adds test; permissions fix

modrinth · Nov 18, 2023 · 358e13f · 358e13f
1 parent 74973e7
commit 358e13f
Show file tree

Hide file tree

Showing 4 changed files with 289 additions and 27 deletions.
diff --git a/src/routes/v3/analytics_get.rs b/src/routes/v3/analytics_get.rs
@@ -1,8 +1,10 @@
 use super::ApiError;
+use crate::database;
 use crate::database::redis::RedisPool;
+use crate::models::teams::ProjectPermissions;
 use crate::{
-    auth::{filter_authorized_projects, filter_authorized_versions, get_user_from_headers},
-    database::models::{project_item, user_item, version_item},
+    auth::get_user_from_headers,
+    database::models::user_item,
     models::{
         ids::{
             base62_impl::{parse_base62, to_base62},
@@ -351,23 +353,24 @@ pub async fn revenue_get(
         .try_into()
         .map_err(|_| ApiError::InvalidInput("Invalid resolution_minutes".to_string()))?;
     // Get the revenue data
+    let project_ids = project_ids.unwrap_or_default();
     let payouts_values = sqlx::query!(
         "
         SELECT mod_id, SUM(amount) amount_sum, DATE_BIN($4::interval, created, TIMESTAMP '2001-01-01') AS interval_start
         FROM payouts_values
         WHERE mod_id = ANY($1) AND created BETWEEN $2 AND $3
         GROUP by mod_id, interval_start ORDER BY interval_start
         ",
-        &project_ids.unwrap_or_default().into_iter().map(|x| x.0 as i64).collect::<Vec<_>>(),
+        &project_ids.iter().map(|x| x.0 as i64).collect::<Vec<_>>(),
         start_date,
         end_date,
         duration,
     )
         .fetch_all(&**pool)
         .await?;
 
-    let mut hm = HashMap::new();
-    for value in payouts_values {
+        let mut hm : HashMap<_, _> = project_ids.into_iter().map(|x| (x.to_string(), HashMap::new())).collect::<HashMap<_, _>>();
+        for value in payouts_values {
         if let Some(mod_id) = value.mod_id {
             if let Some(amount) = value.amount_sum {
                 if let Some(interval_start) = value.interval_start {
@@ -559,10 +562,10 @@ async fn filter_allowed_ids(
         ));
     }
 
-    // If no project_ids or version_ids are provided, we default to all projects the user has access to
+    // If no project_ids or version_ids are provided, we default to all projects the user has *public* access to
     if project_ids.is_none() && version_ids.is_none() {
         project_ids = Some(
-            user_item::User::get_projects(user.id.into(), &***pool, redis)
+            user_item::User::get_projects(user.id.into(), &***pool, &redis)
                 .await?
                 .into_iter()
                 .map(|x| ProjectId::from(x).to_string())
@@ -572,35 +575,142 @@ async fn filter_allowed_ids(
 
     // Convert String list to list of ProjectIds or VersionIds
     // - Filter out unauthorized projects/versions
+    let project_ids = if let Some(project_strings) = project_ids {
+        let projects_data =
+            database::models::Project::get_many(&project_strings,  &***pool, &redis).await?;
 
