[#200] Add authorization on forms related events

akvo · Feb 3, 2020 · de553ae · de553ae
1 parent c1d4f75
commit de553ae
Show file tree

Hide file tree

Showing 17 changed files with 37 additions and 1,014 deletions.
diff --git a/api/src/clojure/org/akvo/flow_api/boundary/user.clj b/api/src/clojure/org/akvo/flow_api/boundary/user.clj
@@ -17,15 +17,14 @@
 
 (defn id-by-email [{:keys [user-cache unknown-user-cache] :as this} instance-id email]
   (or
-    (get-id user-cache instance-id email)
-    (when-not (has? unknown-user-cache instance-id email)
-      (ds/with-remote-api this instance-id
-        (let [id (user/id email)
-              which-cache (if id user-cache unknown-user-cache)]
-          (put-id which-cache instance-id email id)
-          id)))))
+   (get-id user-cache instance-id email)
+   (when-not (has? unknown-user-cache instance-id email)
+     (let [id (user/id email)
+           which-cache (if id user-cache unknown-user-cache)]
+       (put-id which-cache instance-id email id)
+       id))))
 
 (defn id-by-email-or-throw-error [remote-api instance-id email]
   (or
     (id-by-email remote-api instance-id email)
-    (anomaly/unauthorized "User does not exist" {:email email})))
+    (anomaly/unauthorized "User does not exist" {:email email})))
diff --git a/api/src/clojure/org/akvo/flow_api/datastore/survey.clj b/api/src/clojure/org/akvo/flow_api/datastore/survey.clj
@@ -20,10 +20,9 @@
 (defn cached-list-ids [{:keys [survey-list-cache] :as remote-api} instance user-id]
   (if-let [survey-list (cache/lookup @(:cache survey-list-cache) [instance user-id])]
     survey-list
-    (ds/with-remote-api remote-api instance
-      (let [survey-list (doall (list-ids user-id))]
-        (swap! (:cache survey-list-cache) cache/miss [instance user-id] survey-list)
-        survey-list))))
+    (let [survey-list (doall (list-ids user-id))]
+      (swap! (:cache survey-list-cache) cache/miss [instance user-id] survey-list)
+      survey-list)))
 
 (defn list-by-folder [user-id folder-id]
   (->>
@@ -102,6 +101,7 @@
        :created-at (ds/created-at survey)
        :modified-at (ds/modified-at survey)})))
 
+
 (defn keep-allowed-to-see [surveys-to-permission surveys-allowed-per-instance]
   (let [instance->survey-set (into {}
                                (map (fn [{:keys [instance-id survey-ids]}]
@@ -111,3 +111,8 @@
       (fn [{:keys [instance-id survey-id]}]
         (contains? (get instance->survey-set instance-id) survey-id))
       surveys-to-permission)))
+
+(defn list-authorized-forms [user-id]
+  (let [form-dao (com.gallatinsystems.survey.dao.SurveyDAO.)
+        all-forms (.list form-dao "all")]
+    (.filterByUserAuthorizationObjectId form-dao all-forms user-id)))
diff --git a/api/src/clojure/org/akvo/flow_api/endpoint/flumenfly.clj b/api/src/clojure/org/akvo/flow_api/endpoint/flumenfly.clj
@@ -3,9 +3,11 @@
             [clojure.spec.alpha :as s]
             [clojure.walk]
             [compojure.core :refer [routes POST]]
+            [org.akvo.flow-api.datastore :as ds]
             [org.akvo.flow-api.boundary.survey :as survey]
             [org.akvo.flow-api.middleware.resolve-alias]
             [org.akvo.flow-api.boundary.resolve-alias :as resolve-alias]
+            [org.akvo.flow-api.middleware.resolve-alias :refer [wrap-resolve-alias]]
             [org.akvo.flow-api.middleware.jdo-persistent-manager :as jdo-pm]
             [ring.util.response :refer [response]]
             [org.akvo.flow-api.endpoint.spec :as spec]))
@@ -36,12 +38,14 @@
 
