Implementation of basic permission checks.

2016-03-11 14:13:40 +01:00
parent 2c49209b8e
commit 96685d2bed
9 changed files with 128 additions and 11 deletions
@@ -41,6 +41,10 @@ public slots:
                QMessageBox::critical(this, "Database error", msg.toStdString().c_str());
                m_saved = false;
            });
+            this->connect(service(), &IService::permissionDenied, [this](QString permission) {
+                QMessageBox::critical(this, "Permission denied", permission.toStdString().c_str());
+                m_saved = false;
+            });
            this->connect(service(), &IService::dataChanged, [this]() {
                m_saved = true;
            });
@@ -155,7 +155,9 @@ public:

    void setData(QList<QSharedPointer<T> > list)
    {
+        beginResetModel();
        m_list = list;
+        endResetModel();
    }

 protected:
@@ -50,7 +50,8 @@ SOURCES += \
    data/system.cpp \
    settings/globalsettings.cpp \
    settingsform.cpp \
-    settings/globalsettingsform.cpp
+    settings/globalsettingsform.cpp \
+    permissionevaluator.cpp

 HEADERS += core.h\
        core_global.h \
@@ -100,7 +101,8 @@ HEADERS += core.h\
    settings/globalsettings.h \
    settingsform.h \
    settings/globalsettingsform.h \
-    formbinder.h
+    formbinder.h \
+    permissionevaluator.h

 unix {
    target.path = /usr/lib
@@ -60,6 +60,11 @@ void IMetaDataPlugin::init(const QJsonObject &metaData)
    {
        pluginUi->setPluginId(pluginId());
    }
+
+    if (m_service != NULL)
+    {
+        m_service->setPluginId(pluginId());
+    }
 }

 void IMetaDataPlugin::parseMetaData(const QJsonObject &metaData)
@@ -2,11 +2,14 @@

 IService::IService(QObject *parent) : QObject(parent)
 {
-
 }

 IService::~IService()
 {
-
+}
+
+void IService::setPluginId(const QString &pluginId)
+{
+    m_pluginId = pluginId;
 }

@@ -14,6 +14,8 @@ public:
    explicit IService(QObject *parent = 0);
    virtual ~IService();

+    void setPluginId(const QString &pluginId);
+
 signals:
    void dbError(QString errMsg);
    void dbErrorRead(QString errMsg);
@@ -23,8 +25,12 @@ signals:
    void dataChanged();
    void updateDenied();
    void readDenied();
+    void permissionDenied(QString permission);

 public slots:
+
+protected:
+    QString m_pluginId;
 };

 #endif // ISERVICE_H
@@ -0,0 +1,43 @@
+#include "permissionevaluator.h"
+
+#include <QSharedPointer>
+
+#include "data/core-data.h"
+#include "context.h"
+
+PermissionEvaluator::PermissionEvaluator(QObject *parent)
+    :QObject(parent)
+{
+}
+
+PermissionEvaluator::~PermissionEvaluator()
+{   
+}
+
+bool PermissionEvaluator::hasPermission(const QString &pluginId, const QString &permission)
+{
+    if (Context::instance().currentUser()->isAdmin())
+    {
+        return true;
+    }
+
+    bool ret;
+    QList<QSharedPointer<Role> > roles = Context::instance().currentUser()->listRoles();
+
+    ret = std::find_if(ALL(roles), [&pluginId, &permission](QSharedPointer<Role> role) -> bool {
+        foreach (QSharedPointer<Permission> perm, role->listPermissions()) {
+            if (perm->pluginId() == pluginId && perm->permissionName() == permission) {
+                return true;
+            }
+        }
+        return false;
+    }) != roles.end();
+
+    if (!ret)
+    {
+        emit permissionDenied(permission);
+    }
+
+    return ret;
+}
+
@@ -0,0 +1,23 @@
+#ifndef PERMISSIONEVALUATOR_H
+#define PERMISSIONEVALUATOR_H
+
+#include <QObject>
+#include <QString>
+
+#include "core_global.h"
+
+class CORESHARED_EXPORT PermissionEvaluator : public QObject
+{
+    Q_OBJECT
+
+public:
+    explicit PermissionEvaluator(QObject *parent = NULL);
+    ~PermissionEvaluator();
+
+    bool hasPermission(const QString &pluginId, const QString &permission);
+
+signals:
+    void permissionDenied(QString permission);
+};
+
+#endif // PERMISSIONEVALUATOR_H
@@ -13,6 +13,7 @@
 #include "core_global.h"
 #include "context.h"
 #include "iservice.h"
+#include "permissionevaluator.h"

 #include "transaction.h"

@@ -27,12 +28,17 @@ public:
    }

    QList<QSharedPointer<T> > all(const QString &where = "") {
+        QList<QSharedPointer<T> > ret;
+
+        if (!checkPermission(PERM_READ)) {
+            return ret;
+        }
+
        odb::database *db = Context::instance().db();

        Q_ASSERT(db);

        Transaction tx;
-        QList<QSharedPointer<T> > ret;

        try
        {
@@ -62,6 +68,10 @@ public:
    }

    void save(QSharedPointer<T> entity) {
+        if (!checkPermission(PERM_ADD)) {
+            return;
+        }
+
        odb::database *db = Context::instance().db();

        Q_ASSERT(db);
@@ -84,6 +94,10 @@ public:
    }

    void update(QSharedPointer<T> entity) {
+        if (!checkPermission(PERM_EDIT)) {
+            return;
+        }
+
        odb::database *db = Context::instance().db();

        Q_ASSERT(db);
@@ -106,12 +120,17 @@ public:
    }

    QSharedPointer<T> loadById(int id) {
+        QSharedPointer<T> entity;
+
+        if (!checkPermission(PERM_READ)) {
+            return entity;
+        }
+
        odb::database *db = Context::instance().db();

        Q_ASSERT(db);

        Transaction tx;
-        QSharedPointer<T> entity;

        try
        {
@@ -137,6 +156,10 @@ public:
    }

    void erase(QSharedPointer<T> entity) {
+        if (!checkPermission(PERM_DELETE)) {
+            return;
+        }
+
        odb::database *db = Context::instance().db();

        Q_ASSERT(db);
@@ -155,12 +178,18 @@ public:
        }
    }

-    void setPluginId(const QString &pluginId) {
-        m_pluginId = pluginId;
-    }
+protected:
+    bool checkPermission(const QString &permission) {
+        if (!m_pluginId.isEmpty()) {
+            PermissionEvaluator ev;
+            if (!ev.hasPermission(m_pluginId, permission)) {
+                emit permissionDenied(permission);
+                return false;
+            }
+        }

-private:
-    QString m_pluginId;
+        return true;
+    }
 };

 #endif // SERVICE_H