package database import ( "database/sql" "time" "github.com/drone/drone/shared/model" "github.com/russross/meddler" ) type PermManager interface { // Grant will grant the user read, write and admin persmissions // to the specified repository. Grant(u *model.User, r *model.Repo, read, write, admin bool) error // Revoke will revoke all user permissions to the specified repository. Revoke(u *model.User, r *model.Repo) error // Find returns the user's permission to access the specified repository. Find(u *model.User, r *model.Repo) *model.Perm // Read returns true if the specified user has read // access to the repository. Read(u *model.User, r *model.Repo) (bool, error) // Write returns true if the specified user has write // access to the repository. Write(u *model.User, r *model.Repo) (bool, error) // Admin returns true if the specified user is an // administrator of the repository. Admin(u *model.User, r *model.Repo) (bool, error) // Member returns true if the specified user is a // collaborator on the repository. Member(u *model.User, r *model.Repo) (bool, error) } // permManager manages user permissions to access repositories. type permManager struct { *sql.DB } // SQL query to retrieve a user's permission to // access a repository. const findPermQuery = ` SELECT * FROM perms WHERE user_id=? AND repo_id=? LIMIT 1 ` // SQL statement to delete a permission. const deletePermStmt = ` DELETE FROM perms WHERE user_id=? AND repo_id=? ` // NewManager initiales a new PermManager intended to // manage user permission and access control. func NewPermManager(db *sql.DB) PermManager { return &permManager{db} } // Grant will grant the user read, write and admin persmissions // to the specified repository. func (db *permManager) Grant(u *model.User, r *model.Repo, read, write, admin bool) error { // attempt to get existing permissions from the database perm, err := db.find(u, r) if err != nil && err != sql.ErrNoRows { return err } // if this is a new permission set the user ID, // repository ID and created timestamp. if perm.ID == 0 { perm.UserID = u.ID perm.RepoID = r.ID perm.Created = time.Now().Unix() } // set all the permission values perm.Read = read perm.Write = write perm.Admin = admin perm.Updated = time.Now().Unix() // update the database return meddler.Save(db, "perms", perm) } // Revoke will revoke all user permissions to the specified repository. func (db *permManager) Revoke(u *model.User, r *model.Repo) error { _, err := db.Exec(deletePermStmt, u.ID, r.ID) return err } func (db *permManager) Find(u *model.User, r *model.Repo) *model.Perm { // if the user is a gues they should only be granted // read access to public repositories. switch { case u == nil && r.Private: return &model.Perm{ Read: false, Write: false, Admin: false} case u == nil && !r.Private: return &model.Perm{ Read: true, Write: false, Admin: false} } // if the user is authenticated we'll retireive the // permission details from the database. perm, err := db.find(u, r) if err != nil { return perm } switch { // if the user is a system admin grant super access. case u.Admin == true: perm.Read = true perm.Write = true perm.Admin = true // if the repo is public, grant read access only. case r.Private == false: perm.Read = true } return perm } func (db *permManager) Read(u *model.User, r *model.Repo) (bool, error) { switch { // if the repo is public, grant access. case r.Private == false: return true, nil // if the repo is private and the user is nil, deny access case r.Private == true && u == nil: return false, nil // if the user is a system admin, grant access case u.Admin == true: return true, nil } // get the permissions from the database perm, err := db.find(u, r) return perm.Read, err } func (db *permManager) Write(u *model.User, r *model.Repo) (bool, error) { switch { // if the user is nil, deny access case u == nil: return false, nil // if the user is a system admin, grant access case u.Admin == true: return true, nil } // get the permissions from the database perm, err := db.find(u, r) return perm.Write, err } func (db *permManager) Admin(u *model.User, r *model.Repo) (bool, error) { switch { // if the user is nil, deny access case u == nil: return false, nil // if the user is a system admin, grant access case u.Admin == true: return true, nil } // get the permissions from the database perm, err := db.find(u, r) return perm.Admin, err } func (db *permManager) Member(u *model.User, r *model.Repo) (bool, error) { switch { // if the user is nil, deny access case u == nil: return false, nil case u.ID == r.UserID: return true, nil } // get the permissions from the database perm, err := db.find(u, r) return perm.Read, err } func (db *permManager) find(u *model.User, r *model.Repo) (*model.Perm, error) { var dst = model.Perm{} var err = meddler.QueryRow(db, &dst, findPermQuery, u.ID, r.ID) return &dst, err }