-    let project_ids = if let Some(project_ids) = project_ids {
-        // Submitted project_ids are filtered by the user's permissions
-        let ids = project_ids
+        let team_ids = projects_data
             .iter()
-            .map(|id| Ok(ProjectId(parse_base62(id)?).into()))
-            .collect::<Result<Vec<_>, ApiError>>()?;
-        let projects = project_item::Project::get_many_ids(&ids, &***pool, redis).await?;
-        let ids: Vec<ProjectId> = filter_authorized_projects(projects, &Some(user.clone()), pool)
-            .await?
-            .into_iter()
-            .map(|x| x.id)
-            .collect::<Vec<_>>();
+            .map(|x| x.inner.team_id)
+            .collect::<Vec<database::models::TeamId>>();
+        let team_members =
+            database::models::TeamMember::get_from_team_full_many(&team_ids, &***pool, &redis).await?;
+
+        let organization_ids = projects_data
+            .iter()
+            .filter_map(|x| x.inner.organization_id)
+            .collect::<Vec<database::models::OrganizationId>>();
+        let organizations =
+            database::models::Organization::get_many_ids(&organization_ids, &***pool, &redis).await?;
+
+        let organization_team_ids = organizations
+            .iter()
+            .map(|x| x.team_id)
+            .collect::<Vec<database::models::TeamId>>();
+        let organization_team_members = database::models::TeamMember::get_from_team_full_many(
+            &organization_team_ids,
+            &***pool,
+            &redis,
+        )
+        .await?;
+
+        let ids = projects_data.into_iter().filter(|project| {
+            let team_member = team_members
+                .iter()
+                .find(|x| x.team_id == project.inner.team_id && x.user_id == user.id.into());
+
+            let organization = project
+                .inner
+                .organization_id
+                .and_then(|oid| organizations.iter().find(|x| x.id == oid));
+
+            let organization_team_member = if let Some(organization) = organization {
+                organization_team_members
+                    .iter()
+                    .find(|x| x.team_id == organization.team_id && x.user_id == user.id.into())
+            } else {
+                None
+            };
+
+            let permissions = ProjectPermissions::get_permissions_by_role(
+                &user.role,
+                &team_member.cloned(),
+                &organization_team_member.cloned(),
+            )
+            .unwrap_or_default();
+
+            permissions.contains(ProjectPermissions::VIEW_ANALYTICS)
+        }).map(|x| x.inner.id.into()).collect::<Vec<_>>();
+
         Some(ids)
     } else {
         None
     };
+
     let version_ids = if let Some(version_ids) = version_ids {
         // Submitted version_ids are filtered by the user's permissions
         let ids = version_ids
             .iter()
             .map(|id| Ok(VersionId(parse_base62(id)?).into()))
             .collect::<Result<Vec<_>, ApiError>>()?;
-        let versions = version_item::Version::get_many(&ids, &***pool, redis).await?;
-        let ids: Vec<VersionId> = filter_authorized_versions(versions, &Some(user), pool)
-            .await?
+        let versions_data =
+            database::models::Version::get_many(&ids, &***pool, &redis).await?;
+        let project_ids = versions_data
+            .iter()
+            .map(|x| x.inner.project_id)
+            .collect::<Vec<database::models::ProjectId>>();
+
+        let projects_data =
+            database::models::Project::get_many_ids(&project_ids,  &***pool, &redis).await?;
+
+        let team_ids = projects_data
+            .iter()
+            .map(|x| x.inner.team_id)
+            .collect::<Vec<database::models::TeamId>>();
+        let team_members =
+            database::models::TeamMember::get_from_team_full_many(&team_ids, &***pool, &redis).await?;
+
+        let organization_ids = projects_data
+            .iter()
+            .filter_map(|x| x.inner.organization_id)
+            .collect::<Vec<database::models::OrganizationId>>();
+        let organizations =
+            database::models::Organization::get_many_ids(&organization_ids, &***pool, &redis).await?;
+
+        let organization_team_ids = organizations
+            .iter().map(|x| x.team_id)
+            .collect::<Vec<database::models::TeamId>>();
+        let organization_team_members = database::models::TeamMember::get_from_team_full_many(
+            &organization_team_ids,
+            &***pool,
+            &redis,
+        )
+        .await?;
+
+        let ids = projects_data.into_iter().filter(|project| {
+            let team_member = team_members
+                .iter()
+                .find(|x| x.team_id == project.inner.team_id && x.user_id == user.id.into());
+
+            let organization = project
+                .inner
+                .organization_id
+                .and_then(|oid| organizations.iter().find(|x| x.id == oid));
+
+            let organization_team_member = if let Some(organization) = organization {
+                organization_team_members
+                    .iter()
+                    .find(|x| x.team_id == organization.team_id && x.user_id == user.id.into())
+            } else {
+                None
+            };
+
+            let permissions = ProjectPermissions::get_permissions_by_role(
+                &user.role,
+                &team_member.cloned(),
+                &organization_team_member.cloned(),
+            )
+            .unwrap_or_default();
+
+            permissions.contains(ProjectPermissions::VIEW_ANALYTICS)
+        }).map(|x| x.inner.id).collect::<Vec<_>>();
+
+        let ids = versions_data
             .into_iter()
-            .map(|x| x.id)
+            .filter(|version| ids.contains(&version.inner.project_id))
+            .map(|x| x.inner.id.into())
             .collect::<Vec<_>>();
+
         Some(ids)
     } else {
         None

diff --git a/tests/analytics.rs b/tests/analytics.rs
@@ -1,8 +1,11 @@
+use actix_web::test;
 use chrono::{DateTime, Duration, Utc};
-use common::database::*;
+use common::permissions::PermissionsTest;
+use common::{database::*, permissions::PermissionsTestContext};
 use common::environment::TestEnvironment;
 use itertools::Itertools;
 use labrinth::models::ids::base62_impl::parse_base62;
+use labrinth::models::teams::ProjectPermissions;
 use rust_decimal::{prelude::ToPrimitive, Decimal};
 
