Implement authorization service and refactor services to use it

- Added `AuthorizationService` and its implementation `AuthorizationServiceImpl` to handle permission checks across various services. - Refactored `AlbumServiceImpl`, `MediaServiceImpl`, `PersonServiceImpl`, and `TagServiceImpl` to utilize the new authorization service for permission checks. - Removed direct permission checks from services and replaced them with calls to the `AuthorizationService`. - Updated repository interfaces to include new methods for checking media permissions in shared albums. - Enhanced the `authz` module with new permission types for better granularity in access control. - Adjusted the `AppState` struct to include the new `authorization_service`.
2025-11-15 14:01:39 +01:00
parent ac8d16ba59
commit 8d05bdfd63
12 changed files with 547 additions and 292 deletions
--- a/libertas_api/src/services/media_service.rs
+++ b/libertas_api/src/services/media_service.rs
@@ -1,9 +1,19 @@
-use std::{path::{Path, PathBuf}, sync::Arc};
+use std::{
+    path::{Path, PathBuf},
+    sync::Arc,
+};

 use async_trait::async_trait;
 use futures::stream::StreamExt;
 use libertas_core::{
-    authz, config::AppConfig, error::{CoreError, CoreResult}, media_utils::{ExtractedExif, extract_exif_data_from_bytes, get_storage_path_and_date}, models::{Media, MediaBundle, MediaMetadata}, repositories::{AlbumShareRepository, MediaMetadataRepository, MediaRepository, UserRepository}, schema::{ListMediaOptions, UploadMediaData}, services::MediaService
+    authz,
+    config::AppConfig,
+    error::{CoreError, CoreResult},
+    media_utils::{ExtractedExif, extract_exif_data_from_bytes, get_storage_path_and_date},
+    models::{Media, MediaBundle, MediaMetadata},
+    repositories::{MediaMetadataRepository, MediaRepository, UserRepository},
+    schema::{ListMediaOptions, UploadMediaData},
+    services::{AuthorizationService, MediaService},
 };
 use serde_json::json;
 use sha2::{Digest, Sha256};
@@ -13,8 +23,8 @@ use uuid::Uuid;
 pub struct MediaServiceImpl {
    repo: Arc<dyn MediaRepository>,
    user_repo: Arc<dyn UserRepository>,
-    album_share_repo: Arc<dyn AlbumShareRepository>,
    metadata_repo: Arc<dyn MediaMetadataRepository>,
+    auth_service: Arc<dyn AuthorizationService>,
    config: AppConfig,
    nats_client: async_nats::Client,
 }
@@ -23,16 +33,16 @@ impl MediaServiceImpl {
    pub fn new(
        repo: Arc<dyn MediaRepository>,
        user_repo: Arc<dyn UserRepository>,
-        album_share_repo: Arc<dyn AlbumShareRepository>,
        metadata_repo: Arc<dyn MediaMetadataRepository>,
+        auth_service: Arc<dyn AuthorizationService>,
        config: AppConfig,
        nats_client: async_nats::Client,
    ) -> Self {
        Self {
            repo,
            user_repo,
-            album_share_repo,
            metadata_repo,
+            auth_service,
            config,
            nats_client,
        }
@@ -52,21 +62,27 @@ impl MediaService for MediaServiceImpl {
            .await?;

        let file_bytes_clone = file_bytes.clone();
-        let extracted_data = tokio::task::spawn_blocking(move || {
-            extract_exif_data_from_bytes(&file_bytes_clone)
-        })
-        .await
-        .unwrap()?;
+        let extracted_data =
+            tokio::task::spawn_blocking(move || extract_exif_data_from_bytes(&file_bytes_clone))
+                .await
+                .unwrap()?;

