Setup CRUD permissions check (#74)

* Create IsAuthorOf permission group struct

* Create story permission groups

* Create IsSelf permission group struct

* Create user permission groups

* Create delete operation permission groups

* Fix imports post-refactor

* Update CheckPermissions signature

* Create permission groups for listing of resources

* Add permissions check to stories controllers

* Add permissions check to user controllers

* Fix role getter in usergroups middleware

* Implement user role authorization checker

Author: RichDom2185

controller/stories/delete.go

@@ -8,8 +8,10 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/sirupsen/logrus"
 	"github.com/source-academy/stories-backend/controller"
+	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
 	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	storypermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/stories"
 	"github.com/source-academy/stories-backend/model"
 	storyviews "github.com/source-academy/stories-backend/view/stories"
 )
@@ -23,6 +25,14 @@ func HandleDelete(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	err = auth.CheckPermissions(r, storypermissiongroups.Delete(uint(storyID)))
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error deleting story: %v", err),
+		}
+	}
+
 	// TODO: Prevents cross-tenant story viewing
 	//       when user is a member of multiple stories groups.
 	//       Not implemented yet as deletion is protected with more

controller/stories/stories.go

@@ -11,15 +11,25 @@ import (
 	"github.com/sirupsen/logrus"
 
 	"github.com/source-academy/stories-backend/controller"
+	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
 	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	storypermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/stories"
 	"github.com/source-academy/stories-backend/internal/usergroups"
 	"github.com/source-academy/stories-backend/model"
 	storyparams "github.com/source-academy/stories-backend/params/stories"
 	storyviews "github.com/source-academy/stories-backend/view/stories"
 )
 
 func HandleList(w http.ResponseWriter, r *http.Request) error {
+	err := auth.CheckPermissions(r, storypermissiongroups.List())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error listing stories: %v", err),
+		}
+	}
+
 	// Get DB instance
 	db, err := database.GetDBFrom(r)
 	if err != nil {
@@ -53,6 +63,14 @@ func HandleRead(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	err = auth.CheckPermissions(r, storypermissiongroups.Read())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error reading story: %v", err),
+		}
+	}
+
 	// Get DB instance
 	db, err := database.GetDBFrom(r)
 	if err != nil {
@@ -90,6 +108,14 @@ func HandleRead(w http.ResponseWriter, r *http.Request) error {
 }
 
 func HandleCreate(w http.ResponseWriter, r *http.Request) error {
+	err := auth.CheckPermissions(r, storypermissiongroups.Create())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error creating story: %v", err),
+		}
+	}
+
 	var params storyparams.Create
 	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
 		e, ok := err.(*json.UnmarshalTypeError)
@@ -106,7 +132,7 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	err := params.Validate()
+	err = params.Validate()
 	if err != nil {
 		logrus.Error(err)
 		return apierrors.ClientUnprocessableEntityError{

controller/stories/update.go

@@ -9,8 +9,10 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/sirupsen/logrus"
 	"github.com/source-academy/stories-backend/controller"
+	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
 	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	storypermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/stories"
 	"github.com/source-academy/stories-backend/model"
 	storyparams "github.com/source-academy/stories-backend/params/stories"
 	storyviews "github.com/source-academy/stories-backend/view/stories"
@@ -25,6 +27,14 @@ func HandleUpdate(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	err = auth.CheckPermissions(r, storypermissiongroups.Update(uint(storyID)))
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error updating story: %v", err),
+		}
+	}
+
 	// Extra params won't do anything, e.g. authorID can't be changed.
 	// TODO: Error on extra params?
 	var params storyparams.Update

controller/users/create.go

@@ -7,14 +7,24 @@ import (
 
 	"github.com/sirupsen/logrus"
 	"github.com/source-academy/stories-backend/controller"
+	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
 	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	userpermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/users"
 	"github.com/source-academy/stories-backend/model"
 	userparams "github.com/source-academy/stories-backend/params/users"
 	userviews "github.com/source-academy/stories-backend/view/users"
 )
 
 func HandleCreate(w http.ResponseWriter, r *http.Request) error {
+	err := auth.CheckPermissions(r, userpermissiongroups.Create())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error creating user: %v", err),
+		}
+	}
+
 	var params userparams.Create
 	if err := json.NewDecoder(r.Body).Decode(&params); err != nil {
 		e, ok := err.(*json.UnmarshalTypeError)
@@ -31,7 +41,7 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
-	err := params.Validate()
+	err = params.Validate()
 	if err != nil {
 		logrus.Error(err)
 		return apierrors.ClientUnprocessableEntityError{
@@ -60,6 +70,14 @@ func HandleCreate(w http.ResponseWriter, r *http.Request) error {
 }
 
 func HandleBatchCreate(w http.ResponseWriter, r *http.Request) error {
+	err := auth.CheckPermissions(r, userpermissiongroups.Create())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error batch creating users: %v", err),
+		}
+	}
+
 	var usersparams userparams.BatchCreate
 	if err := json.NewDecoder(r.Body).Decode(&usersparams); err != nil {
 		e, ok := err.(*json.UnmarshalTypeError)

controller/users/delete.go

@@ -8,13 +8,23 @@ import (
 	"github.com/go-chi/chi/v5"
 	"github.com/sirupsen/logrus"
 	"github.com/source-academy/stories-backend/controller"
+	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
 	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	userpermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/users"
 	"github.com/source-academy/stories-backend/model"
 	userviews "github.com/source-academy/stories-backend/view/users"
 )
 
 func HandleDelete(w http.ResponseWriter, r *http.Request) error {
+	err := auth.CheckPermissions(r, userpermissiongroups.Delete())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error deleting user: %v", err),
+		}
+	}
+
 	userIDStr := chi.URLParam(r, "userID")
 	userID, err := strconv.Atoi(userIDStr)
 	if err != nil {

controller/users/list.go

@@ -1,16 +1,28 @@
 package users
 
 import (
+	"fmt"
 	"net/http"
 
