fix(resources): check edit permission level

Author: ycdzj

src/permissions/permission-level.enum.ts

@@ -5,3 +5,18 @@ export enum PermissionLevel {
   CAN_EDIT = 'can_edit',
   FULL_ACCESS = 'full_access',
 }
+
+const order = [
+  PermissionLevel.NO_ACCESS,
+  PermissionLevel.CAN_VIEW,
+  PermissionLevel.CAN_COMMENT,
+  PermissionLevel.CAN_EDIT,
+  PermissionLevel.FULL_ACCESS,
+];
+
+export function comparePermissionLevel(
+  a: PermissionLevel,
+  b: PermissionLevel,
+): number {
+  return order.indexOf(a) - order.indexOf(b);
+}

src/permissions/permissions.service.ts

@@ -4,7 +4,10 @@ import { DataSource, EntityManager, IsNull, Repository } from 'typeorm';
 import { PermissionDto } from './dto/permission.dto';
 import { ListRespDto, UserPermissionDto } from './dto/list-resp.dto';
 import { plainToInstance } from 'class-transformer';
-import { PermissionLevel } from './permission-level.enum';
+import {
+  comparePermissionLevel,
+  PermissionLevel,
+} from './permission-level.enum';
 import { UserPermission } from './entities/user-permission.entity';
 import { GroupPermission } from './entities/group-permission.entity';
 import { Resource } from 'src/resources/resources.entity';
@@ -334,20 +337,21 @@ export class PermissionsService {
     namespaceId: string,
     resourceId: string,
     userId: string,
+    level: PermissionLevel = PermissionLevel.CAN_VIEW,
   ) {
     const globalLevel = await this.getGlobalPermissionLevel(
       namespaceId,
       resourceId,
     );
-    if (globalLevel != PermissionLevel.NO_ACCESS) {
+    if (comparePermissionLevel(globalLevel, level) >= 0) {
       return true;
     }
     const userPermi = await this.getUserPermission(
       namespaceId,
       resourceId,
       userId,
     );
-    if (userPermi.level != PermissionLevel.NO_ACCESS) {
+    if (comparePermissionLevel(userPermi.level, level) >= 0) {
       return true;
     }
     const groups = await this.groupUserRepository.find({
@@ -363,7 +367,7 @@ export class PermissionsService {
         resourceId,
         group.group.id,
       );
-      if (groupLevel != PermissionLevel.NO_ACCESS) {
+      if (comparePermissionLevel(groupLevel, level) >= 0) {
         return true;
       }
     }

src/resources/resources.controller.ts

@@ -84,7 +84,14 @@ export class ResourcesController {
     if (!hasPermission) {
       throw new ForbiddenException('Not authorized');
     }
-    return await this.resourcesService.get(resourceId);
+    const canEdit = await this.permissionsService.userHasPermission(
+      namespaceId,
+      resourceId,
+      req.user.id,
+      PermissionLevel.CAN_EDIT,
+    );
+    const resource = await this.resourcesService.get(resourceId);
+    return { ...resource, canEdit };
   }
 
   @Patch(':resourceId')
@@ -98,6 +105,7 @@ export class ResourcesController {
       namespaceId,
       resourceId,
       req.user.id,
+      PermissionLevel.CAN_EDIT,
     );
     if (!hasPermission) {
       throw new ForbiddenException('Not authorized');
@@ -115,6 +123,7 @@ export class ResourcesController {
       namespaceId,
       resourceId,
       req.user.id,
+      PermissionLevel.CAN_EDIT,
     );
     if (!hasPermission) {
       throw new ForbiddenException('Not authorized');