GKaszewski/libertas
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add user roles and storage quota management

Browse Source
This commit is contained in:
Gabriel Kaszewski
2025-11-02 17:17:13 +01:00
parent 596313b8c5
commit f49d9179f5
10 changed files with 183 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
libertas_api/migrations/20251102152326_add_user_roles_and_quotas.sql Normal file
View File

@@ -0,0 +1,4 @@
ALTER TABLE users
ADD COLUMN role TEXT NOT NULL DEFAULT 'user',
ADD COLUMN storage_quota BIGINT NOT NULL DEFAULT 10737418240, -- 10 GiB default
ADD COLUMN storage_used BIGINT NOT NULL DEFAULT 0;

7
libertas_api/src/factory.rs
View File

@@ -32,9 +32,14 @@ pub async fn build_app_state(config: Config) -> CoreResult<AppState> {
let hasher = Arc::new(Argon2Hasher::default());
let tokenizer = Arc::new(JwtGenerator::new(config.jwt_secret.clone()));
let user_service = Arc::new(UserServiceImpl::new(user_repo, hasher, tokenizer.clone()));
let user_service = Arc::new(UserServiceImpl::new(
user_repo.clone(),
hasher,
tokenizer.clone(),
));
let media_service = Arc::new(MediaServiceImpl::new(
media_repo.clone(),
user_repo.clone(),
config.clone(),
nats_client.clone(),
));

18
libertas_api/src/services/album_service.rs
View File

@@ -3,6 +3,7 @@ use std::sync::Arc;
use async_trait::async_trait;
use chrono::Utc;
use libertas_core::{
authz,
error::{CoreError, CoreResult},
models::Album,
repositories::{AlbumRepository, MediaRepository},
@@ -65,9 +66,7 @@ impl AlbumService for AlbumServiceImpl {
.await?
.ok_or(CoreError::NotFound("Album".to_string(), album_id))?;
// Security check: Only owner (for now) can see album details
if album.owner_id != user_id {
// Later, this would also check share permissions
if !authz::is_owner(user_id, &album) {
return Err(CoreError::Auth("Access denied to album".to_string()));
}
@@ -75,12 +74,16 @@ impl AlbumService for AlbumServiceImpl {
}
async fn add_media_to_album(&self, data: AddMediaToAlbumData, user_id: Uuid) -> CoreResult<()> {
// 1. Verify the user owns the album
if !self.is_album_owner(user_id, data.album_id).await? {
let album = self
.album_repo
.find_by_id(data.album_id)
.await?
.ok_or(CoreError::NotFound("Album".to_string(), data.album_id))?;
if !authz::is_owner(user_id, &album) {
return Err(CoreError::Auth("User does not own this album".to_string()));
}
// 2. Bonus: Verify the user owns all media items
for media_id in &data.media_ids {
let media = self
.media_repo
@@ -88,7 +91,7 @@ impl AlbumService for AlbumServiceImpl {
.await?
.ok_or(CoreError::NotFound("Media".to_string(), *media_id))?;
if media.owner_id != user_id {
if !authz::is_owner(user_id, &media) {
return Err(CoreError::Auth(format!(
"Access denied to media item {}",
media_id
@@ -96,7 +99,6 @@ impl AlbumService for AlbumServiceImpl {
}
}
// 3. Call the repository to add them
self.album_repo
.add_media_to_album(data.album_id, &data.media_ids)
.await

