From ba4f3c7e1571f13fdfc7c59c7a3a85409d659ede Mon Sep 17 00:00:00 2001
From: Tobie Morgan Hitchcock
Date: Wed, 30 May 2018 13:25:42 +0100
Subject: [PATCH] Simplify permissions fetching code
---
 db/fetch.go | 12 ++++++++++++
 db/iterator.go | 7 -------
 db/socket.go | 41 ++++++++---------------------------------
 3 files changed, 20 insertions(+), 40 deletions(-)
diff --git a/db/fetch.go b/db/fetch.go
index cd9b059c..c9247331 100644
--- a/db/fetch.go
+++ b/db/fetch.go
@@ -393,6 +393,18 @@ func (e *executor) fetchArray(ctx context.Context, val []interface{}, doc *data.

 func (e *executor) fetchPerms(ctx context.Context, val sql.Expr, tb *sql.Ident) error {

+ // If the table does exist we reset the
+ // context to DB level so that no other
+ // embedded permissions are checked on
+ // records within these permissions.
+
+ ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
+
+ // We then try to process the relevant
+ // permissions expression, but only if
+ // the specified expression doesn't
+ // reference any document fields.
+
 res, err := e.fetch(ctx, val, ign)

 // If we receive an 'ident failed' error
diff --git a/db/iterator.go b/db/iterator.go
index d286bc0c..1aa135f7 100644
--- a/db/iterator.go
+++ b/db/iterator.go
@@ -492,13 +492,6 @@ func (i *iterator) processPerms(ctx context.Context, nsv, dbv, tbv string) {
 return
 }

- // If the table does exist we reset the
- // context to DB level so that no other
- // embedded permissions are checked on
- // records within these permissions.
-
- ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
-
 // If the table does exist we then try
 // to process the relevant permissions
 // expression, but only if they don't
diff --git a/db/socket.go b/db/socket.go
index edf5a564..b81527d9 100644
--- a/db/socket.go
+++ b/db/socket.go
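Review bot: In db/fetch.go, the comment added at the top of fetchPerms opens with "If the table does exist", which fitted the callers it was copied from but not this function, where no table lookup is visible. It should state the contract instead, for example `// Permission expressions are evaluated at DB level so that permissions embedded in the records they touch are not checked again.` Because the override to `cnf.AuthDB` now applies to every caller, the function's doc comment should also say that `val` must come from a stored table definition and never from the client's own query, since it is evaluated with DB-level authority. The body of fetchPerms continues past the end of the hunk.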
@@ -176,42 +176,17 @@ func (s *socket) check(e *executor, ctx context.Context, ns, db, tb string) (err
 return err
 }

- // Once we have the table we reset the
- // context to DB level so that no other
- // embedded permissions are checked on
- // records within these permissions.
-
- ctx = context.WithValue(ctx, ctxKeyKind, cnf.AuthDB)
-
- // If the table does exist we then try
- // to process the relevant permissions
- // expression, but only if they don't
- // reference any document fields.
-
- var val interface{}
+ // If the table has any permissions
+ // specified, then let's check if this
+ // query is allowed access to the table.

 switch p := tbv.Perms.(type) {
 case *sql.PermExpression:
- val, err = e.fetch(ctx, p.Select, ign)
+ return e.fetchPerms(ctx, p.Select, tbv.Name)
 default:
 return &PermsError{table: tb}
 }

- // If we receive an 'ident failed' error
- // it is because the table permission
- // expression contains a field check,
- // and therefore we must check each
- // record individually to see if it can
- // be accessed or not.
-
- if err != queryIdentFailed {
- if val, ok := val.(bool); ok && !val {
- return &PermsError{table: tb}
- }
- }
-
- return nil
-
 }

 func (s *socket) deregister(id string) {
@@ -284,9 +259,9 @@ func (s *socket) executeLive(e *executor, ctx context.Context, stm *sql.LiveStat

 case *sql.Table:

- if err = s.check(e, ctx, stm.NS, stm.DB, what.TB); err != nil {
+ /*if err = s.check(e, ctx, stm.NS, stm.DB, what.TB); err != nil {
 return nil, err
- }
+ }*/

 key := &keys.LV{KV: stm.KV, NS: stm.NS, DB: stm.DB, TB: what.TB, LV: stm.ID}
 if _, err = e.dbo.Put(ctx, 0, key.Encode(), stm.Encode()); err != nil {
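Review bot: In `check`, the `*sql.PermExpression` branch now returns whatever `fetchPerms` returns, so the earlier rule that a `queryIdentFailed` result means "allow here, decide per record" is no longer readable at this call site. The part of fetchPerms that handles it lies outside the fetch.go hunk. A comment above the return would keep the contract visible, e.g. `// fetchPerms returns nil when the expression references document fields; those records are checked individually later.`, assuming fetchPerms does keep that behaviour. It is also worth confirming that a denied table still yields a `*PermsError`, in case callers match on that type. The start of check lies outside the hunk.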
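Review bot: The `s.check(...)` call in the `*sql.Table` case of executeLive is commented out rather than replaced, so the live query is now stored with `e.dbo.Put` without the table-level select permission check that used to run first; the `*sql.Ident` case in the following hunk is changed the same way. The commit subject only mentions simplifying the permissions code, so this looks like leftover debugging. If so, restore `if err = s.check(e, ctx, stm.NS, stm.DB, what.TB); err != nil { return nil, err }` in both cases, using `what.ID` for the ident case. If the removal is intended because permissions are enforced when notifications are delivered, delete the block outright, leave a comment naming where that enforcement happens, and add a test that a scope-authenticated session without select permission cannot register or receive a live query on the table. executeLive begins and ends outside the hunk.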
@@ -295,9 +270,9 @@ func (s *socket) executeLive(e *executor, ctx context.Context, stm *sql.LiveStat

 case *sql.Ident:

- if err = s.check(e, ctx, stm.NS, stm.DB, what.ID); err != nil {
+ /*if err = s.check(e, ctx, stm.NS, stm.DB, what.ID); err != nil {
 return nil, err
- }
+ }*/

 key := &keys.LV{KV: stm.KV, NS: stm.NS, DB: stm.DB, TB: what.ID, LV: stm.ID}
 if _, err = e.dbo.Put(ctx, 0, key.Encode(), stm.Encode()); err != nil {