feat: implement album sharing functionality with permissions management

2025-11-02 17:39:11 +01:00
parent f49d9179f5
commit a36b59a5fb
11 changed files with 263 additions and 31 deletions
--- a/libertas_api/migrations/20251102161826_create_album_shares_table.sql
+++ b/libertas_api/migrations/20251102161826_create_album_shares_table.sql
@@ -0,0 +1,10 @@
+CREATE TYPE album_permission AS ENUM ('view', 'contribute');
+
+CREATE TABLE album_shares (
+    album_id UUID NOT NULL REFERENCES albums (id) ON DELETE CASCADE,
+    user_id UUID NOT NULL REFERENCES users (id) ON DELETE CASCADE,
+    permission album_permission NOT NULL,
+    PRIMARY KEY (album_id, user_id)
+);
+
+CREATE INDEX idx_album_shares_user_id ON album_shares (user_id);
--- a/libertas_api/src/factory.rs
+++ b/libertas_api/src/factory.rs
@@ -5,7 +5,8 @@ use libertas_core::{
    error::{CoreError, CoreResult},
 };
 use libertas_infra::factory::{
-    build_album_repository, build_database_pool, build_media_repository, build_user_repository,
+    build_album_repository, build_album_share_repository, build_database_pool,
+    build_media_repository, build_user_repository,
 };

 use crate::{
@@ -28,6 +29,7 @@ pub async fn build_app_state(config: Config) -> CoreResult<AppState> {
    let user_repo = build_user_repository(&config.database, db_pool.clone()).await?;
    let media_repo = build_media_repository(&config.database, db_pool.clone()).await?;
    let album_repo = build_album_repository(&config.database, db_pool.clone()).await?;
+    let album_share_repo = build_album_share_repository(&config.database, db_pool.clone()).await?;

    let hasher = Arc::new(Argon2Hasher::default());
    let tokenizer = Arc::new(JwtGenerator::new(config.jwt_secret.clone()));
@@ -40,10 +42,15 @@ pub async fn build_app_state(config: Config) -> CoreResult<AppState> {
    let media_service = Arc::new(MediaServiceImpl::new(
        media_repo.clone(),
        user_repo.clone(),
+        album_share_repo.clone(),
        config.clone(),
        nats_client.clone(),
    ));
-    let album_service = Arc::new(AlbumServiceImpl::new(album_repo, media_repo));
+    let album_service = Arc::new(AlbumServiceImpl::new(
+        album_repo,
+        media_repo,
+        album_share_repo,
+    ));

    Ok(AppState {
        user_service,
--- a/libertas_api/src/handlers/album_handlers.rs
+++ b/libertas_api/src/handlers/album_handlers.rs
@@ -3,7 +3,10 @@ use axum::{
    extract::{Path, State},
    http::StatusCode,
 };
-use libertas_core::schema::{AddMediaToAlbumData, CreateAlbumData};
+use libertas_core::{
+    models::AlbumPermission,
+    schema::{AddMediaToAlbumData, CreateAlbumData, ShareAlbumData},
+};
 use serde::Deserialize;
 use uuid::Uuid;

@@ -57,8 +60,32 @@ async fn add_media_to_album(
    Ok(StatusCode::OK)
 }

+#[derive(Deserialize)]
+pub struct ShareAlbumRequest {
+    target_user_id: Uuid,
+    permission: AlbumPermission,
+}
+
+async fn share_album(
+    State(state): State<AppState>,
+    UserId(owner_id): UserId, // The person sharing must be authenticated
+    Path(album_id): Path<Uuid>,
+    Json(payload): Json<ShareAlbumRequest>,
+) -> Result<StatusCode, ApiError> {
+    let data = ShareAlbumData {
+        album_id,
+        target_user_id: payload.target_user_id,
+        permission: payload.permission,
+    };
+
+    state.album_service.share_album(data, owner_id).await?;
+
+    Ok(StatusCode::OK)
+}
+
 pub fn album_routes() -> Router<AppState> {
    Router::new()
        .route("/", axum::routing::post(create_album))
        .route("/{album_id}/media", axum::routing::post(add_media_to_album))
+        .route("/{album_id}/share", axum::routing::post(share_album))
 }
--- a/libertas_api/src/services/album_service.rs
+++ b/libertas_api/src/services/album_service.rs
@@ -6,7 +6,7 @@ use libertas_core::{
    authz,
    error::{CoreError, CoreResult},
    models::Album,
-    repositories::{AlbumRepository, MediaRepository},
+    repositories::{AlbumRepository, AlbumShareRepository, MediaRepository},
    schema::{AddMediaToAlbumData, CreateAlbumData, ShareAlbumData},
    services::AlbumService,
 };
@@ -15,25 +15,21 @@ use uuid::Uuid;
 pub struct AlbumServiceImpl {
    album_repo: Arc<dyn AlbumRepository>,
    media_repo: Arc<dyn MediaRepository>,
+    album_share_repo: Arc<dyn AlbumShareRepository>,
 }

 impl AlbumServiceImpl {
-    pub fn new(album_repo: Arc<dyn AlbumRepository>, media_repo: Arc<dyn MediaRepository>) -> Self {
+    pub fn new(
+        album_repo: Arc<dyn AlbumRepository>,
+        media_repo: Arc<dyn MediaRepository>,
+        album_share_repo: Arc<dyn AlbumShareRepository>,
+    ) -> Self {
        Self {
            album_repo,
            media_repo,
+            album_share_repo,
        }
    }
-
-    async fn is_album_owner(&self, user_id: Uuid, album_id: Uuid) -> CoreResult<bool> {
-        let album = self
-            .album_repo
-            .find_by_id(album_id)
-            .await?
-            .ok_or(CoreError::NotFound("Album".to_string(), album_id))?;
-
-        Ok(album.owner_id == user_id)
-    }
 }

