Merge pull request #275 from neinteractiveliterature/can-manage-oauth-applications

nbudin · web-flow · commit bbbe7299b21c · 2023-11-04T14:17:53.000-07:00
Implement can_manage_oauth_applications (actual feature doesn't work …
diff --git a/crates/intercode_entities/src/generated/oauth_applications.rs b/crates/intercode_entities/src/generated/oauth_applications.rs
@@ -2,7 +2,7 @@
 
 use sea_orm::entity::prelude::*;
 
-#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq)]
+#[derive(Clone, Debug, PartialEq, DeriveEntityModel, Eq, Default)]
 #[sea_orm(table_name = "oauth_applications")]
 pub struct Model {
   #[sea_orm(primary_key)]
diff --git a/crates/intercode_users/src/partial_objects/ability_users_fields.rs b/crates/intercode_users/src/partial_objects/ability_users_fields.rs
@@ -1,7 +1,7 @@
 use std::sync::Arc;
 
 use async_graphql::*;
-use intercode_entities::{staff_positions, user_con_profiles, users};
+use intercode_entities::{oauth_applications, staff_positions, user_con_profiles, users};
 use intercode_graphql_core::{lax_id::LaxId, query_data::QueryData};
 use intercode_graphql_loaders::LoaderManager;
 use intercode_policies::{
@@ -11,7 +11,7 @@ use intercode_policies::{
 };
 use seawater::loaders::ExpectModel;
 
-use crate::policies::{StaffPositionPolicy, UserAction, UserPolicy};
+use crate::policies::{OAuthApplicationPolicy, StaffPositionPolicy, UserAction, UserPolicy};
 
 pub struct AbilityUsersFields {
   authorization_info: Arc<AuthorizationInfo>,
@@ -54,9 +54,16 @@ impl AbilityUsersFields {
 #[Object]
 impl AbilityUsersFields {
   #[graphql(name = "can_manage_oauth_applications")]
-  async fn can_manage_oauth_applications(&self) -> bool {
-    // TODO
-    false
+  async fn can_manage_oauth_applications(&self) -> Result<bool> {
+    let authorization_info = self.authorization_info.as_ref();
+    Ok(
+      OAuthApplicationPolicy::action_permitted(
+        authorization_info,
+        &ReadManageAction::Manage,
+        &oauth_applications::Model::default(),
+      )
+      .await?,
+    )
   }
 
   #[graphql(name = "can_manage_staff_positions")]
diff --git a/crates/intercode_users/src/policies/mod.rs b/crates/intercode_users/src/policies/mod.rs
@@ -1,5 +1,7 @@
+mod oauth_application_policy;
 mod staff_position_policy;
 mod user_policy;
 
+pub use oauth_application_policy::*;
 pub use staff_position_policy::*;
 pub use user_policy::*;
diff --git a/crates/intercode_users/src/policies/oauth_application_policy.rs b/crates/intercode_users/src/policies/oauth_application_policy.rs
@@ -0,0 +1,28 @@
+use axum::async_trait;
+use intercode_entities::oauth_applications;
+use intercode_policies::{AuthorizationInfo, Policy, ReadManageAction};
+use sea_orm::DbErr;
+
+pub struct OAuthApplicationPolicy;
+
+#[async_trait]
+impl Policy<AuthorizationInfo, oauth_applications::Model> for OAuthApplicationPolicy {
+  type Action = ReadManageAction;
+  type Error = DbErr;
+
+  async fn action_permitted(
+    principal: &AuthorizationInfo,
+    action: &ReadManageAction,
+    _resource: &oauth_applications::Model,
+  ) -> Result<bool, Self::Error> {
+    // Only accessible by site admins, and only with a real cookie session (so no oauth_scope)
+    if principal.oauth_scope.is_some() {
+      return Ok(false);
+    }
+
+    match action {
+      ReadManageAction::Read => Ok(principal.site_admin_read()),
+      ReadManageAction::Manage => Ok(principal.site_admin_manage()),
+    }
+  }
+}