39
libertas_api/src/services/media_service.rs
View File

@@ -4,10 +4,11 @@ use async_trait::async_trait;
use chrono::Datelike;
use futures::stream::StreamExt;
use libertas_core::{
authz,
config::Config,
error::{CoreError, CoreResult},
models::Media,
repositories::MediaRepository,
repositories::{MediaRepository, UserRepository},
schema::UploadMediaData,
services::MediaService,
};
@@ -18,6 +19,7 @@ use uuid::Uuid;
pub struct MediaServiceImpl {
repo: Arc<dyn MediaRepository>,
user_repo: Arc<dyn UserRepository>,
config: Config,
nats_client: async_nats::Client,
}
@@ -25,11 +27,13 @@ pub struct MediaServiceImpl {
impl MediaServiceImpl {
pub fn new(
repo: Arc<dyn MediaRepository>,
user_repo: Arc<dyn UserRepository>,
config: Config,
nats_client: async_nats::Client,
) -> Self {
Self {
repo,
user_repo,
config,
nats_client,
}
@@ -39,6 +43,12 @@ impl MediaServiceImpl {
#[async_trait]
impl MediaService for MediaServiceImpl {
async fn upload_media(&self, mut data: UploadMediaData<'_>) -> CoreResult<Media> {
let user = self
.user_repo
.find_by_id(data.owner_id)
.await?
.ok_or(CoreError::NotFound("User".to_string(), data.owner_id))?;
let mut hasher = Sha256::new();
let mut file_bytes = Vec::new();
@@ -47,6 +57,14 @@ impl MediaService for MediaServiceImpl {
hasher.update(&chunk);
file_bytes.extend_from_slice(&chunk);
}
let file_size = file_bytes.len() as i64;
if user.storage_used + file_size > user.storage_quota {
return Err(CoreError::Auth(format!(
"Storage quota exceeded. Used: {}, Quota: {}",
user.storage_used, user.storage_quota
)));
}
let hash = format!("{:x}", hasher.finalize());
@@ -97,6 +115,9 @@ impl MediaService for MediaServiceImpl {
};
self.repo.create(&media_model).await?;
self.user_repo
.update_storage_used(user.id, file_size)
.await?;
let job_payload = json!({ "media_id": media_model.id });
self.nats_client
@@ -114,7 +135,13 @@ impl MediaService for MediaServiceImpl {
.await?
.ok_or(CoreError::NotFound("Media".to_string(), id))?;
if media.owner_id != user_id {
let user = self
.user_repo
.find_by_id(user_id)
.await?
.ok_or(CoreError::NotFound("User".to_string(), user_id))?;
if !authz::is_owner(user_id, &media) && !authz::is_admin(&user) {
return Err(CoreError::Auth("Access denied".to_string()));
}
@@ -132,7 +159,13 @@ impl MediaService for MediaServiceImpl {
.await?
.ok_or(CoreError::NotFound("Media".to_string(), id))?;
if media.owner_id != user_id {
let user = self
.user_repo
.find_by_id(user_id)
.await?
.ok_or(CoreError::NotFound("User".to_string(), user_id))?;
if !authz::is_owner(user_id, &media) && !authz::is_admin(&user) {
return Err(CoreError::Auth("Access denied".to_string()));
}

5
libertas_api/src/services/user_service.rs
View File

@@ -3,7 +3,7 @@ use std::sync::Arc;
use async_trait::async_trait;
use libertas_core::{
error::{CoreError, CoreResult},
models::User,
models::{Role, User},
repositories::UserRepository,
schema::{CreateUserData, LoginUserData},
services::UserService,
@@ -57,6 +57,9 @@ impl UserService for UserServiceImpl {
hashed_password,
created_at: chrono::Utc::now(),
updated_at: chrono::Utc::now(),
role: Role::User,
storage_quota: 10 * 1024 * 1024 * 1024, // 10 GB
storage_used: 0,
};
self.repo.create(user.clone()).await?;

25
libertas_core/src/authz.rs Normal file
View File

@@ -0,0 +1,25 @@
use uuid::Uuid;
use crate::models::{Album, Media, Role, User};
pub trait Ownable {
fn owner_id(&self) -> Uuid;
}
impl Ownable for Media {
fn owner_id(&self) -> Uuid {
self.owner_id
}
}
impl Ownable for Album {
fn owner_id(&self) -> Uuid {
self.owner_id
}
}
pub fn is_admin(user: &User) -> bool {
user.role == Role::Admin
}
pub fn is_owner(user_id: Uuid, entity: &impl Ownable) -> bool {
user_id == entity.owner_id()
}

1
libertas_core/src/lib.rs
View File

@@ -1,3 +1,4 @@
pub mod authz;
pub mod config;
pub mod error;
pub mod models;

23
libertas_core/src/models.rs
View File

@@ -1,3 +1,20 @@
#[derive(Debug, Clone, PartialEq, Eq, sqlx::Type)]
#[sqlx(rename_all = "lowercase")]
#[sqlx(type_name = "TEXT")]
pub enum Role {
User,
Admin,
}
impl Role {
pub fn as_str(&self) -> &'static str {
match self {
Role::User => "user",
Role::Admin => "admin",
}
}
}
pub struct Media {
pub id: uuid::Uuid,
pub owner_id: uuid::Uuid,
@@ -11,7 +28,7 @@ pub struct Media {
pub height: Option<i32>,
}
#[derive(Clone)]
#[derive(Clone, sqlx::FromRow)]
pub struct User {
pub id: uuid::Uuid,
pub username: String,
@@ -19,6 +36,10 @@ pub struct User {
pub hashed_password: String,
pub created_at: chrono::DateTime<chrono::Utc>,
pub updated_at: chrono::DateTime<chrono::Utc>,
pub role: Role,
pub storage_quota: i64, // in bytes
pub storage_used: i64, // in bytes
}
pub struct Album {

