Protect the TreeAPI

fb894d00 · Alfredo Di Napoli · 4e054277 · fb894d00 · fb894d00 · fb894d00
Commit fb894d00 authored Oct 02, 2023 by Alfredo Di Napoli
Hide whitespace changes
Inline Side-by-side

Showing with 23 additions and 5 deletions

Auth.hs src/Gargantext/API/Admin/Auth.hs +17 -0

Routes.hs src/Gargantext/API/Routes.hs +5 -4

Private.hs test/Test/API/Private.hs +1 -1

No files found.
--- a/src/Gargantext/API/Admin/Auth.hs
+++ b/src/Gargantext/API/Admin/Auth.hs
@@ -31,6 +31,7 @@ And you have the main viz
 module Gargantext.API.Admin.Auth
  ( auth
  , withPolicy
+  , withPolicyT
  , forgotPassword
  , forgotPasswordAsync
  , withAccess
@@ -177,6 +178,22 @@ withPolicy ur checks m mgr = case mgr of
      Allow     -> m
      Deny err  -> throwError $ GargServerError $ err

+withPolicyT :: forall env m api. (
+                 GargServerC env GargError m
+               , HasServer api '[]
+               )
+            => Proxy api
+            -> Proxy m
+            -> AuthenticatedUser
+            -> BoolExpr AccessCheck
+            -> ServerT api m
+            -> AccessPolicyManager
+            -> ServerT api m
+withPolicyT p _ ur checks m0 mgr = hoistServer p f m0
+  where
+    f :: forall a. m a -> m a
+    f m = withPolicy ur checks m mgr
+
 {- | Collaborative Schema
 User at his root can create Teams Folder
 User can create Team in Teams Folder.

--- a/src/Gargantext/API/Routes.hs
+++ b/src/Gargantext/API/Routes.hs
@@ -14,6 +14,7 @@ Portability : POSIX
 {-# LANGUAGE ScopedTypeVariables  #-}
 {-# LANGUAGE TypeFamilies         #-}
 {-# LANGUAGE TypeOperators        #-}
+{-# LANGUAGE TypeApplications     #-}

 module Gargantext.API.Routes
      where
@@ -27,7 +28,7 @@ import Servant.Auth as SA
 import Servant.Auth.Swagger ()
 import Servant.Swagger.UI

-import Gargantext.API.Admin.Auth (ForgotPasswordAPI, ForgotPasswordAsyncAPI, withAccess)
+import Gargantext.API.Admin.Auth (ForgotPasswordAPI, ForgotPasswordAsyncAPI, withAccess, withPolicyT)
 import Gargantext.API.Admin.Auth.Types (AuthRequest, AuthResponse, AuthenticatedUser(..), PathId(..))
 import Gargantext.API.Admin.EnvTypes (Env, GargJob(..))
 import Gargantext.API.Admin.FrontEnd (FrontEndAPI)
@@ -55,6 +56,7 @@ import qualified Gargantext.API.Node.Corpus.New            as New
 import qualified Gargantext.API.Node.Document.Export       as DocumentExport
 import qualified Gargantext.API.Node.Document.Export.Types as DocumentExport
 import qualified Gargantext.API.Public                     as Public
+import Gargantext.API.Auth.PolicyCheck


 type GargAPI = MkGargAPI (GargAPIVersion GargAPI')
@@ -170,7 +172,7 @@ type GargPrivateAPI' =
           -- Tree endpoint
           :<|> "tree"    :> Summary "Tree endpoint"
                          :> Capture "tree_id" NodeId
-                          :> TreeAPI
+                          :> PolicyChecked TreeAPI
           -- Flat tree endpoint
           :<|> "treeflat" :> Summary "Flat tree endpoint"
                           :> Capture "tree_id" NodeId
@@ -262,8 +264,7 @@ serverPrivateGargAPI' authenticatedUser@(AuthenticatedUser (NodeId uid))
     :<|> withAccess (Proxy :: Proxy GraphAPI)       Proxy authenticatedUser
          <$> PathNode <*> graphAPI uid -- TODO: mock

-     :<|> withAccess (Proxy :: Proxy TreeAPI)        Proxy authenticatedUser
-          <$> PathNode <*> treeAPI
+     :<|> (\nodeId -> withPolicyT (Proxy @TreeAPI) Proxy authenticatedUser (nodeChecks nodeId) (treeAPI nodeId))

     :<|> withAccess (Proxy :: Proxy TreeFlatAPI)    Proxy authenticatedUser
          <$> PathNode <*> treeFlatAPI

--- a/test/Test/API/Private.hs
+++ b/test/Test/API/Private.hs
@@ -143,4 +143,4 @@ tests = sequential $ aroundAll withTestDBAndPort $ do
        withApplication app $ do
          withValidLogin port "alice" (GargPassword "alice") $ \token -> do
            protected token "GET" (mkUrl port "/tree/1") ""
-              `shouldRespondWith` [json| {} |]
+              `shouldRespondWith` 403