Added POST /users/{user}/permissions

2018-04-01 21:03:39 +02:00 · 2018-04-01 21:03:39 +02:00 · ff41604aa2
parent 706011edd6
commit ff41604aa2
4 changed files with 115 additions and 0 deletions
--- a/backend/src/controllers/Permissions.php
+++ b/backend/src/controllers/Permissions.php
@ -41,4 +41,33 @@ class Permissions
            'results' => $results
        ], 200);
    }
+
+    public function postNew(Request $req, Response $res, array $args)
+    {
+        $ac = new \Operations\AccessControl($this->c);
+        if (!$ac->isAdmin($req->getAttribute('userId'))) {
+            $this->logger->info('Non admin user tries to add permissions');
+            return $res->withJson(['error' => 'You must be admin to use this feature'], 403);
+        }
+
+        $body = $req->getParsedBody();
+
+        if (!array_key_exists('domainId', $body)) {
+            $this->logger->debug('One of the required fields is missing');
+            return $res->withJson(['error' => 'One of the required fields is missing'], 422);
+        }
+
+        $user = intval($args['user']);
+
+        $permissions = new \Operations\Permissions($this->c);
+
+        try {
+            $permissions->addPermission($user, $body['domainId']);
+
+            $this->logger->info('Permission was added:', ['by' => $req->getAttribute('userId'), 'user' => $user, 'domain' => $body['domainId']]);
+            return $res->withStatus(204);
+        } catch (\Exceptions\NotFoundException $e) {
+            return $res->withJson(['error' => 'Either domain or user were not found'], 404);
+        }
+    }
 }
--- a/backend/src/operations/Permissions.php
+++ b/backend/src/operations/Permissions.php
@ -65,4 +65,46 @@ class Permissions

        return $data;
    }
+
+    /**
+     * Add a new permission
+     * 
+     * @param   $userId     User id
+     * @param   $domainId   Domain for which access should be granted
+     * 
+     * @return  void
+     */
+    public function addPermission(int $userId, int $domainId) : void
+    {
+        $this->db->beginTransaction();
+
+        $query = $this->db->prepare('SELECT id FROM users WHERE id=:userId');
+        $query->bindValue(':userId', $userId, \PDO::PARAM_INT);
+        $query->execute();
+        if ($query->fetch() === false) {
+            $this->db->rollBack();
+            throw new \Exceptions\NotFoundException();
+        }
+
+        $query = $this->db->prepare('SELECT id FROM domains WHERE id=:domainId');
+        $query->bindValue(':domainId', $domainId, \PDO::PARAM_INT);
+        $query->execute();
+        if ($query->fetch() === false) {
+            $this->db->rollBack();
+            throw new \Exceptions\NotFoundException();
+        }
+
+        $query = $this->db->prepare('SELECT * FROM permissions WHERE domain_id=:domainId AND user_id=:userId');
+        $query->bindValue(':domainId', $domainId, \PDO::PARAM_INT);
+        $query->bindValue(':userId', $userId, \PDO::PARAM_INT);
+        $query->execute();
+        if ($query->fetch() === false) {
+            $query = $this->db->prepare('INSERT INTO permissions (domain_id,user_id) VALUES (:domainId, :userId)');
+            $query->bindValue(':domainId', $domainId, \PDO::PARAM_INT);
+            $query->bindValue(':userId', $userId, \PDO::PARAM_INT);
+            $query->execute();
+        }
+
+        $this->db->commit();
+    }
 }
--- a/backend/src/public/index.php
+++ b/backend/src/public/index.php
@ -49,6 +49,7 @@ $app->group('/v1', function () {
        $this->put('/records/{recordId}/credentials/{credentialId}', '\Controllers\Credentials:put');

        $this->get('/users/{user}/permissions', '\Controllers\Permissions:getList');
+        $this->post('/users/{user}/permissions', '\Controllers\Permissions:postNew');
    })->add('\Middlewares\Authentication');
 });

--- a/backend/test/tests/permissions.js
+++ b/backend/test/tests/permissions.js
@ -33,6 +33,39 @@ test.run(async function () {
            }
        ], 'Get permissions result fail');

+        //Add permission with missing field
+        var res = await req({
+            url: '/users/2/permissions',
+            method: 'post',
+            data: {
+                foo: 100
+            }
+        });
+
+        assert.equal(res.status, 422, 'Add of permission should fail for missing field.');
+
+        //Add permission which exists
+        var res = await req({
+            url: '/users/2/permissions',
+            method: 'post',
+            data: {
+                domainId: 1
+            }
+        });
+
+        assert.equal(res.status, 204, 'Add of permission should succeed for existing permission.');
+
+        //Add permission which does not exist
+        var res = await req({
+            url: '/users/2/permissions',
+            method: 'post',
+            data: {
+                domainId: 3
+            }
+        });
+
+        assert.equal(res.status, 204, 'Add of permission should succeed for not existing permission.');
+

    });

@ -43,5 +76,15 @@ test.run(async function () {
        });

        assert.equal(res.status, 403, 'Get of permissions should fail for user.');
+
+        var res = await req({
+            url: '/users/2/permissions',
+            method: 'post',
+            data: {
+                domainId: 100
+            }
+        });
+
+        assert.equal(res.status, 403, 'Add of permission should fail for user.');
    });
 });