2022-01-13 07:29:41 +00:00
|
|
|
use crate::cnf;
|
2023-06-20 22:50:26 +00:00
|
|
|
use crate::dbs::Notification;
|
2022-01-13 07:29:41 +00:00
|
|
|
use crate::err::Error;
|
2023-07-29 18:47:25 +00:00
|
|
|
use crate::iam::{Action, Auth, ResourceKind, Role};
|
|
|
|
use crate::sql::Base;
|
2023-06-20 22:50:26 +00:00
|
|
|
use channel::Sender;
|
2022-02-06 21:06:52 +00:00
|
|
|
use std::sync::Arc;
|
2022-01-13 07:29:41 +00:00
|
|
|
|
2022-11-23 09:42:59 +00:00
|
|
|
/// An Options is passed around when processing a set of query
|
|
|
|
/// statements. An Options contains specific information for how
|
|
|
|
/// to process each particular statement, including the record
|
|
|
|
/// version to retrieve, whether futures should be processed, and
|
|
|
|
/// whether field/event/table queries should be processed (useful
|
|
|
|
/// when importing data, where these queries might fail).
|
2023-06-20 22:50:26 +00:00
|
|
|
#[derive(Clone, Debug)]
|
2022-02-06 21:06:52 +00:00
|
|
|
pub struct Options {
|
2023-06-20 22:50:26 +00:00
|
|
|
/// Current Node ID
|
2023-07-24 16:15:45 +00:00
|
|
|
id: Option<uuid::Uuid>,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Currently selected NS
|
2023-07-05 21:26:13 +00:00
|
|
|
ns: Option<Arc<str>>,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Currently selected DB
|
2023-07-05 21:26:13 +00:00
|
|
|
db: Option<Arc<str>>,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Approximately how large is the current call stack?
|
2022-10-06 16:35:03 +00:00
|
|
|
dive: u8,
|
2023-07-05 21:26:13 +00:00
|
|
|
/// Connection authentication data
|
|
|
|
pub auth: Arc<Auth>,
|
2023-07-29 18:47:25 +00:00
|
|
|
/// Is authentication enabled?
|
|
|
|
pub auth_enabled: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Whether live queries are allowed?
|
2022-06-27 16:01:39 +00:00
|
|
|
pub live: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we force tables/events to re-run?
|
2022-02-06 21:06:52 +00:00
|
|
|
pub force: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we run permissions checks?
|
2022-04-01 09:39:19 +00:00
|
|
|
pub perms: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we error if tables don't exist?
|
2022-08-25 13:49:33 +00:00
|
|
|
pub strict: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we process field queries?
|
2022-02-06 21:06:52 +00:00
|
|
|
pub fields: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we process event queries?
|
2022-02-06 21:06:52 +00:00
|
|
|
pub events: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we process table queries?
|
2022-02-06 21:06:52 +00:00
|
|
|
pub tables: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we process index queries?
|
2022-08-25 13:49:33 +00:00
|
|
|
pub indexes: bool,
|
2023-04-29 23:23:19 +00:00
|
|
|
/// Should we process function futures?
|
2022-02-06 21:06:52 +00:00
|
|
|
pub futures: bool,
|
2023-07-05 21:26:13 +00:00
|
|
|
/// The channel over which we send notifications
|
|
|
|
pub sender: Option<Sender<Notification>>,
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|
|
|
|
|
2022-02-06 21:06:52 +00:00
|
|
|
impl Default for Options {
|
2022-01-13 07:29:41 +00:00
|
|
|
fn default() -> Self {
|
2023-07-05 21:26:13 +00:00
|
|
|
Options::new()
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-02-06 21:06:52 +00:00
|
|
|
impl Options {
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new() -> Options {
|
2022-01-13 07:29:41 +00:00
|
|
|
Options {
|
2023-07-05 21:26:13 +00:00
|
|
|
id: None,
|
2022-02-06 21:06:52 +00:00
|
|
|
ns: None,
|
|
|
|
db: None,
|
2022-01-13 07:29:41 +00:00
|
|
|
dive: 0,
|
2022-06-27 16:01:39 +00:00
|
|
|
live: false,
|
2022-04-01 09:39:19 +00:00
|
|
|
perms: true,
|
2022-01-13 07:29:41 +00:00
|
|
|
force: false,
|
2022-08-25 13:49:33 +00:00
|
|
|
strict: false,
|
2022-01-13 07:29:41 +00:00
|
|
|
fields: true,
|
|
|
|
events: true,
|
|
|
|
tables: true,
|
2022-08-25 13:49:33 +00:00
|
|
|
indexes: true,
|
2022-01-13 07:29:41 +00:00
|
|
|
futures: false,
|
2023-07-29 18:47:25 +00:00
|
|
|
auth_enabled: true,
|
2023-07-05 21:26:13 +00:00
|
|
|
sender: None,
|
2023-07-29 18:47:25 +00:00
|
|
|
auth: Arc::new(Auth::default()),
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-07-05 21:26:13 +00:00
|
|
|
// --------------------------------------------------
|
|
|
|
|
|
|
|
/// Specify which Namespace should be used for
|
|
|
|
/// code which uses this `Options` object.
