fix history access (#74)

* wip Signed-off-by: Sarah Funkhouser <[email protected]> * feat: fixup access to history Signed-off-by: Sarah Funkhouser <[email protected]> --------- Signed-off-by: Sarah Funkhouser <[email protected]>
theopenlane · Jan 13, 2025 · a570baa · a570baa
1 parent e507dd9
commit a570baa
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 52 deletions.
diff --git a/history/generateschemas.go b/history/generateschemas.go
@@ -64,6 +64,10 @@ type authzPolicyInfo struct {
 	OrgOwned bool
 	// UserOwned is a boolean that tells the extension that the schema is user owned, used by the history interceptor
 	UserOwned bool
+	// SelfAccess is a boolean that tells the extension that the schema is self access, used by the history interceptor
+	SelfAccess bool
+	// ObjectOwner is a string that tells the extension that the schema is object owned, used by the history interceptor
+	ObjectOwner string
 }
 
 var (
@@ -245,8 +249,22 @@ func (t *templateInfo) getAuthzPolicyInfo(schema *load.Schema) error {
 	// default to schema name if object type is not set
 	if annotations.ObjectType == "" {
 		t.AuthzPolicy.ObjectType = strcase.SnakeCase(schema.Name)
+
+		// if the object type is empty, default to self access
+		t.AuthzPolicy.SelfAccess = true
 	} else {
 		t.AuthzPolicy.ObjectType = annotations.ObjectType
+
+		switch strings.ToLower(annotations.ObjectType) {
+		case "user":
+			t.AuthzPolicy.UserOwned = true
+		case "organization":
+			t.AuthzPolicy.OrgOwned = true
+		case strings.ToLower(schema.Name):
+			t.AuthzPolicy.SelfAccess = true
+		default:
+			t.AuthzPolicy.ObjectOwner = t.AuthzPolicy.ObjectType
+		}
 	}
 
 	// the id is now the `ref` field on the history table
@@ -256,45 +274,9 @@ func (t *templateInfo) getAuthzPolicyInfo(schema *load.Schema) error {
 		t.AuthzPolicy.IDField = annotations.IDField
 	}
 
-	t.AuthzPolicy.OrgOwned = isOrgOwned(schema)
-
-	t.AuthzPolicy.UserOwned = isUserOwned(schema)
-
 	return nil
 }
 
-// isOrgOwned checks if the schema is org owned and returns true if it is
-func isOrgOwned(schema *load.Schema) bool {
-	for _, f := range schema.Fields {
-		// all org owned objects are mixed in
-		if !f.Position.MixedIn {
-			continue
-		}
-
-		if f.Name == "owner_id" {
-			return strings.Contains(f.Comment, "organization")
-		}
-	}
-
-	return false
-}
-
-// isUserOwned checks if the schema is user owned and returns true if it is
-func isUserOwned(schema *load.Schema) bool {
-	for _, f := range schema.Fields {
-		// all org owned objects are mixed in
-		if !f.Position.MixedIn {
-			continue
-		}
-
-		if f.Name == "owner_id" {
-			return strings.Contains(f.Comment, "user")
-		}
-	}
-
-	return false
-}
-
 // getAuthzAnnotation looks for the entfga Authz annotation in the schema
 // and unmarshals the annotations
 func getAuthzAnnotation(schema *load.Schema) (a entfga.Annotations, err error) {

diff --git a/history/generateschemas_test.go b/history/generateschemas_test.go
@@ -78,6 +78,7 @@ func TestGetAuthzPolicyInfo(t *testing.T) {
 				ObjectType:      "user",
 				NillableIDField: false,
 				IDField:         "Ref",
+				UserOwned:       true,
 			},
 		},
 		{
@@ -87,6 +88,7 @@ func TestGetAuthzPolicyInfo(t *testing.T) {
 				ObjectType:      "action_plan",
 				NillableIDField: false,
 				IDField:         "Ref",
+				SelfAccess:      true,
 			},
 		},
 		{
@@ -96,6 +98,7 @@ func TestGetAuthzPolicyInfo(t *testing.T) {
 				ObjectType:      "organization",
 				NillableIDField: false,
 				IDField:         "OwnerID",
+				OrgOwned:        true,
 			},
 		},
 		{
@@ -105,6 +108,7 @@ func TestGetAuthzPolicyInfo(t *testing.T) {
 				ObjectType:      "todo",
 				NillableIDField: true,
 				IDField:         "Ref",
+				SelfAccess:      true,
 			},
 		},
 	}

diff --git a/history/template_test.go b/history/template_test.go
@@ -39,7 +39,7 @@ func TestExtractUpdatedByKey(t *testing.T) {
 	}
 }
 
-func TestExxtractUpdatedByValueType(t *testing.T) {
+func TestExtractUpdatedByValueType(t *testing.T) {
 	tests := []struct {
 		name string
 		val  any

diff --git a/history/templates/schema.tmpl b/history/templates/schema.tmpl
@@ -117,21 +117,11 @@ func ({{ $name }}) Indexes() []ent.Index {
 // Interceptors of the {{ $name }}
 func ({{ $name }}) Interceptors() []ent.Interceptor {
 	return []ent.Interceptor{
-		interceptors.HistoryAccess("{{ .AuthzPolicy.AllowedRelation }}", {{ .AuthzPolicy.OrgOwned }},  {{ .AuthzPolicy.UserOwned }}),
-	}
-}
-{{- end }}
-
-{{- if .AuthzPolicy.ObjectType }}
-// Policy of the {{ $name }}
-func ({{ $name }}) Policy() ent.Policy {
-	return privacy.Policy{
-		Query: privacy.QueryPolicy{
-			privacy.{{ $name }}QueryRuleFunc(func(ctx context.Context, q *generated.{{ $name }}Query) error {
-				return q.CheckAccess(ctx)
-			}),
-			privacy.AlwaysDenyRule(),
-		},
+		{{- if .AuthzPolicy.SelfAccess }}
+		interceptors.FilterListQuery(),
+		{{- else }}
+		interceptors.HistoryAccess("{{ .AuthzPolicy.AllowedRelation }}", {{ .AuthzPolicy.OrgOwned }},  {{ .AuthzPolicy.UserOwned }}, "{{ .AuthzPolicy.ObjectOwner }}"),
+		{{- end }}
 	}
 }
 {{- end }}