Implement authorization service and refactor services to use it

- Added `AuthorizationService` and its implementation `AuthorizationServiceImpl` to handle permission checks across various services. - Refactored `AlbumServiceImpl`, `MediaServiceImpl`, `PersonServiceImpl`, and `TagServiceImpl` to utilize the new authorization service for permission checks. - Removed direct permission checks from services and replaced them with calls to the `AuthorizationService`. - Updated repository interfaces to include new methods for checking media permissions in shared albums. - Enhanced the `authz` module with new permission types for better granularity in access control. - Adjusted the `AppState` struct to include the new `authorization_service`.
2025-11-15 14:01:39 +01:00
parent ac8d16ba59
commit 8d05bdfd63
12 changed files with 547 additions and 292 deletions
--- a/libertas_infra/src/repositories/album_share_repository.rs
+++ b/libertas_infra/src/repositories/album_share_repository.rs
@@ -1,10 +1,12 @@
+use crate::db_models::PostgresAlbumPermission;
 use async_trait::async_trait;
 use libertas_core::{
-    error::{CoreError, CoreResult}, models::AlbumPermission, repositories::AlbumShareRepository
+    error::{CoreError, CoreResult},
+    models::AlbumPermission,
+    repositories::AlbumShareRepository,
 };
 use sqlx::PgPool;
 use uuid::Uuid;
-use crate::db_models::PostgresAlbumPermission;

 #[derive(Clone)]
 pub struct PostgresAlbumShareRepository {
@@ -83,4 +85,30 @@ impl AlbumShareRepository for PostgresAlbumShareRepository {

        Ok(result.exists.unwrap_or(false))
    }
+
+    async fn is_media_in_contributable_album(
+        &self,
+        media_id: Uuid,
+        user_id: Uuid,
+    ) -> CoreResult<bool> {
+        let result = sqlx::query!(
+            r#"
+            SELECT EXISTS (
+                SELECT 1
+                FROM album_media am
+                JOIN album_shares ash ON am.album_id = ash.album_id
+                WHERE am.media_id = $1 AND ash.user_id = $2
+                  AND ash.permission = $3
+            )
+            "#,
+            media_id,
+            user_id,
+            PostgresAlbumPermission::Contribute as PostgresAlbumPermission,
+        )
+        .fetch_one(&self.pool)
+        .await
+        .map_err(|e| CoreError::Database(e.to_string()))?;
+
+        Ok(result.exists.unwrap_or(false))
+    }
 }