-        let (storage_path_buf, _date_taken) =
-            get_storage_path_and_date(&extracted_data, &filename);
+        let (storage_path_buf, _date_taken) = get_storage_path_and_date(&extracted_data, &filename);

        let storage_path_str = self
            .persist_media_file(&file_bytes, &storage_path_buf)
            .await?;

        let media = self
-            .persist_media_metadata(owner_id, filename, mime_type, storage_path_str, hash, file_size, extracted_data)
+            .persist_media_metadata(
+                owner_id,
+                filename,
+                mime_type,
+                storage_path_str,
+                hash,
+                file_size,
+                extracted_data,
+            )
            .await?;

        self.publish_new_media_job(media.id).await?;
@@ -75,71 +91,48 @@ impl MediaService for MediaServiceImpl {
    }

    async fn get_media_details(&self, id: Uuid, user_id: Uuid) -> CoreResult<MediaBundle> {
+        self.auth_service
+            .check_permission(user_id, authz::Permission::ViewMedia(id))
+            .await?;
+
        let media = self
            .repo
            .find_by_id(id)
            .await?
            .ok_or(CoreError::NotFound("Media".to_string(), id))?;

-        let user = self
-            .user_repo
-            .find_by_id(user_id)
-            .await?
-            .ok_or(CoreError::NotFound("User".to_string(), user_id))?;
-
-        if !authz::is_owner(user_id, &media) && !authz::is_admin(&user) {
-             let is_shared = self
-            .album_share_repo
-            .is_media_in_shared_album(id, user_id)
-            .await?;
-
-            tracing::warn!("User {} attempted to access media {} without permission, media owner is: {}", user_id, id, media.owner_id);
-
-            if !is_shared {
-                tracing::warn!("User {} attempted to access media {} without permission, media owner is: {}", user_id, id, media.owner_id);
-                return Err(CoreError::Auth("Access denied".to_string()));
-            }
-        }
-
        let metadata = self.metadata_repo.find_by_media_id(id).await?;

        Ok(MediaBundle { media, metadata })
    }

-    async fn list_user_media(&self, user_id: Uuid, options: ListMediaOptions) -> CoreResult<Vec<Media>> {
+    async fn list_user_media(
+        &self,
+        user_id: Uuid,
+        options: ListMediaOptions,
+    ) -> CoreResult<Vec<Media>> {
        self.repo.list_by_user(user_id, &options).await
    }

    async fn get_media_filepath(&self, id: Uuid, user_id: Uuid) -> CoreResult<String> {
+        self.auth_service
+            .check_permission(user_id, authz::Permission::ViewMedia(id))
+            .await?;
+
        let media = self
            .repo
            .find_by_id(id)
            .await?
            .ok_or(CoreError::NotFound("Media".to_string(), id))?;

-        let user = self
-            .user_repo
-            .find_by_id(user_id)
-            .await?
-            .ok_or(CoreError::NotFound("User".to_string(), user_id))?;
-
-        if authz::is_owner(user_id, &media) || authz::is_admin(&user) {
-            return Ok(media.storage_path);
-        }
-
-        let is_shared = self
-            .album_share_repo
-            .is_media_in_shared_album(id, user_id)
-            .await?;
-
-        if is_shared {
-            return Ok(media.storage_path);
-        }
-
-        Err(CoreError::Auth("Access denied".to_string()))
+        Ok(media.storage_path)
    }

    async fn delete_media(&self, id: Uuid, user_id: Uuid) -> CoreResult<()> {
+        self.auth_service
+            .check_permission(user_id, authz::Permission::DeleteMedia(id))
+            .await?;
+
        let media = self
            .repo
            .find_by_id(id)
@@ -152,10 +145,6 @@ impl MediaService for MediaServiceImpl {
            .await?
            .ok_or(CoreError::NotFound("User".to_string(), user_id))?;

-        if !authz::is_owner(user_id, &media) && !authz::is_admin(&user) {
-            return Err(CoreError::Auth("Access denied".to_string()));
-        }
-
        let full_path = PathBuf::from(&self.config.media_library_path).join(&media.storage_path);
        self.repo.delete(id).await?;

@@ -227,7 +216,11 @@ impl MediaServiceImpl {
        Ok(())
    }

-    async fn persist_media_file(&self, file_bytes: &[u8], storage_path: &Path) -> CoreResult<String> {
+    async fn persist_media_file(
+        &self,
+        file_bytes: &[u8],
+        storage_path: &Path,
+    ) -> CoreResult<String> {
        let mut dest_path = PathBuf::from(&self.config.media_library_path);
        dest_path.push(storage_path);