2022-10-30 10:28:14 +02:00
|
|
|
package apis
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
2022-11-17 14:17:10 +02:00
|
|
|
"strings"
|
2022-10-30 10:28:14 +02:00
|
|
|
|
|
|
|
"github.com/labstack/echo/v5"
|
|
|
|
"github.com/pocketbase/dbx"
|
|
|
|
"github.com/pocketbase/pocketbase/daos"
|
|
|
|
"github.com/pocketbase/pocketbase/models"
|
|
|
|
"github.com/pocketbase/pocketbase/resolvers"
|
|
|
|
"github.com/pocketbase/pocketbase/tools/rest"
|
|
|
|
"github.com/pocketbase/pocketbase/tools/search"
|
|
|
|
)
|
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
const ContextRequestDataKey = "requestData"
|
2022-10-30 10:28:14 +02:00
|
|
|
|
2022-11-18 13:32:32 +02:00
|
|
|
// Deprecated: Will be removed after v0.9. Use apis.RequestData(c) instead.
|
|
|
|
func GetRequestData(c echo.Context) *models.RequestData {
|
|
|
|
return RequestData(c)
|
|
|
|
}
|
|
|
|
|
|
|
|
// RequestData exports cached common request data fields
|
2022-11-17 14:17:10 +02:00
|
|
|
// (query, body, logged auth state, etc.) from the provided context.
|
2022-11-18 13:32:32 +02:00
|
|
|
func RequestData(c echo.Context) *models.RequestData {
|
|
|
|
// return cached to avoid copying the body multiple times
|
2022-11-17 14:17:10 +02:00
|
|
|
if v := c.Get(ContextRequestDataKey); v != nil {
|
2022-11-18 13:32:32 +02:00
|
|
|
if data, ok := v.(*models.RequestData); ok {
|
2022-11-17 14:17:10 +02:00
|
|
|
return data
|
|
|
|
}
|
|
|
|
}
|
2022-10-30 10:28:14 +02:00
|
|
|
|
2022-11-18 13:32:32 +02:00
|
|
|
result := &models.RequestData{
|
2022-11-17 14:17:10 +02:00
|
|
|
Method: c.Request().Method,
|
|
|
|
Query: map[string]any{},
|
|
|
|
Data: map[string]any{},
|
|
|
|
}
|
2022-10-30 10:28:14 +02:00
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
result.AuthRecord, _ = c.Get(ContextAuthRecordKey).(*models.Record)
|
|
|
|
result.Admin, _ = c.Get(ContextAdminKey).(*models.Admin)
|
|
|
|
echo.BindQueryParams(c, &result.Query)
|
|
|
|
rest.BindBody(c, &result.Data)
|
2022-10-30 10:28:14 +02:00
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
c.Set(ContextRequestDataKey, result)
|
2022-10-30 10:28:14 +02:00
|
|
|
|
|
|
|
return result
|
|
|
|
}
|
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
// EnrichRecord parses the request context and enrich the provided record:
|
|
|
|
// - expands relations (if defaultExpands and/or ?expand query param is set)
|
|
|
|
// - ensures that the emails of the auth record and its expanded auth relations
|
|
|
|
// are visibe only for the current logged admin, record owner or record with manage access
|
|
|
|
func EnrichRecord(c echo.Context, dao *daos.Dao, record *models.Record, defaultExpands ...string) error {
|
|
|
|
return EnrichRecords(c, dao, []*models.Record{record}, defaultExpands...)
