GKaszewski/libertas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Implement authorization service and refactor services to use it

Browse Source 
- Added `AuthorizationService` and its implementation `AuthorizationServiceImpl` to handle permission checks across various services.
- Refactored `AlbumServiceImpl`, `MediaServiceImpl`, `PersonServiceImpl`, and `TagServiceImpl` to utilize the new authorization service for permission checks.
- Removed direct permission checks from services and replaced them with calls to the `AuthorizationService`.
- Updated repository interfaces to include new methods for checking media permissions in shared albums.
- Enhanced the `authz` module with new permission types for better granularity in access control.
- Adjusted the `AppState` struct to include the new `authorization_service`.
This commit is contained in:
Gabriel Kaszewski
2025-11-15 14:01:39 +01:00
parent ac8d16ba59
commit 8d05bdfd63
12 changed files with 547 additions and 292 deletions
Download Patch File Download Diff File Expand all files Collapse all files

170
libertas_api/src/services/person_service.rs
View File

@@ -1,119 +1,50 @@
use std::sync::Arc;
use async_trait::async_trait;
use libertas_core::{authz, error::{CoreError, CoreResult}, models::{FaceRegion, Media, Person, PersonPermission}, repositories::{FaceRegionRepository, MediaRepository, PersonRepository, PersonShareRepository}, services::PersonService};
use libertas_core::{
authz,
error::{CoreError, CoreResult},
models::{FaceRegion, Person, PersonPermission},
repositories::{FaceRegionRepository, PersonRepository, PersonShareRepository},
services::{AuthorizationService, PersonService},
};
use uuid::Uuid;
pub struct PersonServiceImpl {
person_repo: Arc<dyn PersonRepository>,
face_repo: Arc<dyn FaceRegionRepository>,
media_repo: Arc<dyn MediaRepository>,
person_share_repo: Arc<dyn PersonShareRepository>,
auth_service: Arc<dyn AuthorizationService>,
}
impl PersonServiceImpl {
pub fn new(
person_repo: Arc<dyn PersonRepository>,
face_repo: Arc<dyn FaceRegionRepository>,
media_repo: Arc<dyn MediaRepository>,
person_share_repo: Arc<dyn PersonShareRepository>,
auth_service: Arc<dyn AuthorizationService>,
) -> Self {
Self {
person_repo,
face_repo,
media_repo,
person_share_repo,
auth_service,
}
}
async fn get_and_authorize_person_owner(
&self,
person_id: Uuid,
user_id: Uuid,
) -> CoreResult<Person> {
async fn get_person(&self, person_id: Uuid) -> CoreResult<Person> {
let person = self
.person_repo
.find_by_id(person_id)
.await?
.ok_or(CoreError::NotFound("Person".to_string(), person_id))?;
if person.owner_id != user_id {
return Err(CoreError::Auth(
"User must be the owner to perform this action".to_string(),
));
}
.person_repo
.find_by_id(person_id)
.await?
.ok_or(CoreError::NotFound("Person".to_string(), person_id))?;
Ok(person)
}
async fn get_and_authorize_person_access(
&self,
person_id: Uuid,
user_id: Uuid,
) -> CoreResult<Person> {
let person = self
.person_repo
.find_by_id(person_id)
.await?
.ok_or(CoreError::NotFound("Person".to_string(), person_id))?;
let share_permission = self.person_share_repo.get_user_permission(person_id, user_id).await?;
if !authz::can_access_person(user_id, &person, share_permission) {
return Err(CoreError::Auth(
"User does not have permission to access this person".to_string(),
));
}
Ok(person)
}
async fn get_and_authorize_person_usage(
&self,
person_id: Uuid,
user_id: Uuid,
) -> CoreResult<Person> {
let person = self
.person_repo
.find_by_id(person_id)
.await?
.ok_or(CoreError::NotFound("Person".to_string(), person_id))?;
let share_permission = self.person_share_repo.get_user_permission(person_id, user_id).await?;
if !authz::can_edit_person(user_id, &person, share_permission) {
return Err(CoreError::Auth(
"User does not have permission to use this person".to_string(),
));
}
Ok(person)
}
async fn authorize_media_access(
&self,
media_id: Uuid,
user_id: Uuid,
) -> CoreResult<Media> {
let media = self.media_repo.find_by_id(media_id).await?.ok_or(CoreError::NotFound("Media".to_string(), media_id))?;