1
libertas_core/src/repositories.rs
View File

@@ -27,6 +27,7 @@ pub trait UserRepository: Send + Sync {
async fn find_by_email(&self, email: &str) -> CoreResult<Option<User>>;
async fn find_by_username(&self, username: &str) -> CoreResult<Option<User>>;
async fn find_by_id(&self, id: Uuid) -> CoreResult<Option<User>>;
async fn update_storage_used(&self, user_id: Uuid, bytes: i64) -> CoreResult<()>;
}
#[async_trait]

72
libertas_infra/src/repositories/user_repository.rs
View File

@@ -1,7 +1,7 @@
use async_trait::async_trait;
use libertas_core::{
error::{CoreError, CoreResult},
models::User,
models::{Role, User},
repositories::UserRepository,
};
use sqlx::{PgPool, SqlitePool, types::Uuid};
@@ -33,15 +33,18 @@ impl UserRepository for PostgresUserRepository {
async fn create(&self, user: User) -> CoreResult<()> {
sqlx::query!(
r#"
INSERT INTO users (id, username, email, hashed_password, created_at, updated_at)
VALUES ($1, $2, $3, $4, $5, $6)
INSERT INTO users (id, username, email, hashed_password, created_at, updated_at, role, storage_quota, storage_used)
VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9)
"#,
user.id,
user.username,
user.email,
user.hashed_password,
user.created_at,
user.updated_at
user.updated_at,
user.role.as_str(),
user.storage_quota,
user.storage_used
)
.execute(&self.pool)
.await
@@ -51,25 +54,75 @@ impl UserRepository for PostgresUserRepository {
}
async fn find_by_email(&self, email: &str) -> CoreResult<Option<User>> {
sqlx::query_as!(User, "SELECT * FROM users WHERE email = $1", email)
sqlx::query_as!(
User,
r#"
SELECT
id, username, email, hashed_password, created_at, updated_at,
role as "role: Role",
storage_quota, storage_used
FROM users
WHERE email = $1
"#,
email
)
.fetch_optional(&self.pool)
.await
.map_err(|e| CoreError::Database(e.to_string()))
}
async fn find_by_username(&self, username: &str) -> CoreResult<Option<User>> {
sqlx::query_as!(User, "SELECT * FROM users WHERE username = $1", username)
sqlx::query_as!(
User,
r#"
SELECT
id, username, email, hashed_password, created_at, updated_at,
role as "role: Role",
storage_quota, storage_used
FROM users
WHERE username = $1
"#,
username
)
.fetch_optional(&self.pool)
.await
.map_err(|e| CoreError::Database(e.to_string()))
}
async fn find_by_id(&self, id: Uuid) -> CoreResult<Option<User>> {
sqlx::query_as!(User, "SELECT * FROM users WHERE id = $1", id)
sqlx::query_as!(
User,
r#"
SELECT
id, username, email, hashed_password, created_at, updated_at,
role as "role: Role",
storage_quota, storage_used
FROM users
WHERE id = $1
"#,
id
)
.fetch_optional(&self.pool)
.await
.map_err(|e| CoreError::Database(e.to_string()))
}
async fn update_storage_used(&self, user_id: Uuid, bytes: i64) -> CoreResult<()> {
sqlx::query!(
r#"
UPDATE users
SET storage_used = storage_used + $1, updated_at = NOW()
WHERE id = $2
"#,
bytes,
user_id
)
.execute(&self.pool)
.await
.map_err(|e| CoreError::Database(e.to_string()))?;
Ok(())
}
}
#[async_trait]
@@ -93,4 +146,9 @@ impl UserRepository for SqliteUserRepository {
println!("SQLITE REPO: Finding user by id");
Ok(None)
}
async fn update_storage_used(&self, _user_id: Uuid, _bytes: i64) -> CoreResult<()> {
println!("SQLITE REPO: Updating user storage used");
Ok(())
}
}