Add 'project' to user table, add 'manager' role, conditional web render

- Addresses issues #40 #45 #82 - Reworked Navigation Header for all roles - 'Manager' role added, can be assigned a project-id in config by admins - BREAKING! -> Added 'project' column in SQLite3 table 'user' - Manager-Assigned project will be added to all graphql filters: Only show Jobs and Users of given project - 'My Jobs' Tab for all Roles - Switched from Bool "isAdmin" to integer authLevels - Removed critical data frontend logging - Reworked repo.query.SecurityCheck()
2025-07-23 21:01:40 +02:00 · 2023-01-27 18:36:58 +01:00
parent 834f9d9085
commit b2aed2f16b
33 changed files with 433 additions and 92 deletions
--- a/internal/repository/job.go
+++ b/internal/repository/job.go
@@ -295,8 +295,12 @@ func (r *JobRepository) CountGroupedJobs(ctx context.Context, aggreg model.Aggre
 		}
 	}

-	q := sq.Select("job."+string(aggreg), count).From("job").GroupBy("job." + string(aggreg)).OrderBy("count DESC")
-	q = SecurityCheck(ctx, q)
+	q, qerr := SecurityCheck(ctx, sq.Select("job."+string(aggreg), count).From("job").GroupBy("job." + string(aggreg)).OrderBy("count DESC"))
+
+	if qerr != nil {
+		return nil, qerr
+	}
+
 	for _, f := range filters {
 		q = BuildWhereClause(f, q)
 	}
--- a/internal/repository/query.go
+++ b/internal/repository/query.go
@@ -26,8 +26,11 @@ func (r *JobRepository) QueryJobs(
 	page *model.PageRequest,
 	order *model.OrderByInput) ([]*schema.Job, error) {

-	query := sq.Select(jobColumns...).From("job")
-	query = SecurityCheck(ctx, query)
+	query, qerr := SecurityCheck(ctx, sq.Select(jobColumns...).From("job"))
+
+	if qerr != nil {
+		return nil, qerr
+	}

 	if order != nil {
 		field := toSnakeCase(order.Field)
@@ -79,8 +82,12 @@ func (r *JobRepository) CountJobs(
 	filters []*model.JobFilter) (int, error) {

 	// count all jobs:
-	query := sq.Select("count(*)").From("job")
-	query = SecurityCheck(ctx, query)
+	query, qerr := SecurityCheck(ctx, sq.Select("count(*)").From("job"))
+
+	if qerr != nil {
+		return 0, qerr
+	}
+
 	for _, f := range filters {
 		query = BuildWhereClause(f, query)
 	}
@@ -92,13 +99,18 @@ func (r *JobRepository) CountJobs(
 	return count, nil
 }

-func SecurityCheck(ctx context.Context, query sq.SelectBuilder) sq.SelectBuilder {
+func SecurityCheck(ctx context.Context, query sq.SelectBuilder) (queryOut sq.SelectBuilder, err error) {
 	user := auth.GetUser(ctx)
-	if user == nil || user.HasAnyRole([]string{auth.RoleAdmin, auth.RoleApi, auth.RoleSupport}) {
-		return query
+	if user == nil || user.HasAnyRole([]string{auth.RoleAdmin, auth.RoleSupport, auth.RoleApi}) {
+		return query, nil
+	} else if (user.HasRole(auth.RoleManager)) { // Manager (Might be doublefiltered by frontend: should not matter)
+		return query.Where("job.project = ?", user.Project), nil
+	} else if (user.HasRole(auth.RoleUser)) { // User
+		return query.Where("job.user = ?", user.Username), nil
+	} else { // Unauthorized
+		var qnil sq.SelectBuilder
+		return qnil, errors.New(fmt.Sprintf("User '%s' with unknown roles! [%#v]\n", user.Username, user.Roles))
 	}
-
-	return query.Where("job.user = ?", user.Username)
 }

 // Build a sq.SelectBuilder out of a schema.JobFilter.