feat: check permissions in realtime code and frontend

Signed-off-by: Philip Molares <philip.molares@udo.edu> Signed-off-by: Tilman Vatteroth <git@tilmanvatteroth.de>
2025-05-23 03:27:05 -04:00 · 2023-03-26 14:51:18 +02:00 · 2023-03-26 14:51:18 +02:00 · c2f41118b6
commit c2f41118b6
parent 24f1b2a361
27 changed files with 287 additions and 66 deletions
--- a/commons/src/utils/permissions.spec.ts
+++ b/commons/src/utils/permissions.spec.ts
@ -0,0 +1,87 @@
+/*
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { userCanEdit, userIsOwner } from './permissions.js'
+import { NotePermissions, SpecialGroup } from './permissions.types.js'
+import { describe, expect, it } from '@jest/globals'
+
+describe('Permissions', () => {
+  const testPermissions: NotePermissions = {
+    owner: 'owner',
+    sharedToUsers: [
+      {
+        username: 'logged_in',
+        canEdit: true
+      }
+    ],
+    sharedToGroups: [
+      {
+        groupName: SpecialGroup.EVERYONE,
+        canEdit: true
+      },
+      {
+        groupName: SpecialGroup.LOGGED_IN,
+        canEdit: true
+      }
+    ]
+  }
+  describe('userIsOwner', () => {
+    it('returns true, if user is owner', () => {
+      expect(userIsOwner(testPermissions, 'owner')).toBeTruthy()
+    })
+    it('returns false, if user is not ownerr', () => {
+      expect(userIsOwner(testPermissions, 'not_owner')).toBeFalsy()
+    })
+    it('returns false, if user is undefined', () => {
+      expect(userIsOwner(testPermissions, undefined)).toBeFalsy()
+    })
+  })
+
+  describe('userCanEdit', () => {
+    it('returns true, if user is owner', () => {
+      expect(userCanEdit(testPermissions, 'owner')).toBeTruthy()
+    })
+    it('returns true, if user is logged in and this is user specifically may edit', () => {
+      expect(
+        userCanEdit({ ...testPermissions, sharedToGroups: [] }, 'logged_in')
+      ).toBeTruthy()
+    })
+    it('returns true, if user is logged in and loggedIn users may edit', () => {
+      expect(
+        userCanEdit({ ...testPermissions, sharedToUsers: [] }, 'logged_in')
+      ).toBeTruthy()
+    })
+    it('returns true, if user is guest and guests are allowed to edit', () => {
+      expect(
+        userCanEdit({ ...testPermissions, sharedToUsers: [] }, undefined)
+      ).toBeTruthy()
+    })
+    it('returns false, if user is logged in and loggedIn users may not edit', () => {
+      expect(
+        userCanEdit(
+          { ...testPermissions, sharedToUsers: [], sharedToGroups: [] },
+          'logged_in'
+        )
+      ).toBeFalsy()
+    })
+    it('returns false, if user is guest and guests are not allowed to edit', () => {
+      expect(
+        userCanEdit(
+          {
+            ...testPermissions,
+            sharedToUsers: [],
+            sharedToGroups: [
+              {
+                groupName: SpecialGroup.LOGGED_IN,
+                canEdit: true
+              }
+            ]
+          },
+          undefined
+        )
+      ).toBeFalsy()
+    })
+  })
+})
--- a/commons/src/utils/permissions.ts
+++ b/commons/src/utils/permissions.ts
@ -0,0 +1,51 @@
+/*
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+import { NotePermissions, SpecialGroup } from './permissions.types.js'
+
+/**
+ * Checks if the given user is the owner of a note.
+ *
+ * @param permissions The permissions of the note to check
+ * @param user The username of the user
+ * @return True if the user is the owner of the note
+ */
+export const userIsOwner = (
+  permissions: NotePermissions,
+  user?: string
+): boolean => {
+  return !!user && permissions.owner === user
+}
+
+/**
+ * Checks if the given user may edit a note.
+ *
+ * @param permissions The permissions of the note to check
+ * @param user The username of the user
+ * @return True if the user has the permission to edit the note
+ */
+export const userCanEdit = (
+  permissions: NotePermissions,
+  user?: string
+): boolean => {
+  const isOwner = userIsOwner(permissions, user)
+  const mayWriteViaUserPermission = permissions.sharedToUsers.some(
+    (value) => value.canEdit && value.username === user
+  )
+  const mayWriteViaGroupPermission =
+    !!user &&
+    permissions.sharedToGroups.some(
+      (value) => value.groupName === SpecialGroup.LOGGED_IN && value.canEdit
+    )
+  const everyoneMayWriteViaGroupPermission = permissions.sharedToGroups.some(
+    (value) => value.groupName === SpecialGroup.EVERYONE && value.canEdit
+  )
+  return (
+    isOwner ||
+    mayWriteViaUserPermission ||
+    mayWriteViaGroupPermission ||
+    everyoneMayWriteViaGroupPermission
+  )
+}
--- a/commons/src/utils/permissions.types.ts
+++ b/commons/src/utils/permissions.types.ts
@ -0,0 +1,31 @@
+/*
+ * SPDX-FileCopyrightText: 2023 The HedgeDoc developers (see AUTHORS file)
+ *
+ * SPDX-License-Identifier: AGPL-3.0-only
+ */
+
+export interface NotePermissions {
+  owner: string | null
+  sharedToUsers: NoteUserPermissionEntry[]
+  sharedToGroups: NoteGroupPermissionEntry[]
+}
+
+export interface NoteUserPermissionEntry {
+  username: string
+  canEdit: boolean
+}
+
+export interface NoteGroupPermissionEntry {
+  groupName: string
+  canEdit: boolean
+}
+export enum AccessLevel {
+  NONE,
+  READ_ONLY,
+  WRITEABLE
+}
+
+export enum SpecialGroup {
+  EVERYONE = '_EVERYONE',
+  LOGGED_IN = '_LOGGED_IN'
+}