diff --git a/src/Gargantext/API.hs b/src/Gargantext/API.hs
index 7621c1dd325249a2f80fe3f7a11f19d316ceaab6..d6e4585f096f2c43ee3c20d0cade1ffe2529bb1f 100644
--- a/src/Gargantext/API.hs
+++ b/src/Gargantext/API.hs
@@ -248,10 +248,12 @@ type GargAPI' =
 :> QueryParam "limit" Int
 :> QueryParam "order" OrderBy
 :> SearchAPI
-
+
+ -- TODO move to NodeAPI?
 :<|> "graph" :> Summary "Graph endpoint"
 :> Capture "id" NodeId :> GraphAPI
-
+
+ -- TODO move to NodeAPI?
 -- Tree endpoint
 :<|> "tree" :> Summary "Tree endpoint"
 :> Capture "id" NodeId :> TreeAPI
diff --git a/src/Gargantext/API/Count.hs b/src/Gargantext/API/Count.hs
index 3fddf7f2bb7e165ba0f5f9c54d03f0f62f89b585..b1d454a8cb82078ba29ada714d82d6ef325b0e7b 100644
--- a/src/Gargantext/API/Count.hs
+++ b/src/Gargantext/API/Count.hs
@@ -44,6 +44,8 @@ import Gargantext.Prelude
 import Gargantext.Core.Utils.Prefix (unPrefix)
 -----------------------------------------------------------------------
+-- TODO-ACCESS: CanCount
+-- TODO-EVENTS: No events as this is a read only query.
 type CountAPI = Post '[JSON] Counts
 -----------------------------------------------------------------------
diff --git a/src/Gargantext/API/Node.hs b/src/Gargantext/API/Node.hs
index 30762c86ff89097d6afbed863b11a02c5e46aa93..7b09bb1a72507aae7dcdc93f3335892820d945f9 100644
--- a/src/Gargantext/API/Node.hs
+++ b/src/Gargantext/API/Node.hs
@@ -75,7 +75,11 @@ import Test.QuickCheck.Arbitrary (Arbitrary, arbitrary)
 type GargServer api = forall env m. CmdM env ServantErr m => ServerT api m
 -------------------------------------------------------------------
--- | TODO : access by admin only
+-- TODO-ACCESS: access by admin only.
+-- At first let's just have an isAdmin check.
+-- Later: check userId CanDeleteNodes Nothing
+-- TODO-EVENTS: DeletedNodes [NodeId]
+-- {"tag": "DeletedNodes", "nodes": [Int*]}
 type NodesAPI = Delete '[JSON] Int
 -- | Delete Nodes
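Review bot: The two new `-- TODO move to NodeAPI?` markers give no reason, and the reason is access control: `graph` and `tree` take `Capture "id" NodeId` directly here, so a CanGetNode check attached to NodeAPI's handlers would not run for them unless they are moved or checked separately. Suggest recording that so the move is not later dropped as cosmetic, e.g. `-- TODO move to NodeAPI? (so the CanGetNode check on NodeAPI also covers graph/tree)`. Both changed spots are inside the `type GargAPI'` declaration, which starts before and continues past this hunk.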
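Review bot: `-- TODO-ACCESS: CanCount` names a capability with no subject or object, whereas the Search.hs annotation in this same commit asks whether searching is simply CanGetNode on a node; a count over nodes or documents the caller cannot read still leaks their existence and cardinality, so the check needs a scope. Suggest writing it the way the RenameApi annotation does, e.g. `-- TODO-ACCESS: check userId CanCount <scope> (must not count over nodes the user cannot read)`; what the count ranges over is not visible in this hunk, so whoever knows the Counts body should fill in the scope. The read-only note is correct as a statement about server state, but CountAPI is a `Post`, so any generic "POST mutates" handling elsewhere should not be assumed to apply.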
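Review bot: The annotation documents an admin-only check for `NodesAPI = Delete '[JSON] Int`, but nothing in this diff enforces it: the context line at the head of the next hunk, `nodesAPI ids = deleteNodes ids`, passes the caller-supplied id list straight through. Whether a request-level auth middleware guards the route is not visible here; if it does not, a bulk delete of arbitrary NodeIds is the highest-impact gap in this annotation set and the comment should say so plainly so the TODO is prioritised, e.g. `-- WARNING: not enforced yet; this endpoint currently deletes any NodeId list it is given.` The `{"tag": "DeletedNodes", "nodes": [Int*]}` example fixes an event wire format inside a comment; if it is meant as a contract, note where the event type will live so the two do not drift.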
@@ -85,8 +89,13 @@ nodesAPI :: [NodeId] -> GargServer NodesAPI
 nodesAPI ids = deleteNodes ids
 ------------------------------------------------------------------------
--- | TODO: access by admin only
--- To manager the Users roots
+-- | TODO-ACCESS: access by admin only.
+-- At first let's just have an isAdmin check.
+-- Later: CanAccessAnyNode or (CanGetAnyNode, CanPutAnyNode)
+-- To manage the Users roots
+-- TODO-EVENTS:
+-- PutNode ?
+-- TODO needs design discussion.
 type Roots = Get '[JSON] [NodeAny]
 :<|> Put '[JSON] Int -- TODO
@@ -97,10 +106,21 @@ roots = (liftIO (putStrLn ( "/user" :: Text)) >> getNodesWithParentId 0 Nothing)
 -------------------------------------------------------------------
 -- | Node API Types management
--- TODO : access by users
+-- TODO-ACCESS : access by users
+-- No ownership check is needed if we strictly follow the capability model.
+--
+-- CanGetNode (Node, Children, TableApi, TableNgramsApiGet, PairingApi, ChartApi,
+-- SearchAPI)
+-- CanRenameNode (or part of CanEditNode?)
+-- CanCreateChildren (PostNodeApi)
+-- CanEditNode / CanPutNode TODO not implemented yet
+-- CanDeleteNode
+-- CanPatch (TableNgramsApi)
+-- CanFavorite
+-- CanMoveToTrash
 type NodeAPI a = Get '[JSON] (Node a)
 :<|> "rename" :> RenameApi
- :<|> PostNodeApi
+ :<|> PostNodeApi -- TODO move to children POST
 :<|> Put '[JSON] Int
 :<|> Delete '[JSON] Int
 :<|> "children" :> ChildrenApi a
@@ -121,6 +141,8 @@ type NodeAPI a = Get '[JSON] (Node a)
 :> QueryParam "order" OrderBy
 :> SearchAPI
+-- TODO-ACCESS: check userId CanRenameNode nodeId
+-- TODO-EVENTS: NodeRenamed RenameNode or re-use some more general NodeEdited...
 type RenameApi = Summary " Rename Node"
 :> ReqBody '[JSON] RenameNode
 :> Put '[JSON] [Int]
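Review bot: The Roots annotation says admin-only, but the context line heading the next hunk shows `roots = (liftIO (putStrLn ( "/user" :: Text)) >> getNodesWithParentId 0 Nothing)`, i.e. the Get side lists every root (parent 0) with no user argument, and the Put side is still just `-- TODO`. It is worth stating that the current implementation is unscoped so nobody reads "CanGetAnyNode" as something already narrowed, e.g. `-- Currently unscoped: GET returns every user's root; PUT is unimplemented.` The `putStrLn "/user"` on that same line is debug output to stdout on every call of the handler and should not survive into the change that adds the check; it is outside this hunk but deserves a TODO of its own.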
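Review bot: `-- No ownership check is needed if we strictly follow the capability model.` only holds if a NodeId is an unguessable capability, and this commit's own `"nodes": [Int*]` example in the NodesAPI annotation suggests NodeId serialises as a plain integer; integer ids are enumerable, so possession of an id is not proof of authority and every `CanXxx` listed here still has to be evaluated against a (userId, nodeId) permission lookup. Suggest stating the precondition, `-- No separate ownership check is needed only if every CanXxx below is checked against (userId, nodeId); a NodeId by itself is not a capability.` The tag is also spelled `TODO-ACCESS :` here and `TODO-ACCESS:` elsewhere in the commit; if these markers are meant to be grepped for tracking, keep one spelling. The `type NodeAPI a` declaration continues past this hunk.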
@@ -248,6 +270,8 @@ type ChartApi = Summary " Chart API"
 -- :<|> "query" :> Capture "string" Text :> Get '[JSON] Text
 ------------------------------------------------------------------------
+-- TODO-ACCESS: CanGetNode
+-- TODO-EVENTS: No events as this is a read only query.
 type GraphAPI = Get '[JSON] Graph
 graphAPI :: NodeId -> GargServer GraphAPI
@@ -302,6 +326,8 @@ instance HasTreeError ServantErr where
 mk TooManyRoots = err500 { errBody = e <> "Too many root nodes" }
 type TreeAPI = Get '[JSON] (Tree NodeTree)
+-- TODO-ACCESS: CanTree or CanGetNode
+-- TODO-EVENTS: No events as this is a read only query.
 treeAPI :: NodeId -> GargServer TreeAPI
 treeAPI = treeDB
diff --git a/src/Gargantext/API/Search.hs b/src/Gargantext/API/Search.hs
index 5fbc25879aae867b65b2d4587862206bce10b837..f1ca4c06e75b1c5cd6316b88be21629358eb5167 100644
--- a/src/Gargantext/API/Search.hs
+++ b/src/Gargantext/API/Search.hs
@@ -85,6 +85,8 @@ instance ToSchema SearchResults where
 defaultSchemaOptions {fieldLabelModifier = \fieldLabel -> drop 4 fieldLabel}
 -----------------------------------------------------------------------
+-- TODO-ACCESS: CanSearch? or is it part of CanGetNode
+-- TODO-EVENTS: No event, this is a read-only query.
 type SearchAPI = Post '[JSON] SearchResults
 -----------------------------------------------------------------------
diff --git a/src/Gargantext/Database/Flow.hs b/src/Gargantext/Database/Flow.hs
index 187a54ed088eb4ce2f64a2fd87d48ad64f0c06e5..7d1baf18e723bf409f6a891ce9401ab14807551b 100644
--- a/src/Gargantext/Database/Flow.hs
+++ b/src/Gargantext/Database/Flow.hs
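Review bot: `-- TODO-ACCESS: CanGetNode` omits the subject and object that the RenameApi annotation in this commit spells out (`check userId CanRenameNode nodeId`); since `graphAPI :: NodeId -> GargServer GraphAPI` receives the captured id, the check has an obvious object and should be written the same way, `-- TODO-ACCESS: check userId CanGetNode nodeId`. Because `graph` is mounted at the top level of GargAPI' rather than under NodeAPI (see the API.hs hunk), this endpoint will not inherit whatever check is later attached to NodeAPI and needs its own. graphAPI's body lies outside this hunk.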
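Review bot: The TreeAPI annotation is placed after `type TreeAPI = ...` and before `treeAPI ::`, unlike every other TODO-ACCESS in this commit, which precedes the type; uniform placement matters if the tags are to be found by grep. On substance, `CanTree or CanGetNode` checked on the captured id is only sufficient if read access on a node implies read access on its whole subtree, since `treeAPI = treeDB` returns a `Tree NodeTree` of descendants; suggest recording that assumption, `-- TODO-ACCESS: check userId CanGetNode nodeId (assumes read access is inherited by all descendants; otherwise the tree must be filtered per node)`.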
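Review bot: `-- TODO-ACCESS: CanSearch? or is it part of CanGetNode` asks a question the Node.hs hunk of this same commit already answers by listing SearchAPI under CanGetNode; the two annotations should agree so a later implementer does not pick different answers. Suggest `-- TODO-ACCESS: check userId CanGetNode nodeId (SearchAPI is listed under CanGetNode in API.Node)`. SearchAPI is also reachable from the top level of GargAPI' (API.hs hunk); whether that mount captures a node id is outside the visible lines, so that path needs its own scoping decision.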
@@ -97,7 +97,13 @@ flowInsertAnnuaire name children = do
 pure (ids, masterUserId, masterCorpusId, userId, userCorpusId)
-
+-- TODO-ACCESS:
+-- check userId CanFillUserCorpus userCorpusId
+-- check masterUserId CanFillMasterCorpus masterCorpusId
+--
+-- TODO-EVENTS:
+-- InsertedNgrams ?
+-- InsertedNodeNgrams ?
 flowCorpus' :: HasNodeError err
 => NodeType -> [HyperdataDocument]
 -> ([ReturnId], UserId, CorpusId, UserId, CorpusId)
diff --git a/src/Gargantext/Database/Node/Document/Insert.hs b/src/Gargantext/Database/Node/Document/Insert.hs
index c93337686302fb41034167340e5976a4d1030824..9783c8864df0c9176f20ca754ff8e69b0de7d2f1 100644
--- a/src/Gargantext/Database/Node/Document/Insert.hs
+++ b/src/Gargantext/Database/Node/Document/Insert.hs
@@ -113,6 +113,8 @@ import Database.PostgreSQL.Simple (formatQuery)
 data ToDbData = ToDbDocument HyperdataDocument
 | ToDbContact HyperdataContact
+-- TODO-ACCESS: check uId CanInsertDoc pId && checkDocType nodeType
+-- TODO-EVENTS: InsertedNodes
 insertDocuments :: UserId -> ParentId -> NodeType -> [ToDbData] -> Cmd err [ReturnId]
 insertDocuments uId pId nodeType = runPGSQuery queryInsert . Only . Values fields . prepare uId pId nodeType
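Review bot: The new checks `check userId CanFillUserCorpus userCorpusId` and `check masterUserId CanFillMasterCorpus masterCorpusId` list the pairs in the opposite order from the tuple they will be read from: the context line `pure (ids, masterUserId, masterCorpusId, userId, userCorpusId)` and the signature `([ReturnId], UserId, CorpusId, UserId, CorpusId)` put master first, and two same-typed `UserId`/`CorpusId` positions are easy to swap, which would check the master user against the user corpus. Suggest pinning the positions in the comment, `-- tuple order is (ids, masterUserId, masterCorpusId, userId, userCorpusId)`, or better, turning the tuple into a record so a check cannot be applied to the wrong pair. The flowCorpus' signature and body continue past this hunk.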
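Review bot: `check uId CanInsertDoc pId` would check the `uId` parameter, but that value is supplied by the caller and is also stamped onto the inserted rows through `prepare uId pId nodeType`; if the check is done at this layer with the passed-in id rather than the authenticated principal, a caller that passes someone else's UserId both satisfies the check and attributes the documents to that user. Suggest saying where the subject must come from, `-- TODO-ACCESS: the check must use the authenticated user, not the uId argument; uId is only what gets recorded on the rows`, and performing it in the API layer that knows the principal, consistent with the Ngrams.hs note in this commit that moves checks to the caller. `checkDocType nodeType` is not a function visible here; if it does not exist yet, mark it as a name to be created. The insert itself is built with `Values fields` parameters rather than string concatenation, which is the right shape.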
@@ -193,9 +193,11 @@ indexNgramsTWith = fmap . indexNgramsWith
 indexNgramsWith :: (NgramsTerms -> NgramsId) -> Ngrams -> NgramsIndexed
 indexNgramsWith f n = NgramsIndexed n (f $ _ngramsTerms n)
+-- TODO-ACCESS: access must not be checked here but when insertNgrams is called.
 insertNgrams :: [Ngrams] -> Cmd err (Map NgramsTerms NgramsId)
 insertNgrams ns = fromList <$> map (\(NgramIds i t) -> (t, i)) <$> (insertNgrams' ns)
+-- TODO-ACCESS: access must not be checked here but when insertNgrams' is called.
 insertNgrams' :: [Ngrams] -> Cmd err [NgramIds]
 insertNgrams' ns = runPGSQuery queryInsertNgrams (PGS.Only $ Values fields ns)
 where
diff --git a/src/Gargantext/Database/Schema/NodeNgram.hs b/src/Gargantext/Database/Schema/NodeNgram.hs
index 4e3f1fee10c3cc21237521f1b50aa1c8cbb63591..ce917fe999ee8884c37e1b83df45704a230f4e3a 100644
--- a/src/Gargantext/Database/Schema/NodeNgram.hs
+++ b/src/Gargantext/Database/Schema/NodeNgram.hs
@@ -288,6 +288,8 @@ data NodeNgramsUpdate = NodeNgramsUpdate
 }
 -- TODO wrap these updates in a transaction.
+-- TODO-ACCESS:
+-- * check userId CanUpdateNgrams userListId
 updateNodeNgrams :: NodeNgramsUpdate -> Cmd err ()
 updateNodeNgrams nnu = do
 updateNodeNgrams' userListId $ _nnu_lists_update nnu
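Review bot: Both new notes say access "must not be checked here but when ... is called", which hands the obligation to every caller without saying what they must check; `insertNgrams'` is the function that actually runs `queryInsertNgrams`, and a caller that forgets gets no signal from either comment. Suggest naming the required capability so call sites can be audited, e.g. `-- TODO-ACCESS: callers must verify the user may fill the target corpus/list before calling this (cf. CanFillUserCorpus in Database.Flow)`; the Flow.hs hunk of this commit is the only caller-side annotation visible. Whether ngrams inserted by one user become visible to others through a shared table is not determinable from this hunk, but if so it belongs in the same comment.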
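Review bot: The new `check userId CanUpdateNgrams userListId` sits beside the pre-existing `-- TODO wrap these updates in a transaction.`, and the two are coupled: the check must run before the first write, `updateNodeNgrams' userListId $ _nnu_lists_update nnu`, and once the transaction exists it should run inside it, otherwise a check that fails after a partial update leaves writes behind. Suggest folding that into the note, `-- TODO-ACCESS: check userId CanUpdateNgrams userListId before any write below (inside the transaction once it exists)`. Where `userListId` is bound, and the rest of updateNodeNgrams' body, are outside this hunk; the `* ` bullet style here also differs from the other TODO-ACCESS annotations in the commit.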