post,
 Patch,
 Delete,
- Body
+ Body,
+ Request
 } from 'tsoa'
 import Permission from '../model/Permission'
@@ -71,7 +73,7 @@ export interface PermissionDetailsResponse {
 @Tags('Permission')
 export class PermissionController {
 /**
- * @summary Get list of all permissions (uri, setting and userDetail).
+ * @summary Get a list of user's permissions, if user is admin all permissions are returned.
 *
 */
 @Example([
@@ -100,8 +102,10 @@ export class PermissionController {
 }
 ])
 @Get('/')
- public async getAllPermissions(): Promise {
- return getAllPermissions()
+ public async getAllPermissions(
+ @Request() request: express.Request
+ ): Promise {
+ return getAllPermissions(request)
 }
 /**
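Review bot: The new @summary in the @@ -71 hunk says a non-admin gets "a list of user's permissions", but the implementation in the next hunk also collects permissions granted to each of the user's groups, which a reader of the generated API docs would not expect from this wording; I would write `* @summary Get the permissions granted to the calling user directly or through their groups; admins get all permissions.`. The signature hunk below it passes the raw `express.Request` on to code that reads `request.user`, which relies on an augmentation of the Express request type that is not visible in this patch — confirm it exists, otherwise the `@Request()` parameter should be typed with the project's authenticated-request type rather than the plain one.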
@@ -161,24 +165,32 @@ export class PermissionController {
 }
 }
-const getAllPermissions = async (): Promise =>
-(await Permission.find({})
- .select({
- _id: 0,
- permissionId: 1,
- uri: 1,
- setting: 1
- })
- .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
- .populate({
- path: 'group',
- select: 'groupId name description -_id',
- populate: {
- path: 'users',
- select: 'id username displayName isAdmin -_id',
- options: { limit: 15 }
+const getAllPermissions = async (
+ req: express.Request
+): Promise => {
+ const { user } = req
+
+ if (user?.isAdmin) return await Permission.get({})
+ else {
+ const permissions: PermissionDetailsResponse[] = []
+
+ const dbUser = await User.findOne({ id: user?.userId })
+ if (!dbUser)
+ throw {
+ code: 404,
+ status: 'Not Found',
+ message: 'User not found.'
 }
- })) as unknown as PermissionDetailsResponse[]
+
+ permissions.push(...(await Permission.get({ user: dbUser._id })))
+
+ for (const group of dbUser.groups) {
+ permissions.push(...(await Permission.get({ group })))
+ }
+
+ return permissions
+ }
+}
 const createPermission = async ({
 uri,
diff --git a/api/src/model/Permission.ts b/api/src/model/Permission.ts
index 8d9454e..bb8302d 100644
--- a/api/src/model/Permission.ts
+++ b/api/src/model/Permission.ts
@@ -1,5 +1,11 @@
 import mongoose, { Schema, model, Document, Model } from 'mongoose'
 const AutoIncrement = require('mongoose-sequence')(mongoose)
+import { PermissionDetailsResponse } from '../controllers'
+
+interface GetPermissionBy {
+ user?: Schema.Types.ObjectId
+ group?: Schema.Types.ObjectId
+}
 interface IPermissionDocument extends Document {
 uri: string
@@ -11,7 +17,9 @@ interface IPermissionDocument extends Document {
 interface IPermission extends IPermissionDocument {}
-interface IPermissionModel extends Model {}
+interface IPermissionModel extends Model {
+ get(getBy: GetPermissionBy): Promise
+}
 const permissionSchema = new Schema({
 uri: {
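Review bot: In the new getAllPermissions, the non-admin branch is taken whenever `user?.isAdmin` is falsy, which includes the case where `req.user` is absent, so a request with no authenticated user goes on to run `User.findOne({ id: undefined })` and then either 404s or matches whatever Mongoose makes of an undefined filter value, instead of being rejected up front; add `if (!user) throw { code: 401, status: 'Unauthorized', message: 'Not authenticated.' }` before the admin check, in the error shape the hunk already uses. This matters more because the last hunk removes '/SASjsApi/permission' from StaticAuthorizedRoutes, and whether the route still sits behind authentication after that is not visible in this patch. `User` is not among the imports this patch adds to the controller, so confirm it was already imported further up the file. The per-group lookups are awaited one at a time; `const byGroup = await Promise.all(dbUser.groups.map((group) => Permission.get({ group })))` followed by `permissions.push(...byGroup.flat())` issues them in parallel with the same result.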
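Review bot: `import { PermissionDetailsResponse } from '../controllers'` makes the model depend on the controllers module, which in turn imports this model (the controller hunk above imports `Permission` from '../model/Permission'), so this introduces an import cycle at runtime; only the type is used, so `import type { PermissionDetailsResponse } from '../controllers'` keeps the typing and erases the runtime edge (provided the project's TypeScript version supports it). `GetPermissionBy` types its fields as `Schema.Types.ObjectId`, which is the schema-definition class, whereas the values the controller passes in are document ids (`dbUser._id` and the entries of `dbUser.groups`) — `mongoose.Types.ObjectId` is presumably the intended type; confirm against the User model. The same applies to the `get(getBy: GetPermissionBy)` signature added to `IPermissionModel` in the next hunk.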
@@ -28,6 +36,29 @@ const permissionSchema = new Schema({
 permissionSchema.plugin(AutoIncrement, { inc_field: 'permissionId' })
+// Static Methods
+permissionSchema.static('get', async function (getBy: GetPermissionBy): Promise<
+ PermissionDetailsResponse[]
+> {
+ return (await this.find(getBy)
+ .select({
+ _id: 0,
+ permissionId: 1,
+ uri: 1,
+ setting: 1
+ })
+ .populate({ path: 'user', select: 'id username displayName isAdmin -_id' })
+ .populate({
+ path: 'group',
+ select: 'groupId name description -_id',
+ populate: {
+ path: 'users',
+ select: 'id username displayName isAdmin -_id',
+ options: { limit: 15 }
+ }
+ })) as unknown as PermissionDetailsResponse[]
+})
+
 export const Permission: IPermissionModel = model<
 IPermission,
 IPermissionModel
diff --git a/api/src/routes/api/permission.ts b/api/src/routes/api/permission.ts
index 1cab853..9395124 100644
--- a/api/src/routes/api/permission.ts
+++ b/api/src/routes/api/permission.ts
@@ -11,7 +11,7 @@ const controller = new PermissionController()
 permissionRouter.get('/', async (req, res) => {
 try {
- const response = await controller.getAllPermissions()
+ const response = await controller.getAllPermissions(req)
 res.send(response)
 } catch (err: any) {
 const statusCode = err.code
diff --git a/api/src/utils/getAuthorizedRoutes.ts b/api/src/utils/getAuthorizedRoutes.ts
index 82f581b..a9ab123 100644
--- a/api/src/utils/getAuthorizedRoutes.ts
+++ b/api/src/utils/getAuthorizedRoutes.ts
@@ -9,8 +9,7 @@ const StaticAuthorizedRoutes = [
 '/SASjsApi/drive/file',
 '/SASjsApi/drive/folder',
 '/SASjsApi/drive/fileTree',
- '/SASjsApi/drive/rename',
- '/SASjsApi/permission'
+ '/SASjsApi/drive/rename'
 ]
 export const getAuthorizedRoutes = () => {
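Review bot: The new `get` static has no doc comment, and two of its behaviours are easy to miss from the controller call sites: the `getBy` object is passed straight into `this.find()` (so `{}` means every permission), and the nested `users` populate is capped at `options: { limit: 15 }`, so members of larger groups are silently dropped from the response. I would add above `permissionSchema.static('get', …)`: `/** Returns permissions matching the filter (user and/or group id; {} for all), shaped as PermissionDetailsResponse. Group member lists in the result are capped at 15 by the nested populate. */`. The `as unknown as PermissionDetailsResponse[]` double assertion is carried over from the controller, which means the declared return type is the only thing asserting the shape; keep the select/populate field lists and the interface in step, or the mismatch will not be caught by the compiler.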