 	"github.com/sirupsen/logrus"
 	"github.com/source-academy/stories-backend/controller"
+	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
+	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	userpermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/users"
 	"github.com/source-academy/stories-backend/model"
 	userviews "github.com/source-academy/stories-backend/view/users"
 )
 
 func HandleList(w http.ResponseWriter, r *http.Request) error {
+	err := auth.CheckPermissions(r, userpermissiongroups.List())
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error listing users: %v", err),
+		}
+	}
+
 	// Get DB instance
 	db, err := database.GetDBFrom(r)
 	if err != nil {

controller/users/read.go

@@ -11,6 +11,7 @@ import (
 	"github.com/source-academy/stories-backend/internal/auth"
 	"github.com/source-academy/stories-backend/internal/database"
 	apierrors "github.com/source-academy/stories-backend/internal/errors"
+	userpermissiongroups "github.com/source-academy/stories-backend/internal/permissiongroups/users"
 	"github.com/source-academy/stories-backend/model"
 	userviews "github.com/source-academy/stories-backend/view/users"
 )
@@ -24,6 +25,14 @@ func HandleRead(w http.ResponseWriter, r *http.Request) error {
 		}
 	}
 
+	err = auth.CheckPermissions(r, userpermissiongroups.Read(uint(userID)))
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error reading user: %v", err),
+		}
+	}
+
 	// Get DB instance
 	db, err := database.GetDBFrom(r)
 	if err != nil {
@@ -47,6 +56,14 @@ func HandleReadSelf(w http.ResponseWriter, r *http.Request) error {
 		return err
 	}
 
+	err = auth.CheckPermissions(r, userpermissiongroups.Read(uint(*userID)))
+	if err != nil {
+		logrus.Error(err)
+		return apierrors.ClientForbiddenError{
+			Message: fmt.Sprintf("Error reading user: %v", err),
+		}
+	}
+
 	// Get DB instance
 	db, err := database.GetDBFrom(r)
 	if err != nil {

internal/auth/permission.go

@@ -1,14 +1,19 @@
 package auth
 
 import (
+	"errors"
 	"net/http"
 
 	"github.com/source-academy/stories-backend/internal/permissions"
 )
 
-func CheckPermissions(r *http.Request, requestedActionPermissions ...permissions.PermissionGroup) (bool, error) {
+func CheckPermissions(r *http.Request, requestedActionPermissions ...permissions.PermissionGroup) error {
 	requiredPermissions := permissions.AllOf{
 		Groups: requestedActionPermissions,
 	}
-	return requiredPermissions.IsAuthorized(r), nil
+	isAuthorized := requiredPermissions.IsAuthorized(r)
+	if !isAuthorized {
+		return errors.New("You are not authorized to perform this action.")
+	}
+	return nil
 }

internal/permissiongroups/stories/author.go

@@ -0,0 +1,32 @@
+package storypermissiongroups
+
+import (
+	"net/http"
+
+	"github.com/source-academy/stories-backend/internal/auth"
+	"github.com/source-academy/stories-backend/internal/database"
+	"github.com/source-academy/stories-backend/model"
+)
+
+type IsAuthorOf struct {
+	StoryID uint
+}
+
+func (p IsAuthorOf) IsAuthorized(r *http.Request) bool {
+	userID, err := auth.GetUserIDFrom(r)
+	if err != nil {
+		return false
+	}
+
+	db, err := database.GetDBFrom(r)
+	if err != nil {
+		return false
+	}
+
+	story, err := model.GetStoryByID(db, int(p.StoryID))
+	if err != nil {
+		return false
+	}
+
+	return story.AuthorID == uint(*userID)
+}

internal/permissiongroups/stories/stories.go

@@ -0,0 +1,41 @@
+package storypermissiongroups
+
+import (
+	"github.com/source-academy/stories-backend/internal/permissions"
+	userpermissions "github.com/source-academy/stories-backend/internal/permissions/users"
+)
+
+func List() permissions.PermissionGroup {
+	return userpermissions.
+		GetRolePermission(userpermissions.CanReadStories)
+}
+
+func Create() permissions.PermissionGroup {
+	return userpermissions.
+		GetRolePermission(userpermissions.CanCreateStories)
+}
+
+func Read() permissions.PermissionGroup {
+	return userpermissions.
+		GetRolePermission(userpermissions.CanReadStories)
+}
+
+func Update(storyID uint) permissions.PermissionGroup {
+	return permissions.AnyOf{
+		Groups: []permissions.PermissionGroup{
+			userpermissions.
+				GetRolePermission(userpermissions.CanUpdateStories),
+			IsAuthorOf{StoryID: storyID},
+		},
+	}
+}
+
+func Delete(storyID uint) permissions.PermissionGroup {
+	return permissions.AnyOf{
+		Groups: []permissions.PermissionGroup{
+			userpermissions.
+				GetRolePermission(userpermissions.CanDeleteStories),
+			IsAuthorOf{StoryID: storyID},
+		},
+	}
+}