 mod common;
@@ -70,6 +73,7 @@ pub async fn analytics_revenue() {
     let analytics = api
         .get_analytics_revenue_deserialized(
             vec![&alpha_project_id],
+            false,
             None,
             None,
             None,
@@ -99,6 +103,7 @@ pub async fn analytics_revenue() {
     let analytics = api
         .get_analytics_revenue_deserialized(
             vec![&alpha_project_id],
+            false,
             Some(Utc::now() - Duration::days(801)),
             None,
             None,
@@ -133,3 +138,95 @@ fn to_f64_rounded_up(d: Decimal) -> f64 {
 fn to_f64_vec_rounded_up(d: Vec<Decimal>) -> Vec<f64> {
     d.into_iter().map(to_f64_rounded_up).collect_vec()
 }
+
+
+#[actix_rt::test]
+pub async fn permissions_analytics_revenue() {
+    let test_env = TestEnvironment::build(None).await;
+
+    let alpha_project_id = test_env
+        .dummy
+        .as_ref()
+        .unwrap()
+        .project_alpha
+        .project_id
+        .clone();
+    let alpha_version_id = test_env
+        .dummy
+        .as_ref()
+        .unwrap()
+        .project_alpha
+        .version_id
+        .clone();
+    let alpha_team_id = test_env
+        .dummy
+        .as_ref()
+        .unwrap()
+        .project_alpha
+        .team_id
+        .clone();
+
+    let view_analytics = ProjectPermissions::VIEW_ANALYTICS;
+
+    // first, do check with a project
+    let req_gen = |ctx: &PermissionsTestContext| {
+        let projects_string = serde_json::to_string(&vec![ctx.project_id]).unwrap();
+        let projects_string = urlencoding::encode(&projects_string);
+        test::TestRequest::get()
+            .uri(&format!(
+                "/v3/analytics/revenue?project_ids={projects_string}&resolution_minutes=5",
+            ))
+        };
+
+    PermissionsTest::new(&test_env)
+        .with_failure_codes(vec![200, 401])
+        .with_200_json_checks(
+            // On failure, should have 0 projects returned
+            |value : &serde_json::Value| {
+                let value = value.as_object().unwrap();
+                assert_eq!(value.len(), 0);
+            },
+            // On success, should have 1 project returned
+            |value : &serde_json::Value| {
+                let value = value.as_object().unwrap();
+                assert_eq!(value.len(), 1);
+            },
+        )
+        .simple_project_permissions_test(view_analytics, req_gen)
+        .await
+        .unwrap();
+
+    // Now with a version
+    // Need to use alpha
+    let req_gen = |_: &PermissionsTestContext| {
+        let versions_string = serde_json::to_string(&vec![alpha_version_id.clone()]).unwrap();
+        let versions_string = urlencoding::encode(&versions_string);
+        test::TestRequest::get()
+            .uri(&format!(
+                "/v3/analytics/revenue?version_ids={versions_string}&resolution_minutes=5",
+            ))
+        };
+
+    PermissionsTest::new(&test_env)
+        .with_failure_codes(vec![200, 401])
+        .with_existing_project(&alpha_project_id, &alpha_team_id)
+        .with_user(FRIEND_USER_ID, FRIEND_USER_PAT, true)
+        .with_200_json_checks(
+            // On failure, should have 0 versions returned
+            |value : &serde_json::Value| {
+                let value = value.as_object().unwrap();
+                assert_eq!(value.len(), 0);
+            },
+            // On success, should have 1 versions returned
+            |value : &serde_json::Value| {
+                let value = value.as_object().unwrap();
+                assert_eq!(value.len(), 1);
+            },
+        )
+        .simple_project_permissions_test(view_analytics, req_gen)
+        .await
+        .unwrap();
+
+    // Cleanup test db
+    test_env.cleanup().await;
+}
diff --git a/tests/common/api_v3/project.rs b/tests/common/api_v3/project.rs
@@ -204,13 +204,21 @@ impl ApiV3 {
     pub async fn get_analytics_revenue(
         &self,
         id_or_slugs: Vec<&str>,
+        ids_are_version_ids: bool,
         start_date: Option<DateTime<Utc>>,
         end_date: Option<DateTime<Utc>>,
         resolution_minutes: Option<u32>,
         pat: &str,
     ) -> ServiceResponse {
-        let projects_string = serde_json::to_string(&id_or_slugs).unwrap();
-        let projects_string = urlencoding::encode(&projects_string);
+        let pv_string = if ids_are_version_ids {
+            let version_string: String = serde_json::to_string(&id_or_slugs).unwrap();
+            let version_string = urlencoding::encode(&version_string);
+            format!("version_ids={}", version_string)
+        } else {
+            let projects_string: String = serde_json::to_string(&id_or_slugs).unwrap();
+            let projects_string = urlencoding::encode(&projects_string);    
+            format!("project_ids={}", projects_string)
+        };
 
         let mut extra_args = String::new();
         if let Some(start_date) = start_date {
@@ -231,7 +239,7 @@ impl ApiV3 {
 
         let req = test::TestRequest::get()
             .uri(&format!(
-                "/v3/analytics/revenue?{projects_string}{extra_args}",
+                "/v3/analytics/revenue?{pv_string}{extra_args}",
             ))
             .append_header(("Authorization", pat))
             .to_request();
@@ -242,13 +250,21 @@ impl ApiV3 {
     pub async fn get_analytics_revenue_deserialized(
         &self,
         id_or_slugs: Vec<&str>,
+        ids_are_version_ids: bool,
         start_date: Option<DateTime<Utc>>,
         end_date: Option<DateTime<Utc>>,
         resolution_minutes: Option<u32>,
         pat: &str,
     ) -> HashMap<String, HashMap<i64, Decimal>> {
         let resp = self
-            .get_analytics_revenue(id_or_slugs, start_date, end_date, resolution_minutes, pat)
+            .get_analytics_revenue(
+                id_or_slugs,
+                ids_are_version_ids,
+                start_date,
+                end_date,
+                resolution_minutes,
+                pat,
+            )
             .await;
         assert_eq!(resp.status(), 200);
         test::read_body_json(resp).await