From 0d2e20e9e4fa378be984f8deb9348ecdbfbaad97 Mon Sep 17 00:00:00 2001
From: Christoph Kluge
Date: Mon, 12 Jun 2023 11:35:16 +0200
Subject: [PATCH] Handle users with no roles as "user role" -for backwards compatibility

---
 internal/repository/query.go | 14 +++++--
 internal/repository/tags.go | 9 +++--
 web/frontend/src/Header.svelte | 4 +-
 web/frontend/src/filters/UserOrProject.svelte | 39 +++++++++----------
 4 files changed, 36 insertions(+), 30 deletions(-)

diff --git a/internal/repository/query.go b/internal/repository/query.go
index 27378ac..32ecea0 100644
--- a/internal/repository/query.go
+++ b/internal/repository/query.go
@@ -204,7 +204,10 @@ func (r *JobRepository) CountJobs(
 
 func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (queryOut sq.SelectBuilder, err error) {
 	user := auth.GetUser(ctx)
-	if user == nil || user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleApi}) { // Admin & Co. : All jobs
+	if user == nil {
+		var qnil sq.SelectBuilder
+		return qnil, fmt.Errorf("user context is nil!")
+	} else if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport}) { // Admin & Co. : All jobs
 		return query, nil
 	} else if user.HasRole(auth.RoleManager) { // Manager : Add filter for managed projects' jobs only + personal jobs
 		if len(user.Projects) != 0 {
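Review bot: Dropping auth.RoleApi from the HasAnyRole list in the new first branch silently changes what an API-role-only principal may query: it no longer matches "Admin & Co." and falls through to the later branches, and the commit message only talks about users with no roles, so if that narrowing is intended it should be stated there, and if not, RoleApi needs to go back into the list. The new nil-user error also breaks two Go conventions in one line: error strings are lowercase without trailing punctuation, and a zero SelectBuilder does not need a named variable — `return sq.SelectBuilder{}, fmt.Errorf("user context is nil")` says the same thing. SecurityCheck's body continues past the end of this hunk.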
@@ -215,9 +218,12 @@ func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (queryOut sq.Sel
 		}
 	} else if user.HasRole(auth.RoleUser) { // User : Only personal jobs
 		return query.Where("job.user = ?", user.Username), nil
-	} else { // Unauthorized : Error
-		var qnil sq.SelectBuilder
-		return qnil, fmt.Errorf("user '%s' with unknown roles [%#v]", user.Username, user.Roles)
+	} else {
+		// Shortterm compatibility: Return User-Query if no roles:
+		return query.Where("job.user = ?", user.Username), nil
+		// // On the longterm: Return Error instead of fallback:
+		// var qnil sq.SelectBuilder
+		// return qnil, fmt.Errorf("user '%s' with unknown roles [%#v]", user.Username, user.Roles)
 	}
 }
 
diff --git a/internal/repository/tags.go b/internal/repository/tags.go
index ce076ff..943d8b1 100644
--- a/internal/repository/tags.go
+++ b/internal/repository/tags.go
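Review bot: The new else branch turns the former "unknown roles" error into a silent grant of the personal-jobs query, and because the previous hunk removed RoleApi from the privileged list, an API-role-only principal now lands here too, not only the "no roles" case named in the commit message. Nothing records that the fallback was taken, so the compatibility path leaves no trace for operators; the package already logs elsewhere (tags.go in this patch uses log.Info), so if that logger is imported in query.go, a one-line `log.Warnf("SecurityCheck: user '%s' has no recognized roles %#v, falling back to personal-jobs filter", user.Username, user.Roles)` before the return would make the fallback visible. The commented-out "longterm" code should be a `// TODO:` sentence instead of dead source that gofmt and linters will keep dragging along. The start of SecurityCheck lies outside this hunk.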
@@ -88,12 +88,15 @@ func (r *JobRepository) CountTags(user *auth.User) (tags []schema.Tag, counts ma
 		LeftJoin("jobtag jt ON t.id = jt.tag_id").
 		GroupBy("t.tag_name")
 
-	if user != nil && user.HasRole(auth.RoleUser) { // USER: Only count own jobs
-		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ?)", user.Username)
+	if user != nil && user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport}) { // ADMIN || SUPPORT: Count all jobs
+		log.Info("CountTags: User Admin or Support -> Count all Jobs for Tags")
+		// Unchanged: Needs to be own case still, due to UserRole/NoRole compatibility handling in else case
 	} else if user != nil && user.HasRole(auth.RoleManager) { // MANAGER: Count own jobs plus project's jobs
 		// Build ("project1", "project2", ...) list of variable length directly in SQL string
 		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ? OR job.project IN (\""+strings.Join(user.Projects, "\",\"")+"\"))", user.Username)
-	} // else: ADMIN || SUPPORT: Count all jobs
+	} else { // USER OR NO ROLE (Compatibility): Only count own jobs
+		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ?)", user.Username)
+	}
 
 	rows, err := q.RunWith(r.stmtCache).Query()
 	if err != nil {
diff --git a/web/frontend/src/Header.svelte b/web/frontend/src/Header.svelte
index 227a9d4..b291f22 100644
--- a/web/frontend/src/Header.svelte
+++ b/web/frontend/src/Header.svelte
@@ -65,12 +65,10 @@
 {#each managerviews as item} {item.title} {/each} - {:else if authlevel == roles.user} + {:else} {#each userviews as item} {item.title} {/each} - {:else} -
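Review bot: The new else branch dereferences `user.Username` while both guarded conditions above it test `user != nil`, so a nil user — which before this change fell through and counted all jobs — now reaches the else and panics. The function should reject a nil user explicitly and in the same way SecurityCheck in this patch does, e.g. before the role checks: `if user == nil { return nil, nil, fmt.Errorf("user context is nil") }` (adjust the zero results to the actual signature, which starts outside the hunk). The `log.Info` added to the admin branch fires on every tag count for privileged sessions and carries no variable data, so it reads as debugging output rather than an operational signal; a comment alone would document the deliberate empty case. Separately, and not introduced here, the manager branch's context line splices `user.Projects` into the SQL text with strings.Join while the username goes through a placeholder, so project names ought to be bound as placeholders too in a follow-up.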

API User or Unauthorized!

{/if} {#each viewsPerCluster.filter(item => item.requiredRole <= authlevel) as item} diff --git a/web/frontend/src/filters/UserOrProject.svelte b/web/frontend/src/filters/UserOrProject.svelte index f1186ea..8235863 100644 --- a/web/frontend/src/filters/UserOrProject.svelte +++ b/web/frontend/src/filters/UserOrProject.svelte @@ -23,19 +23,9 @@ } let timeoutId = null + // Compatibility: Handle "user role" and "no role" identically function termChanged(sleep = throttle) { - if (authlevel == roles.user) { - project = term - - if (timeoutId != null) - clearTimeout(timeoutId) - - timeoutId = setTimeout(() => { - dispatch('update', { - project - }) - }, sleep) - } else if (authlevel >= roles.manager) { + if (authlevel >= roles.manager) { if (mode == 'user') user = term else @@ -50,17 +40,21 @@ project }) }, sleep) + } else { + project = term + if (timeoutId != null) + clearTimeout(timeoutId) + + timeoutId = setTimeout(() => { + dispatch('update', { + project + }) + }, sleep) } } -{#if authlevel == roles.user} - - termChanged()} on:keyup={(event) => termChanged(event.key == 'Enter' ? 0 : throttle)} placeholder='filter project...' - /> - -{:else if authlevel >= roles.manager} +{#if authlevel >= roles.manager} termChanged()} on:keyup={(event) => termChanged(event.key == 'Enter' ? 0 : throttle)} placeholder='filter project...' + /> + {/if}
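Review bot: The `{:else}` that replaces `{:else if authlevel == roles.user}` renders `userviews` for every authlevel below `roles.manager`, which includes whatever sessions previously reached the removed "API User or Unauthorized!" notice, not only the no-roles accounts the commit message describes. That is presentation only, so nothing here widens data access by itself, but the navigation no longer tells an API-only or not-yet-authorized session that it is in a degraded state; if that notice still has value, keeping it behind an explicit `authlevel < roles.user` check would preserve it. The markup of this hunk has been flattened in this listing, so the exact removed element cannot be read here. The same fallback logic recurs in UserOrProject.svelte below.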
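Review bot: The new else branch of termChanged (and the second hunk of this file) copies the clearTimeout/setTimeout/dispatch sequence that the manager branch already contains, so the throttling rule now lives in two places that can drift apart. Pulling that sequence into one helper that both branches call keeps the only difference — which fields are dispatched — visible at the call sites; the helper below is constructed from the lines in the hunk and assumes nothing else touches `timeoutId`. termChanged's manager branch runs past the end of the first hunk, and the template `{#if authlevel >= roles.manager}` block is flattened in this listing, so its markup cannot be reviewed line by line here.
```svelte
    // Compatibility: Handle "user role" and "no role" identically
    function scheduleUpdate(payload, sleep) {
        if (timeoutId != null)
            clearTimeout(timeoutId)

        timeoutId = setTimeout(() => {
            dispatch('update', payload)
        }, sleep)
    }

    function termChanged(sleep = throttle) {
        if (authlevel >= roles.manager) {
            // … unchanged: user/project assignment by mode …
            scheduleUpdate({ user, project }, sleep)
        } else {
            project = term
            scheduleUpdate({ project }, sleep)
        }
    }
```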