 (defn endpoint* [{:keys [remote-api akvo-flow-server-config]}]
   (routes
-    (POST "/check_permissions" {:keys [email body]}
-      (surveys akvo-flow-server-config remote-api email body))))
+    (POST "/check_permissions" {:keys [email body] :as req}
+      (ds/with-remote-api remote-api (:instance-id req)
+        (surveys akvo-flow-server-config remote-api email body)))))
 
-(defn endpoint [deps]
+(defn endpoint [{:keys [akvo-flow-server-config] :as deps}]
   (-> (endpoint* deps)
-    (jdo-pm/wrap-close-persistent-manager)))
+      (wrap-resolve-alias akvo-flow-server-config)
+      (jdo-pm/wrap-close-persistent-manager)))
 
 (comment
   (->

diff --git a/api/src/clojure/org/akvo/flow_api/endpoint/sync.clj b/api/src/clojure/org/akvo/flow_api/endpoint/sync.clj
@@ -40,8 +40,9 @@
   [offset db instance-id remote-api req]
   (let [alias (:alias req)
         api-root (utils/get-api-root req)
+        email (:email req)
         changes (->
-                 (unilog/process-unilog-events offset db instance-id remote-api)
+                 (unilog/process-unilog-events offset db instance-id remote-api email)
                  (select-keys [:form-instance-changed
                                :form-instance-deleted
                                :form-changed

diff --git a/api/src/clojure/org/akvo/flow_api/unilog/unilog.clj b/api/src/clojure/org/akvo/flow_api/unilog/unilog.clj
@@ -9,6 +9,7 @@
             [org.akvo.flow-api.boundary.survey :as survey]
             [org.akvo.flow-api.datastore.survey :as su]
             [org.akvo.flow-api.datastore.data-point :as data-point]
+            [clojure.set :as set]
             [clojure.spec.alpha :as s]
             [cheshire.core :as json]
             [com.stuartsierra.component :as component]))
@@ -142,18 +143,26 @@
                                       ["SELECT id AS offset FROM event_log WHERE id = ?" offset]))]
         (boolean (:offset result)))))
 
-(defn process-unilog-events [offset db instance-id remote-api]
+(defn process-unilog-events [offset db instance-id remote-api email]
   (ds/with-remote-api remote-api instance-id
     (let [ds (DatastoreServiceFactory/getDatastoreService)
           events (process-new-events
                    (jdbc/reducible-query db
                                          ["SELECT id, payload::text AS payload FROM event_log WHERE id > ? ORDER BY id ASC LIMIT 300" offset]
                                          {:auto-commit? false :fetch-size 300}))
+
+          user-id (user/id-by-email-or-throw-error remote-api instance-id email)
+          authorized-forms-ids (set (map #(ds/id %) (su/list-authorized-forms user-id)))
+          authorized-forms-to-load (set/intersection authorized-forms-ids (:forms-to-load events))
+          _ (prn "user-id" user-id)
+          _ (prn "authorized" authorized-forms-ids)
+          _ (prn "to-load" (:forms-to-load events))
+          _ (prn "authorized-to-load" authorized-forms-to-load)
           form-id->form (reduce (fn [acc form-id]
                                   (assoc acc form-id (su/get-form-definition (long form-id)
                                                                              {:include-survey-id? true})))
                                 {}
-                                (:forms-to-load events))
+                                authorized-forms-to-load)
           events-2 (after-forms-loaded events form-id->form) ;; TODO: get form definition from cache
           form-instances (doall
                            (mapcat

diff --git a/api/test/clojure/org/akvo/flow_api/akvo_flow_server_config_test.clj b/api/test/clojure/org/akvo/flow_api/akvo_flow_server_config_test.clj
diff --git a/api/test/clojure/org/akvo/flow_api/appengine-web.xml b/api/test/clojure/org/akvo/flow_api/appengine-web.xml
diff --git a/api/test/clojure/org/akvo/flow_api/datastore/data_point_test.clj b/api/test/clojure/org/akvo/flow_api/datastore/data_point_test.clj