|
|
|
|
pub fn set_ns(&mut self, ns: Option<Arc<str>>) {
|
|
|
|
self.ns = ns
|
2023-06-20 22:50:26 +00:00
|
|
|
}
|
|
|
|
|
2023-07-05 21:26:13 +00:00
|
|
|
/// Specify which Database should be used for
|
|
|
|
/// code which uses this `Options` object.
|
|
|
|
pub fn set_db(&mut self, db: Option<Arc<str>>) {
|
|
|
|
self.db = db
|
2022-02-06 21:06:52 +00:00
|
|
|
}
|
|
|
|
|
2023-07-05 21:26:13 +00:00
|
|
|
// --------------------------------------------------
|
|
|
|
|
2023-08-19 09:01:37 +00:00
|
|
|
/// Set all the required options from a single point.
|
|
|
|
/// The system expects these values to always be set, so this should be called for all
|
|
|
|
/// instances when there is doubt.
|
|
|
|
pub fn with_required(
|
|
|
|
mut self,
|
|
|
|
node_id: uuid::Uuid,
|
|
|
|
ns: Option<Arc<str>>,
|
|
|
|
db: Option<Arc<str>>,
|
|
|
|
auth: Arc<Auth>,
|
|
|
|
) -> Self {
|
|
|
|
self.id = Some(node_id);
|
|
|
|
self.ns = ns;
|
|
|
|
self.db = db;
|
|
|
|
self.auth = auth;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
2023-07-05 21:26:13 +00:00
|
|
|
/// Set the Node ID for subsequent code which uses
|
|
|
|
/// this `Options`, with support for chaining.
|
2023-07-24 16:15:45 +00:00
|
|
|
pub fn with_id(mut self, id: uuid::Uuid) -> Self {
|
2023-07-05 21:26:13 +00:00
|
|
|
self.id = Some(id);
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Specify which Namespace should be used for code which
|
|
|
|
/// uses this `Options`, with support for chaining.
|
|
|
|
pub fn with_ns(mut self, ns: Option<Arc<str>>) -> Self {
|
|
|
|
self.ns = ns;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Specify which Database should be used for code which
|
|
|
|
/// uses this `Options`, with support for chaining.
|
|
|
|
pub fn with_db(mut self, db: Option<Arc<str>>) -> Self {
|
|
|
|
self.db = db;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Specify the authentication options for subsequent
|
|
|
|
/// code which uses this `Options`, with chaining.
|
|
|
|
pub fn with_auth(mut self, auth: Arc<Auth>) -> Self {
|
|
|
|
self.auth = auth;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Specify whether live queries are supported for
|
|
|
|
/// code which uses this `Options`, with chaining.
|
|
|
|
pub fn with_live(mut self, live: bool) -> Self {
|
|
|
|
self.live = live;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Specify whether permissions should be run for
|
|
|
|
/// code which uses this `Options`, with chaining.
