woodpecker/server/resource/perm/manager.go

package perm

import (
	"database/sql"
	"time"

	"github.com/drone/drone/server/resource/repo"
	"github.com/drone/drone/server/resource/user"
	"github.com/russross/meddler"
)

type PermManager interface {
	// Grant will grant the user read, write and admin persmissions
	// to the specified repository.
	Grant(u *user.User, r *repo.Repo, read, write, admin bool) error

	// Revoke will revoke all user permissions to the specified repository.
	Revoke(u *user.User, r *repo.Repo) error

	// Read returns true if the specified user has read
	// access to the repository.
	Read(u *user.User, r *repo.Repo) (bool, error)

	// Write returns true if the specified user has write
	// access to the repository.
	Write(u *user.User, r *repo.Repo) (bool, error)

	// Admin returns true if the specified user is an
	// administrator of the repository.
	Admin(u *user.User, r *repo.Repo) (bool, error)
}

// permManager manages user permissions to access repositories.
type permManager struct {
	*sql.DB
}

// SQL query to retrieve a user's permission to
// access a repository.
const findQuery = `
SELECT *
FROM perms
WHERE user_id=?
AND   repo_id=?
LIMIT 1
`

// SQL statement to delete a permission.
const deleteStmt = `
DELETE FROM perms WHERE user_id=? AND repo_id=?
`

// NewManager initiales a new PermManager intended to
// manage user permission and access control.
func NewManager(db *sql.DB) PermManager {
	return &permManager{db}
}

// Grant will grant the user read, write and admin persmissions
// to the specified repository.
func (db *permManager) Grant(u *user.User, r *repo.Repo, read, write, admin bool) error {
	// attempt to get existing permissions from the database
	perm, err := db.find(u, r)
	if err != nil && err != sql.ErrNoRows {
		return err
	}

	// if this is a new permission set the user ID,
	// repository ID and created timestamp.
	if perm.ID == 0 {
		perm.UserID = u.ID
		perm.RepoID = r.ID
		perm.Created = time.Now().Unix()
	}

	// set all the permission values
	perm.Read = read
	perm.Write = write
	perm.Admin = admin
	perm.Updated = time.Now().Unix()

	// update the database
	return meddler.Save(db, "perms", perm)
}

// Revoke will revoke all user permissions to the specified repository.
func (db *permManager) Revoke(u *user.User, r *repo.Repo) error {
	_, err := db.Exec(deleteStmt, u.ID, r.ID)
	return err
}

func (db *permManager) Read(u *user.User, r *repo.Repo) (bool, error) {
	switch {
	// if the repo is public, grant access.
	case r.Private == false:
		return true, nil
	// if the repo is private and the user is nil, deny access
	case r.Private == true && u == nil:
		return false, nil
	// if the user is a system admin, grant access
	case u.Admin == true:
		return true, nil
	}

	// get the permissions from the database
	perm, err := db.find(u, r)
	return perm.Read, err
}

func (db *permManager) Write(u *user.User, r *repo.Repo) (bool, error) {
	switch {
	// if the user is nil, deny access
	case u == nil:
		return false, nil
	// if the user is a system admin, grant access
	case u.Admin == true:
		return true, nil
	}

	// get the permissions from the database
	perm, err := db.find(u, r)
	return perm.Write, err
}

func (db *permManager) Admin(u *user.User, r *repo.Repo) (bool, error) {
	switch {
	// if the user is nil, deny access
	case u == nil:
		return false, nil
	// if the user is a system admin, grant access
	case u.Admin == true:
		return true, nil
	}

	// get the permissions from the database
	perm, err := db.find(u, r)
	return perm.Admin, err
}

func (db *permManager) find(u *user.User, r *repo.Repo) (*perm, error) {
	var dst = perm{}
	var err = meddler.QueryRow(db, &dst, findQuery, u.ID, r.ID)
	return &dst, err
}