|
|
|
|
}
|
|
|
|
|
|
|
|
// EnrichRecords parses the request context and enriches the provided records:
|
|
|
|
// - expands relations (if defaultExpands and/or ?expand query param is set)
|
|
|
|
// - ensures that the emails of the auth records and their expanded auth relations
|
|
|
|
// are visibe only for the current logged admin, record owner or record with manage access
|
|
|
|
func EnrichRecords(c echo.Context, dao *daos.Dao, records []*models.Record, defaultExpands ...string) error {
|
2022-11-18 13:32:32 +02:00
|
|
|
requestData := RequestData(c)
|
2022-11-17 14:17:10 +02:00
|
|
|
|
|
|
|
if err := autoIgnoreAuthRecordsEmailVisibility(dao, records, requestData); err != nil {
|
|
|
|
return fmt.Errorf("Failed to resolve email visibility: %v", err)
|
|
|
|
}
|
|
|
|
|
|
|
|
expands := defaultExpands
|
|
|
|
expands = append(expands, strings.Split(c.QueryParam(expandQueryParam), ",")...)
|
|
|
|
if len(expands) == 0 {
|
|
|
|
return nil // nothing to expand
|
|
|
|
}
|
|
|
|
|
|
|
|
errs := dao.ExpandRecords(records, expands, expandFetch(dao, requestData))
|
|
|
|
if len(errs) > 0 {
|
|
|
|
return fmt.Errorf("Failed to expand: %v", errs)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2022-10-30 10:28:14 +02:00
|
|
|
// expandFetch is the records fetch function that is used to expand related records.
|
|
|
|
func expandFetch(
|
|
|
|
dao *daos.Dao,
|
2022-11-18 13:32:32 +02:00
|
|
|
requestData *models.RequestData,
|
2022-10-30 10:28:14 +02:00
|
|
|
) daos.ExpandFetchFunc {
|
|
|
|
return func(relCollection *models.Collection, relIds []string) ([]*models.Record, error) {
|
|
|
|
records, err := dao.FindRecordsByIds(relCollection.Id, relIds, func(q *dbx.SelectQuery) error {
|
2022-11-17 14:17:10 +02:00
|
|
|
if requestData.Admin != nil {
|
2022-10-30 10:28:14 +02:00
|
|
|
return nil // admins can access everything
|
|
|
|
}
|
|
|
|
|
|
|
|
if relCollection.ViewRule == nil {
|
|
|
|
return fmt.Errorf("Only admins can view collection %q records", relCollection.Name)
|
|
|
|
}
|
|
|
|
|
|
|
|
if *relCollection.ViewRule != "" {
|
|
|
|
resolver := resolvers.NewRecordFieldResolver(dao, relCollection, requestData, true)
|
|
|
|
expr, err := search.FilterData(*(relCollection.ViewRule)).BuildExpr(resolver)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
resolver.UpdateQuery(q)
|
|
|
|
q.AndWhere(expr)
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
})
|
|
|
|
|
|
|
|
if err == nil && len(records) > 0 {
|
2022-11-17 14:17:10 +02:00
|
|
|
autoIgnoreAuthRecordsEmailVisibility(dao, records, requestData)
|
2022-10-30 10:28:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return records, err
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// autoIgnoreAuthRecordsEmailVisibility ignores the email visibility check for
|
|
|
|
// the provided record if the current auth model is admin, owner or a "manager".
|
|
|
|
//
|
|
|
|
// Note: Expects all records to be from the same auth collection!