|
|
|
|
pub fn with_perms(mut self, perms: bool) -> Self {
|
|
|
|
self.perms = perms;
|
|
|
|
self
|
2022-02-06 21:06:52 +00:00
|
|
|
}
|
|
|
|
|
2022-10-06 16:35:03 +00:00
|
|
|
///
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn with_force(mut self, force: bool) -> Self {
|
|
|
|
self.force = force;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
///
|
|
|
|
pub fn with_strict(mut self, strict: bool) -> Self {
|
|
|
|
self.strict = strict;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
///
|
|
|
|
pub fn with_fields(mut self, fields: bool) -> Self {
|
|
|
|
self.fields = fields;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
///
|
|
|
|
pub fn with_events(mut self, events: bool) -> Self {
|
|
|
|
self.events = events;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
///
|
|
|
|
pub fn with_tables(mut self, tables: bool) -> Self {
|
|
|
|
self.tables = tables;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
///
|
|
|
|
pub fn with_indexes(mut self, indexes: bool) -> Self {
|
|
|
|
self.indexes = indexes;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
|
|
|
///
|
|
|
|
pub fn with_futures(mut self, futures: bool) -> Self {
|
|
|
|
self.futures = futures;
|
|
|
|
self
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn with_import(mut self, import: bool) -> Self {
|
|
|
|
self.fields = !import;
|
|
|
|
self.events = !import;
|
|
|
|
self.tables = !import;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
2023-07-29 18:47:25 +00:00
|
|
|
/// Create a new Options object with auth enabled
|
|
|
|
pub fn with_auth_enabled(mut self, auth_enabled: bool) -> Self {
|
|
|
|
self.auth_enabled = auth_enabled;
|
|
|
|
self
|
|
|
|
}
|
|
|
|
|
2023-07-05 21:26:13 +00:00
|
|
|
// --------------------------------------------------
|
|
|
|
|
|
|
|
/// Create a new Options object for a subquery
|
|
|
|
pub fn new_with_perms(&self, perms: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-02-06 21:06:52 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
perms,
|
2022-01-13 07:29:41 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_force(&self, force: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-04-01 09:39:19 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
force,
|
2022-04-01 09:39:19 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_strict(&self, strict: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-02-06 21:06:52 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
strict,
|
2022-01-13 07:29:41 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_fields(&self, fields: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-02-06 21:06:52 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
fields,
|
2022-01-13 07:29:41 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_events(&self, events: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-02-06 21:06:52 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
events,
|
2022-01-13 07:29:41 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_tables(&self, tables: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-08-25 13:49:33 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
tables,
|
2022-08-25 13:49:33 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_indexes(&self, indexes: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-02-06 21:06:52 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
indexes,
|
2022-01-13 07:29:41 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_futures(&self, futures: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-07-27 13:05:28 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
futures,
|
2022-07-27 13:05:28 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2022-09-16 08:55:18 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_import(&self, import: bool) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
sender: self.sender.clone(),
|
2022-02-06 21:06:52 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
fields: !import,
|
|
|
|
events: !import,
|
|
|
|
tables: !import,
|
2022-01-13 07:29:41 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-06-20 22:50:26 +00:00
|
|
|
/// Create a new Options object for a subquery
|
2023-07-05 21:26:13 +00:00
|
|
|
pub fn new_with_sender(&self, sender: Sender<Notification>) -> Self {
|
|
|
|
Self {
|
2023-06-20 22:50:26 +00:00
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
2023-07-05 21:26:13 +00:00
|
|
|
sender: Some(sender),
|
2023-06-20 22:50:26 +00:00
|
|
|
..*self
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-07-29 18:47:25 +00:00
|
|
|
// Get currently selected base
|
|
|
|
pub fn selected_base(&self) -> Result<Base, Error> {
|
|
|
|
match (self.ns.as_ref(), self.db.as_ref()) {
|
|
|
|
(None, None) => Ok(Base::Root),
|
|
|
|
(Some(_), None) => Ok(Base::Ns),
|
|
|
|
(Some(_), Some(_)) => Ok(Base::Db),
|
|
|
|
(None, Some(_)) => Err(Error::NsEmpty),
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2023-07-05 21:26:13 +00:00
|
|
|
/// Create a new Options object for a function/subquery/future/etc.
|
|
|
|
///
|
|
|
|
/// The parameter is the approximate cost of the operation (more concretely, the size of the
|
|
|
