Implement authorization service and refactor services to use it

- Added `AuthorizationService` and its implementation `AuthorizationServiceImpl` to handle permission checks across various services. - Refactored `AlbumServiceImpl`, `MediaServiceImpl`, `PersonServiceImpl`, and `TagServiceImpl` to utilize the new authorization service for permission checks. - Removed direct permission checks from services and replaced them with calls to the `AuthorizationService`. - Updated repository interfaces to include new methods for checking media permissions in shared albums. - Enhanced the `authz` module with new permission types for better granularity in access control. - Adjusted the `AppState` struct to include the new `authorization_service`.
2025-11-15 14:01:39 +01:00
parent ac8d16ba59
commit 8d05bdfd63
12 changed files with 547 additions and 292 deletions
--- a/libertas_api/src/services/album_service.rs
+++ b/libertas_api/src/services/album_service.rs
@@ -3,31 +3,31 @@ use std::sync::Arc;
 use async_trait::async_trait;
 use chrono::Utc;
 use libertas_core::{
-    authz,
+    authz::{self, Permission},
    error::{CoreError, CoreResult},
    models::Album,
-    repositories::{AlbumRepository, AlbumShareRepository, MediaRepository},
+    repositories::{AlbumRepository, AlbumShareRepository},
    schema::{AddMediaToAlbumData, CreateAlbumData, ShareAlbumData, UpdateAlbumData},
-    services::AlbumService,
+    services::{AlbumService, AuthorizationService},
 };
 use uuid::Uuid;

 pub struct AlbumServiceImpl {
    album_repo: Arc<dyn AlbumRepository>,
-    media_repo: Arc<dyn MediaRepository>,
    album_share_repo: Arc<dyn AlbumShareRepository>,
+    auth_service: Arc<dyn AuthorizationService>,
 }

 impl AlbumServiceImpl {
    pub fn new(
        album_repo: Arc<dyn AlbumRepository>,
-        media_repo: Arc<dyn MediaRepository>,
        album_share_repo: Arc<dyn AlbumShareRepository>,
+        auth_service: Arc<dyn AuthorizationService>,
    ) -> Self {
        Self {
            album_repo,
-            media_repo,
            album_share_repo,
+            auth_service,
        }
    }
 }
@@ -56,55 +56,28 @@ impl AlbumService for AlbumServiceImpl {
    }

    async fn get_album_details(&self, album_id: Uuid, user_id: Uuid) -> CoreResult<Album> {
+        self.auth_service
+            .check_permission(user_id, Permission::ViewAlbum(album_id))
+            .await?;
+
        let album = self
            .album_repo
            .find_by_id(album_id)
            .await?
            .ok_or(CoreError::NotFound("Album".to_string(), album_id))?;

-        let share_permission = self
-            .album_share_repo
-            .get_user_permission(album_id, user_id)
-            .await?;
-
-        if !authz::can_view_album(user_id, &album, share_permission) {
-            return Err(CoreError::Auth("Access denied to album".to_string()));
-        }
-
        Ok(album)
    }

    async fn add_media_to_album(&self, data: AddMediaToAlbumData, user_id: Uuid) -> CoreResult<()> {
-        let album = self
-            .album_repo
-            .find_by_id(data.album_id)
-            .await?
-            .ok_or(CoreError::NotFound("Album".to_string(), data.album_id))?;
-
-        let share_permission = self
-            .album_share_repo
-            .get_user_permission(data.album_id, user_id)
+        self.auth_service
+            .check_permission(user_id, Permission::AddToAlbum(data.album_id))
            .await?;

-        if !authz::can_contribute_to_album(user_id, &album, share_permission) {
-            return Err(CoreError::Auth(
-                "User does not have permission to add media to this album".to_string(),
-            ));
-        }
-
        for media_id in &data.media_ids {
-            let media = self
-                .media_repo
-                .find_by_id(*media_id)
-                .await?
-                .ok_or(CoreError::NotFound("Media".to_string(), *media_id))?;
-
-            if !authz::is_owner(user_id, &media) {
-                return Err(CoreError::Auth(format!(
-                    "Access denied to media item {}",
-                    media_id
-                )));
-            }
+            self.auth_service
+                .check_permission(*media_id, Permission::ViewMedia(*media_id))
+                .await?;
        }

        self.album_repo
@@ -117,17 +90,9 @@ impl AlbumService for AlbumServiceImpl {
    }

    async fn share_album(&self, data: ShareAlbumData, owner_id: Uuid) -> CoreResult<()> {
-        let album = self
-            .album_repo
-            .find_by_id(data.album_id)
-            .await?
-            .ok_or(CoreError::NotFound("Album".to_string(), data.album_id))?;
-
-        if !authz::is_owner(owner_id, &album) {
-            return Err(CoreError::Auth(
-                "Only the album owner can share the album".to_string(),
-            ));
-        }
+        self.auth_service
+            .check_permission(owner_id, Permission::ShareAlbum(data.album_id))
+            .await?;

        if data.target_user_id == owner_id {
            return Err(CoreError::Validation(
@@ -146,23 +111,16 @@ impl AlbumService for AlbumServiceImpl {
        user_id: Uuid,
        data: UpdateAlbumData<'_>,
    ) -> CoreResult<Album> {
+        self.auth_service
+            .check_permission(user_id, Permission::EditAlbum(album_id))
+            .await?;
+
        let mut album = self
            .album_repo
            .find_by_id(album_id)
            .await?
            .ok_or(CoreError::NotFound("Album".to_string(), album_id))?;

-        let share_permission = self
-            .album_share_repo
-            .get_user_permission(album_id, user_id)
-            .await?;
-
-        if !authz::can_contribute_to_album(user_id, &album, share_permission) {
-            return Err(CoreError::Auth(
-                "User does not have permission to update this album".to_string(),
-            ));
-        }
-
        if let Some(name) = data.name {
            if name.is_empty() {
                return Err(CoreError::Validation(
@@ -191,17 +149,9 @@ impl AlbumService for AlbumServiceImpl {
    }

    async fn delete_album(&self, album_id: Uuid, user_id: Uuid) -> CoreResult<()> {
-        let album = self
-            .album_repo
-            .find_by_id(album_id)
-            .await?
-            .ok_or(CoreError::NotFound("Album".to_string(), album_id))?;
-
-        if !authz::is_owner(user_id, &album) {
-            return Err(CoreError::Auth(
-                "Only the album owner can delete the album".to_string(),
-            ));
-        }
+        self.auth_service
+            .check_permission(user_id, Permission::DeleteAlbum(album_id))
+            .await?;

        self.album_repo.delete(album_id).await
    }