|
|
|
|
func autoIgnoreAuthRecordsEmailVisibility(
|
|
|
|
dao *daos.Dao,
|
|
|
|
records []*models.Record,
|
2022-11-18 13:32:32 +02:00
|
|
|
requestData *models.RequestData,
|
2022-10-30 10:28:14 +02:00
|
|
|
) error {
|
|
|
|
if len(records) == 0 || !records[0].Collection().IsAuth() {
|
|
|
|
return nil // nothing to check
|
|
|
|
}
|
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
if requestData.Admin != nil {
|
2022-10-30 10:28:14 +02:00
|
|
|
for _, rec := range records {
|
|
|
|
rec.IgnoreEmailVisibility(true)
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
collection := records[0].Collection()
|
|
|
|
|
|
|
|
mappedRecords := make(map[string]*models.Record, len(records))
|
2022-11-26 09:05:52 +02:00
|
|
|
recordIds := make([]any, len(records))
|
|
|
|
for i, rec := range records {
|
2022-10-30 10:28:14 +02:00
|
|
|
mappedRecords[rec.Id] = rec
|
2022-11-26 09:05:52 +02:00
|
|
|
recordIds[i] = rec.Id
|
2022-10-30 10:28:14 +02:00
|
|
|
}
|
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
if requestData != nil && requestData.AuthRecord != nil && mappedRecords[requestData.AuthRecord.Id] != nil {
|
|
|
|
mappedRecords[requestData.AuthRecord.Id].IgnoreEmailVisibility(true)
|
2022-10-30 10:28:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
authOptions := collection.AuthOptions()
|
|
|
|
if authOptions.ManageRule == nil || *authOptions.ManageRule == "" {
|
|
|
|
return nil // no manage rule to check
|
|
|
|
}
|
|
|
|
|
|
|
|
// fetch the ids of the managed records
|
|
|
|
// ---
|
|
|
|
managedIds := []string{}
|
|
|
|
|
|
|
|
query := dao.RecordQuery(collection).
|
|
|
|
Select(dao.DB().QuoteSimpleColumnName(collection.Name) + ".id").
|
|
|
|
AndWhere(dbx.In(dao.DB().QuoteSimpleColumnName(collection.Name)+".id", recordIds...))
|
|
|
|
|
|
|
|
resolver := resolvers.NewRecordFieldResolver(dao, collection, requestData, true)
|
|
|
|
expr, err := search.FilterData(*authOptions.ManageRule).BuildExpr(resolver)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
resolver.UpdateQuery(query)
|
|
|
|
query.AndWhere(expr)
|
|
|
|
|
|
|
|
if err := query.Column(&managedIds); err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
// ---
|
|
|
|
|
|
|
|
// ignore the email visibility check for the managed records
|
|
|
|
for _, id := range managedIds {
|
|
|
|
if rec, ok := mappedRecords[id]; ok {
|
|
|
|
rec.IgnoreEmailVisibility(true)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
// hasAuthManageAccess checks whether the client is allowed to have full
|
|
|
|
// [forms.RecordUpsert] auth management permissions
|
|
|
|
// (aka. allowing to change system auth fields without oldPassword).
|
|
|
|
func hasAuthManageAccess(
|
|
|
|
dao *daos.Dao,
|
|
|
|
record *models.Record,
|
2022-11-18 13:32:32 +02:00
|
|
|
requestData *models.RequestData,
|
2022-10-30 10:28:14 +02:00
|
|
|
) bool {
|
|
|
|
if !record.Collection().IsAuth() {
|
|
|
|
return false
|
|
|
|
}
|
|
|
|
|
|
|
|
manageRule := record.Collection().AuthOptions().ManageRule
|
|
|
|
|
|
|
|
if manageRule == nil || *manageRule == "" {
|
|
|
|
return false // only for admins (manageRule can't be empty)
|
|
|
|
}
|
|
|
|
|
2022-11-17 14:17:10 +02:00
|
|
|
if requestData == nil || requestData.AuthRecord == nil {
|
2022-10-30 10:28:14 +02:00
|
|
|
return false // no auth record
|
|
|
|
}
|
|
|
|
|
|
|
|
ruleFunc := func(q *dbx.SelectQuery) error {
|
|
|
|
resolver := resolvers.NewRecordFieldResolver(dao, record.Collection(), requestData, true)
|
|
|
|
expr, err := search.FilterData(*manageRule).BuildExpr(resolver)
|
|
|
|
if err != nil {
|
|
|
|
return err
|
|
|
|
}
|
|
|
|
resolver.UpdateQuery(q)
|
|
|
|
q.AndWhere(expr)
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
|
|
|
_, findErr := dao.FindRecordById(record.Collection().Id, record.Id, ruleFunc)
|
|
|
|
|
|
|
|
return findErr == nil
|
|
|
|
}
|