if !authz::is_owner(user_id, &media) {
return Err(CoreError::Auth(
"User does not have permission to access this media".to_string(),
));
}
Ok(media)
}
}
#[async_trait]
impl PersonService for PersonServiceImpl {
async fn create_person(
&self,
name: &str,
owner_id: Uuid,
) -> CoreResult<Person> {
async fn create_person(&self, name: &str, owner_id: Uuid) -> CoreResult<Person> {
let person = Person {
id: Uuid::new_v4(),
owner_id,
@@ -127,21 +58,28 @@ impl PersonService for PersonServiceImpl {
}
async fn get_person(&self, person_id: Uuid, user_id: Uuid) -> CoreResult<Person> {
self.get_and_authorize_person_access(person_id, user_id).await
self.auth_service
.check_permission(user_id, authz::Permission::ViewPerson(person_id))
.await?;
self.person_repo
.find_by_id(person_id)
.await?
.ok_or(CoreError::NotFound("Person".to_string(), person_id))
}
async fn list_people(&self, user_id: Uuid) -> CoreResult<Vec<Person>> {
let mut owned_people = self.person_repo.list_by_user(user_id).await?;
let shared_people_with_perms = self
.person_share_repo
.list_people_shared_with_user(user_id)
.await?;
.person_share_repo
.list_people_shared_with_user(user_id)
.await?;
let shared_people = shared_people_with_perms
.into_iter()
.map(|(person, _permission)| person)
.collect::<Vec<Person>>();
.into_iter()
.map(|(person, _permission)| person)
.collect::<Vec<Person>>();
owned_people.extend(shared_people);
@@ -154,14 +92,22 @@ impl PersonService for PersonServiceImpl {
name: &str,
user_id: Uuid,
) -> CoreResult<Person> {
let mut person = self.get_and_authorize_person_owner(person_id, user_id).await?;
self.auth_service
.check_permission(user_id, authz::Permission::EditPerson(person_id))
.await?;
let mut person = self.get_person(person_id).await?;
person.name = name.to_string();
self.person_repo.update(person.clone()).await?;
Ok(person)
}
async fn delete_person(&self, person_id: Uuid, user_id: Uuid) -> CoreResult<()> {
self.get_and_authorize_person_owner(person_id, user_id).await?;
self.auth_service
.check_permission(user_id, authz::Permission::DeletePerson(person_id))
.await?;
self.person_repo.delete(person_id).await
}
@@ -171,15 +117,21 @@ impl PersonService for PersonServiceImpl {
person_id: Uuid,
user_id: Uuid,
) -> CoreResult<FaceRegion> {
self.get_and_authorize_person_usage(person_id, user_id).await?;
self.auth_service
.check_permission(user_id, authz::Permission::UsePerson(person_id))
.await?;
self.auth_service
.check_permission(user_id, authz::Permission::AssignFace(face_region_id))
.await?;
let mut face = self
.face_repo
.find_by_id(face_region_id)
.await?
.ok_or(CoreError::NotFound("FaceRegion".to_string(), face_region_id))?;
self.authorize_media_access(face.media_id, user_id).await?;
let mut face =
self.face_repo
.find_by_id(face_region_id)
.await?
.ok_or(CoreError::NotFound(
"FaceRegion".to_string(),
face_region_id,
))?;
self.face_repo
.update_person_id(face_region_id, person_id)
@@ -194,7 +146,9 @@ impl PersonService for PersonServiceImpl {
media_id: Uuid,
user_id: Uuid,
) -> CoreResult<Vec<FaceRegion>> {
self.authorize_media_access(media_id, user_id).await?;
self.auth_service
.check_permission(user_id, authz::Permission::ViewFaces(media_id))
.await?;
self.face_repo.find_by_media_id(media_id).await
}
@@ -206,7 +160,9 @@ impl PersonService for PersonServiceImpl {
permission: PersonPermission,
owner_id: Uuid,
) -> CoreResult<()> {
self.get_and_authorize_person_owner(person_id, owner_id).await?;
self.auth_service
.check_permission(owner_id, authz::Permission::SharePerson(person_id))
.await?;
self.person_share_repo
.create_or_update_share(person_id, target_user_id, permission)
@@ -219,10 +175,12 @@ impl PersonService for PersonServiceImpl {
target_user_id: Uuid,
owner_id: Uuid,
) -> CoreResult<()> {
self.get_and_authorize_person_owner(person_id, owner_id).await?;
self.auth_service
.check_permission(owner_id, authz::Permission::SharePerson(person_id))
.await?;
self.person_share_repo
.remove_share(person_id, target_user_id)
.await
}
}
}