|
/// stack frame it uses relative to a simple function call). When in doubt, use a value of 1.
|
|
|
|
pub fn dive(&self, cost: u8) -> Result<Self, Error> {
|
|
|
|
let dive = self.dive.saturating_add(cost);
|
|
|
|
if dive <= *cnf::MAX_COMPUTATION_DEPTH {
|
|
|
|
Ok(Self {
|
|
|
|
sender: self.sender.clone(),
|
|
|
|
auth: self.auth.clone(),
|
|
|
|
ns: self.ns.clone(),
|
|
|
|
db: self.db.clone(),
|
|
|
|
dive,
|
|
|
|
..*self
|
|
|
|
})
|
|
|
|
} else {
|
|
|
|
Err(Error::ComputationDepthExceeded)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
// --------------------------------------------------
|
|
|
|
|
|
|
|
/// Get current Node ID
|
2023-07-24 16:15:45 +00:00
|
|
|
pub fn id(&self) -> Result<uuid::Uuid, Error> {
|
2023-07-05 21:26:13 +00:00
|
|
|
self.id.ok_or(Error::Unreachable)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Get currently selected NS
|
|
|
|
pub fn ns(&self) -> &str {
|
|
|
|
self.ns.as_ref().map(AsRef::as_ref).unwrap()
|
|
|
|
// self.ns.as_ref().map(AsRef::as_ref).ok_or(Error::Unreachable)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Get currently selected DB
|
|
|
|
pub fn db(&self) -> &str {
|
|
|
|
self.db.as_ref().map(AsRef::as_ref).unwrap()
|
|
|
|
// self.db.as_ref().map(AsRef::as_ref).ok_or(Error::Unreachable)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Check whether this request supports realtime queries
|
2022-06-27 16:01:39 +00:00
|
|
|
pub fn realtime(&self) -> Result<(), Error> {
|
|
|
|
if !self.live {
|
|
|
|
return Err(Error::RealtimeDisabled);
|
|
|
|
}
|
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2023-07-29 18:47:25 +00:00
|
|
|
// Validate Options for Namespace
|
|
|
|
pub fn valid_for_ns(&self) -> Result<(), Error> {
|
|
|
|
if self.ns.is_none() {
|
|
|
|
return Err(Error::NsEmpty);
|
2022-02-06 21:06:52 +00:00
|
|
|
}
|
2022-07-26 09:06:33 +00:00
|
|
|
Ok(())
|
|
|
|
}
|
|
|
|
|
2023-07-29 18:47:25 +00:00
|
|
|
// Validate Options for Database
|
|
|
|
pub fn valid_for_db(&self) -> Result<(), Error> {
|
|
|
|
self.valid_for_ns()?;
|
|
|
|
|
|
|
|
if self.db.is_none() {
|
2022-03-06 10:58:59 +00:00
|
|
|
return Err(Error::DbEmpty);
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|
2022-02-06 21:06:52 +00:00
|
|
|
Ok(())
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|
2023-07-29 18:47:25 +00:00
|
|
|
|
|
|
|
/// Check if the current auth is allowed to perform an action on a given resource
|
|
|
|
pub fn is_allowed(&self, action: Action, res: ResourceKind, base: &Base) -> Result<(), Error> {
|
|
|
|
// If auth is disabled, allow all actions for anonymous users
|
|
|
|
if !self.auth_enabled && self.auth.is_anon() {
|
|
|
|
return Ok(());
|
|
|
|
}
|
|
|
|
|
|
|
|
let res = match base {
|
|
|
|
Base::Root => res.on_root(),
|
|
|
|
Base::Ns => {
|
|
|
|
self.valid_for_ns()?;
|
|
|
|
res.on_ns(self.ns())
|
|
|
|
}
|
|
|
|
Base::Db => {
|
|
|
|
self.valid_for_db()?;
|
|
|
|
res.on_db(self.ns(), self.db())
|
|
|
|
}
|
|
|
|
Base::Sc(sc) => {
|
|
|
|
self.valid_for_db()?;
|
|
|
|
res.on_scope(self.ns(), self.db(), sc)
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
self.auth.is_allowed(action, &res).map_err(Error::IamError)
|
|
|
|
}
|
|
|
|
|
|
|
|
/// Whether or not to check table permissions
|
|
|
|
///
|
|
|
|
/// TODO: This method is called a lot during data operations, so we decided to bypass the system's authorization mechanism.
|
|
|
|
/// This is a temporary solution, until we optimize the new authorization system.
|
|
|
|
pub fn check_perms(&self, action: Action) -> bool {
|
|
|
|
// If permissions are disabled, don't check permissions
|
|
|
|
if !self.perms {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// If auth is disabled and actor is anonymous, don't check permissions
|
|
|
|
if !self.auth_enabled && self.auth.is_anon() {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
// Is the actor allowed to view?
|
|
|
|
let can_view =
|
|
|
|
[Role::Viewer, Role::Editor, Role::Owner].iter().any(|r| self.auth.has_role(r));
|
|
|
|
// Is the actor allowed to edit?
|
|
|
|
let can_edit = [Role::Editor, Role::Owner].iter().any(|r| self.auth.has_role(r));
|
|
|
|
// Is the target database in the actor's level?
|
|
|
|
let db_in_actor_level = self.auth.is_root()
|
|
|
|
|| self.auth.is_ns() && self.auth.level().ns().unwrap() == self.ns()
|
|
|
|
|| self.auth.is_db()
|
|
|
|
&& self.auth.level().ns().unwrap() == self.ns()
|
|
|
|
&& self.auth.level().db().unwrap() == self.db();
|
|
|
|
|
|
|
|
// Is the actor allowed to do the action on the selected database?
|
|
|
|
let is_allowed = match action {
|
|
|
|
Action::View => {
|
|
|
|
// Today all users have at least View permissions, so if the target database belongs to the user's level, don't check permissions
|
|
|
|
can_view && db_in_actor_level
|
|
|
|
}
|
|
|
|
Action::Edit => {
|
|
|
|
// Editor and Owner roles are allowed to edit, but only if the target database belongs to the user's level
|
|
|
|
can_edit && db_in_actor_level
|
|
|
|
}
|
|
|
|
};
|
|
|
|
|
|
|
|
// Check permissions if the autor is not already allowed to do the action
|
|
|
|
!is_allowed
|
|
|
|
}
|
2022-01-13 07:29:41 +00:00
|
|
|
}
|