Handle users with no roles as "user role"

-for backwards compatibility
2024-11-10 08:57:25 +01:00 · 2023-06-12 11:35:16 +02:00 · 2023-06-12 11:35:16 +02:00 · 0d2e20e9e4
commit 0d2e20e9e4
parent 21ec2bb51d
4 changed files with 36 additions and 30 deletions
--- a/internal/repository/query.go
+++ b/internal/repository/query.go
@ -204,7 +204,10 @@ func (r *JobRepository) CountJobs(

 func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (queryOut sq.SelectBuilder, err error) {
 	user := auth.GetUser(ctx)
-	if user == nil || user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport, auth.RoleApi}) { // Admin & Co. : All jobs
+	if user == nil {
+		var qnil sq.SelectBuilder
+		return qnil, fmt.Errorf("user context is nil!")
+	} else if user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport}) { // Admin & Co. : All jobs
 		return query, nil
 	} else if user.HasRole(auth.RoleManager) { // Manager : Add filter for managed projects' jobs only + personal jobs
 		if len(user.Projects) != 0 {
@ -215,9 +218,12 @@ func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (queryOut sq.Sel
 		}
 	} else if user.HasRole(auth.RoleUser) { // User : Only personal jobs
 		return query.Where("job.user = ?", user.Username), nil
-	} else { // Unauthorized : Error
-		var qnil sq.SelectBuilder
-		return qnil, fmt.Errorf("user '%s' with unknown roles [%#v]", user.Username, user.Roles)
+	} else {
+		// Shortterm compatibility: Return User-Query if no roles:
+		return query.Where("job.user = ?", user.Username), nil
+		// // On the longterm: Return Error instead of fallback:
+		// var qnil sq.SelectBuilder
+		// return qnil, fmt.Errorf("user '%s' with unknown roles [%#v]", user.Username, user.Roles)
 	}
 }

--- a/internal/repository/tags.go
+++ b/internal/repository/tags.go
@ -88,12 +88,15 @@ func (r *JobRepository) CountTags(user *auth.User) (tags []schema.Tag, counts ma
 		LeftJoin("jobtag jt ON t.id = jt.tag_id").
 		GroupBy("t.tag_name")

-	if user != nil && user.HasRole(auth.RoleUser) { // USER: Only count own jobs
-		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ?)", user.Username)
+	if user != nil && user.HasAnyRole([]auth.Role{auth.RoleAdmin, auth.RoleSupport}) { // ADMIN || SUPPORT: Count all jobs
+		log.Info("CountTags: User Admin or Support -> Count all Jobs for Tags")
+		// Unchanged: Needs to be own case still, due to UserRole/NoRole compatibility handling in else case
 	} else if user != nil && user.HasRole(auth.RoleManager) { // MANAGER: Count own jobs plus project's jobs
 		// Build ("project1", "project2", ...) list of variable length directly in SQL string
 		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ? OR job.project IN (\""+strings.Join(user.Projects, "\",\"")+"\"))", user.Username)
-	} // else: ADMIN || SUPPORT: Count all jobs
+	} else { // USER OR NO ROLE (Compatibility): Only count own jobs
+		q = q.Where("jt.job_id IN (SELECT id FROM job WHERE job.user = ?)", user.Username)
+	}

 	rows, err := q.RunWith(r.stmtCache).Query()
 	if err != nil {
--- a/web/frontend/src/Header.svelte
+++ b/web/frontend/src/Header.svelte
@ -65,12 +65,10 @@
                {#each managerviews as item}
                    <NavLink href={item.href} active={window.location.pathname == item.href}><Icon name={item.icon}/> {item.title}</NavLink>
                {/each}
-            {:else if authlevel == roles.user}
+            {:else} <!-- Compatibility: Handle "user role" or "no role" as identical-->
                {#each userviews as item}
                    <NavLink href={item.href} active={window.location.pathname == item.href}><Icon name={item.icon}/> {item.title}</NavLink>
                {/each}
-            {:else}
-                <p>API User or Unauthorized!</p>
            {/if}
            {#each viewsPerCluster.filter(item => item.requiredRole <= authlevel) as item}
                <NavItem>
--- a/web/frontend/src/filters/UserOrProject.svelte
+++ b/web/frontend/src/filters/UserOrProject.svelte
@ -23,19 +23,9 @@
    }

    let timeoutId = null
+    // Compatibility: Handle "user role" and "no role" identically
    function termChanged(sleep = throttle) {
-        if (authlevel == roles.user) {
-            project = term
-
-            if (timeoutId != null)
-                clearTimeout(timeoutId)
-
-            timeoutId = setTimeout(() => {
-                dispatch('update', {
-                    project
-                })
-            }, sleep)
-        } else if (authlevel >= roles.manager) {
+        if (authlevel >= roles.manager) {
            if (mode == 'user')
                user = term
            else
@ -50,17 +40,21 @@
                    project
                })
            }, sleep)
+        } else {
+            project = term
+            if (timeoutId != null)
+                clearTimeout(timeoutId)
+
+            timeoutId = setTimeout(() => {
+                dispatch('update', {
+                    project
+                })
+            }, sleep)
        }
    }
 </script>

-{#if authlevel == roles.user}
-    <InputGroup>
-        <Input
-            type="text" bind:value={term} on:change={() => termChanged()} on:keyup={(event) => termChanged(event.key == 'Enter' ? 0 : throttle)} placeholder='filter project...'
-        />
-    </InputGroup>
-{:else if authlevel >= roles.manager}
+{#if authlevel >= roles.manager}
    <InputGroup>
        <select style="max-width: 175px;" class="form-select"
            bind:value={mode} on:change={modeChanged}>
@ -72,5 +66,10 @@
            placeholder={mode == 'user' ? 'filter username...' : 'filter project...'} />
    </InputGroup>
 {:else}
-    Unauthorized
+    <!-- Compatibility: Handle "user role" and "no role" identically-->
+    <InputGroup>
+        <Input
+            type="text" bind:value={term} on:change={() => termChanged()} on:keyup={(event) => termChanged(event.key == 'Enter' ? 0 : throttle)} placeholder='filter project...'
+        />
+    </InputGroup>
 {/if}