 #[async_trait]
@@ -66,7 +62,12 @@ impl AlbumService for AlbumServiceImpl {
            .await?
            .ok_or(CoreError::NotFound("Album".to_string(), album_id))?;

-        if !authz::is_owner(user_id, &album) {
+        let share_permission = self
+            .album_share_repo
+            .get_user_permission(album_id, user_id)
+            .await?;
+
+        if !authz::can_view_album(user_id, &album, share_permission) {
            return Err(CoreError::Auth("Access denied to album".to_string()));
        }

@@ -80,8 +81,15 @@ impl AlbumService for AlbumServiceImpl {
            .await?
            .ok_or(CoreError::NotFound("Album".to_string(), data.album_id))?;

-        if !authz::is_owner(user_id, &album) {
-            return Err(CoreError::Auth("User does not own this album".to_string()));
+        let share_permission = self
+            .album_share_repo
+            .get_user_permission(data.album_id, user_id)
+            .await?;
+
+        if !authz::can_contribute_to_album(user_id, &album, share_permission) {
+            return Err(CoreError::Auth(
+                "User does not have permission to add media to this album".to_string(),
+            ));
        }

        for media_id in &data.media_ids {
@@ -108,8 +116,27 @@ impl AlbumService for AlbumServiceImpl {
        self.album_repo.list_by_user(user_id).await
    }

-    async fn share_album(&self, _data: ShareAlbumData, _owner_id: Uuid) -> CoreResult<()> {
-        // This is not part of the MVP, but part of the trait
-        unimplemented!("Sharing will be implemented in a future phase")
+    async fn share_album(&self, data: ShareAlbumData, owner_id: Uuid) -> CoreResult<()> {
+        let album = self
+            .album_repo
+            .find_by_id(data.album_id)
+            .await?
+            .ok_or(CoreError::NotFound("Album".to_string(), data.album_id))?;
+
+        if !authz::is_owner(owner_id, &album) {
+            return Err(CoreError::Auth(
+                "Only the album owner can share the album".to_string(),
+            ));
+        }
+
+        if data.target_user_id == owner_id {
+            return Err(CoreError::Validation(
+                "Cannot share album with oneself".to_string(),
+            ));
+        }
+
+        self.album_share_repo
+            .create_or_update_share(data.album_id, data.target_user_id, data.permission)
+            .await
    }
 }
--- a/libertas_api/src/services/media_service.rs
+++ b/libertas_api/src/services/media_service.rs
@@ -8,7 +8,7 @@ use libertas_core::{
    config::Config,
    error::{CoreError, CoreResult},
    models::Media,
-    repositories::{MediaRepository, UserRepository},
+    repositories::{AlbumShareRepository, MediaRepository, UserRepository},
    schema::UploadMediaData,
    services::MediaService,
 };
@@ -20,6 +20,7 @@ use uuid::Uuid;
 pub struct MediaServiceImpl {
    repo: Arc<dyn MediaRepository>,
    user_repo: Arc<dyn UserRepository>,
+    album_share_repo: Arc<dyn AlbumShareRepository>,
    config: Config,
    nats_client: async_nats::Client,
 }
@@ -28,12 +29,14 @@ impl MediaServiceImpl {
    pub fn new(
        repo: Arc<dyn MediaRepository>,
        user_repo: Arc<dyn UserRepository>,
+        album_share_repo: Arc<dyn AlbumShareRepository>,
        config: Config,
        nats_client: async_nats::Client,
    ) -> Self {
        Self {
            repo,
            user_repo,
+            album_share_repo,
            config,
            nats_client,
        }
@@ -141,11 +144,20 @@ impl MediaService for MediaServiceImpl {
            .await?
            .ok_or(CoreError::NotFound("User".to_string(), user_id))?;

-        if !authz::is_owner(user_id, &media) && !authz::is_admin(&user) {
-            return Err(CoreError::Auth("Access denied".to_string()));
+        if authz::is_owner(user_id, &media) || authz::is_admin(&user) {
+            return Ok(media);
        }

-        Ok(media)
+        let is_shared = self
+            .album_share_repo
+            .is_media_in_shared_album(id, user_id)
+            .await?;
+
+        if is_shared {
+            return Ok(media);
+        }
+
+        Err(CoreError::Auth("Access denied".to_string()))
    }

    async fn list_user_media(&self, user_id: Uuid) -> CoreResult<Vec<Media>> {
@@ -165,10 +177,19 @@ impl MediaService for MediaServiceImpl {
            .await?
            .ok_or(CoreError::NotFound("User".to_string(), user_id))?;

-        if !authz::is_owner(user_id, &media) && !authz::is_admin(&user) {
-            return Err(CoreError::Auth("Access denied".to_string()));
+        if authz::is_owner(user_id, &media) || authz::is_admin(&user) {
+            return Ok(media.storage_path);
        }

-        Ok(media.storage_path)
+        let is_shared = self
+            .album_share_repo
+            .is_media_in_shared_album(id, user_id)
+            .await?;
+
+        if is_shared {
+            return Ok(media.storage_path);
+        }
+
+        Err(CoreError::Auth("Access denied".to_string()))
    }
 }