Fix List Group Members Not To Include Owned Things (#1877)

Signed-off-by: rodneyosodo <blackd0t@protonmail.com>
b1ackd0t 2023-08-04 15:58:07 +03:00 committed by GitHub
parent 1d80301455
commit d29e8b42de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
4 changed files with 12 additions and 14 deletions


@ -167,7 +167,8 @@ func (repo clientRepo) Members(ctx context.Context, groupID string, pm mfclients
aq := ""
// If not admin, the client needs to have a g_list action on the group or they are the owner.
if pm.Subject != "" {
aq = `AND EXISTS (SELECT 1 FROM policies WHERE policies.subject = :subject AND policies.object = :group_id AND :action=ANY(actions)) OR c.owner_id = :subject`
aq = `AND (EXISTS (SELECT 1 FROM policies p WHERE p.subject = :subject AND :action=ANY(actions))
OR EXISTS (SELECT 1 FROM groups g WHERE g.owner_id = :subject AND g.id = :group_id))`
}
q := fmt.Sprintf(`SELECT c.id, c.name, c.tags, c.metadata, c.identity, c.secret, c.status, c.created_at FROM clients c
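Review bot: The rewritten policy check in the new `aq` no longer ties the policy to the group. The old text had `policies.object = :group_id`, while the new subquery filters only on `p.subject = :subject AND :action=ANY(actions)`, so a subject holding that action on any object passes the check for every group. I would restore the scope: `EXISTS (SELECT 1 FROM policies p WHERE p.subject = :subject AND p.object = :group_id AND :action=ANY(actions))`. The same unscoped subquery appears in the other `Members` implementation changed by this commit (the hunk at -179,7), where the old line also lacked the object filter. The body of `Members` continues outside the hunk; `:group_id` is already referenced by the owner branch, so the bind should be available.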


@ -179,7 +179,9 @@ func (repo clientRepo) Members(ctx context.Context, groupID string, pm mfclients
aq := ""
// If not admin, the client needs to have a g_list action on the group or they are the owner.
if pm.Subject != "" {
aq = `AND EXISTS (SELECT 1 FROM policies WHERE policies.subject = :subject AND :action=ANY(actions)) OR c.owner_id = :subject`
aq = `AND (EXISTS (SELECT 1 FROM policies p WHERE p.subject = :subject AND :action=ANY(actions))
OR EXISTS (SELECT 1 FROM groups g WHERE g.owner_id = :subject AND g.id = :group_id))
AND c.id != :subject`
}
q := fmt.Sprintf(`SELECT c.id, c.name, c.tags, c.metadata, c.identity, c.status,
c.created_at, c.updated_at FROM clients c
@ -210,7 +212,10 @@ func (repo clientRepo) Members(ctx context.Context, groupID string, pm mfclients
items = append(items, c)
}
cq := fmt.Sprintf(`SELECT COUNT(*) FROM clients c INNER JOIN policies ON c.id=policies.subject %s AND policies.object = :group_id;`, emq)
cq := fmt.Sprintf(`SELECT COUNT(*) FROM clients c INNER JOIN policies ON c.id=policies.subject %s AND policies.object = :group_id`, emq)
if pm.Subject != "" {
cq = fmt.Sprintf("%s AND c.id != :subject", cq)
}
total, err := postgres.Total(ctx, repo.db, cq, dbPage)
if err != nil {
@ -439,11 +444,11 @@ func pageQuery(pm mfclients.Page) (string, error) {
// For listing clients that the specified client owns and that are shared with the specified client
if pm.Owner != "" && pm.SharedBy != "" {
query = append(query, "(c.owner_id = :owner_id OR (policies.object IN (SELECT object FROM policies WHERE subject = :shared_by AND :action=ANY(actions))))")
query = append(query, "(c.owner_id = :owner_id OR (policies.object IN (SELECT object FROM policies WHERE subject = :shared_by AND :action=ANY(actions)))) AND c.id != :shared_by")
}
// For listing clients that the specified client is shared with
if pm.SharedBy != "" && pm.Owner == "" {
query = append(query, "c.owner_id != :shared_by AND (policies.object IN (SELECT object FROM policies WHERE subject = :shared_by AND :action=ANY(actions)))")
query = append(query, "c.owner_id != :shared_by AND (policies.object IN (SELECT object FROM policies WHERE subject = :shared_by AND :action=ANY(actions))) AND c.id != :shared_by")
}
if len(query) > 0 {
emq = fmt.Sprintf("WHERE %s", strings.Join(query, " AND "))
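Review bot: The count query `cq` in the -210,7 hunk is not gated by the access clause built in `aq`; only `c.id != :subject` is appended to it. As far as the visible lines show, a subject that fails the policy/owner check would get no members back but could still receive the group's member total from `postgres.Total`. Since `aq` in this file already ends with `AND c.id != :subject` and is empty when `pm.Subject` is empty, the `if` block could become `cq = fmt.Sprintf("%s %s", cq, aq)`. This assumes `dbPage` binds `:action` and that `q` applies `aq` in the lines between the hunks, neither of which is visible here. A comment such as `// cq applies the same access filter as q so Total does not reveal membership size` would record the intent.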


@ -586,7 +586,7 @@ func TestGroupsMembers(t *testing.T) {
mp, err := crepo.Members(context.Background(), tc.ID, mfclients.Page{Total: 10, Offset: 0, Limit: 10, Status: mfclients.AllStatus, Subject: clientB.ID, Action: "g_list"})
assert.True(t, errors.Contains(err, tc.err), fmt.Sprintf("%s: expected %s got %s\n", desc, tc.err, err))
if tc.ID == group.ID {
assert.ElementsMatch(t, mp.Members, []mfclients.Client{clientA, clientB}, fmt.Sprintf("%s: expected %v got %v\n", desc, []mfclients.Client{clientA, clientB}, mp.Members))
assert.ElementsMatch(t, mp.Members, []mfclients.Client{clientA}, fmt.Sprintf("%s: expected %v got %v\n", desc, []mfclients.Client{clientA, clientB}, mp.Members))
}
}
}
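Review bot: The failure message on the changed assertion still formats `[]mfclients.Client{clientA, clientB}` as the expected value, although the assertion now expects only `clientA`, so a failing run would print a misleading expectation. The message argument should read `fmt.Sprintf("%s: expected %v got %v\n", desc, []mfclients.Client{clientA}, mp.Members)`. Every visible call uses `Subject: clientB.ID`, so the test does not appear to cover a subject that has no `g_list` policy on this group and is not its owner. A case asserting an empty result for such a subject would pin the access check in `Members`. `TestGroupsMembers` starts outside the hunk, so such a case may already exist in the table.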


@ -199,14 +199,6 @@ func (svc service) ListClients(ctx context.Context, token string, pm mfclients.P
if err != nil {
return mfclients.ClientsPage{}, err
}
for i, client := range clients.Clients {
if client.ID == id {
clients.Clients = append(clients.Clients[:i], clients.Clients[i+1:]...)
if clients.Total != 0 {
clients.Total--
}
}
}
return clients, nil
}