~netlandish/links: Protecting specific mutations for Admin Write

2 files changed, 22 insertions(+), 29 deletions(-)

M api/graph/schema.resolvers.go
M models/organization.go

M api/graph/schema.resolvers.go => api/graph/schema.resolvers.go +16 -28

@@ 412,7 412,7 @@ func (r *mutationResolver) AddMember(ctx context.Context, input *model.MemberInp
 		return nil, nil
 	}
 	org := orgs[0]
-	if org.OwnerID != int(currentUser.ID) {
+	if !org.CanAdminWrite(ctx, currentUser) {
 		validator.Error(lt.Translate("This user is not allowed to perform this action")).
 			WithCode(valid.ErrNotFoundCode)
 		return nil, nil


@@ 676,20 676,11 @@ func (r *mutationResolver) UpdateLink(ctx context.Context, input *model.UpdateLi
 	}
 	orgLink := orgLinks[0]
 
-	orgs, err := user.GetOrgs(ctx, models.OrgUserPermissionWrite)
+	org, err := user.GetOrgsID(ctx, models.OrgUserPermissionWrite, orgLink.OrgID)
 	if err != nil {
 		return nil, err
 	}
-
-	var canEdit bool
-	var org *models.Organization
-	for _, o := range orgs {
-		if o.ID == orgLink.OrgID {
-			canEdit = true
-			org = o
-		}
-	}
-	if !canEdit {
+	if org == nil {
 		validator.Error(lt.Translate("Element Not Found")).
 			WithCode(valid.ErrNotFoundCode)
 		return nil, nil


@@ 1457,19 1448,11 @@ func (r *mutationResolver) UpdateOrganization(ctx context.Context, input *model.
 		return nil, nil
 	}
 
-	opts := &database.FilterOptions{
-		Filter: sq.And{
-			sq.Eq{"o.slug": input.CurrentSlug},
-			sq.Eq{"o.owner_id": user.ID},
-		},
-		Limit: 1,
-	}
-	orgs, err := models.GetOrganizations(ctx, opts)
+	org, err := user.GetOrgsSlug(ctx, models.OrgUserPermissionAdminWrite, input.CurrentSlug)
 	if err != nil {
 		return nil, err
 	}
-
-	if len(orgs) == 0 {
+	if org == nil {
 		validator.Error(
 			lt.Translate("Organization Not Found")).
 			WithField("name").


@@ 1477,13 1460,18 @@ func (r *mutationResolver) UpdateOrganization(ctx context.Context, input *model.
 		return nil, nil
 	}
 
-	org := orgs[0]
-
 	// If the org name changed, validate it
+	var (
+		opts *database.FilterOptions
+		orgs []*models.Organization
+	)
 	if input.Name != org.Name {
 		opts = &database.FilterOptions{
-			Filter: sq.Eq{"o.name": input.Name},
-			Limit:  1,
+			Filter: sq.And{
+				sq.Eq{"o.name": input.Name},
+				sq.Eq{"o.owner_id": user.ID},
+			},
+			Limit: 1,
 		}
 		orgs, err = models.GetOrganizations(ctx, opts)
 		if err != nil {


@@ 1688,7 1676,7 @@ func (r *mutationResolver) AddDomain(ctx context.Context, input model.DomainInpu
 		return nil, nil
 	}
 
-	org, err := user.GetOrgsSlug(ctx, models.OrgUserPermissionWrite, input.OrgSlug)
+	org, err := user.GetOrgsSlug(ctx, models.OrgUserPermissionAdminWrite, input.OrgSlug)
 	if err != nil {
 		return nil, err
 	}


@@ 2202,7 2190,7 @@ func (r *mutationResolver) DeleteDomain(ctx context.Context, id int) (*model.Del
 			return nil, nil
 		}
 
-		org, err := user.GetOrgsID(ctx, models.OrgUserPermissionWrite, int(domain.OrgID.Int64))
+		org, err := user.GetOrgsID(ctx, models.OrgUserPermissionAdminWrite, int(domain.OrgID.Int64))
 		if err != nil {
 			return nil, err
 		}

M models/organization.go => models/organization.go +6 -1

@@ 226,11 226,16 @@ func (o *Organization) CanRead(ctx context.Context, user *User) bool {
 	return o.permCheck(ctx, user, OrgUserPermissionRead)
 }
 
-// CanWrite checks if provided user has read access to organization
+// CanWrite checks if provided user has write access to organization
 func (o *Organization) CanWrite(ctx context.Context, user *User) bool {
 	return o.permCheck(ctx, user, OrgUserPermissionWrite)
 }
 
+// CanAdminWrite checks if provided user has admin write access to organization
+func (o *Organization) CanAdminWrite(ctx context.Context, user *User) bool {
+	return o.permCheck(ctx, user, OrgUserPermissionAdminWrite)
+}
+
 func (o *Organization) IsRestricted(restrictedStatus []int) bool {
 	status := o.Settings.Billing.Status
 	for _, i := range restrictedStatus {