Merge pull request #152 from Viva-con-Agua/tk/hotfix_message_permission

Tk/hotfix message permission

dao/connection.go

@@ -70,6 +70,8 @@ var (
 	ActitityUserPipe       = vmdb.NewPipeline()
 	UserPipe               = vmdb.NewPipeline()
 	UpdateCollection       *vmdb.Collection
+
+	TestLogin bool
 )
 
 func InitialDatabase() {
@@ -230,3 +232,7 @@ func InitialIDjango() {
 	IDjango.Key = vcago.Settings.String("IDJANGO_KEY", "n", "")
 	IDjango.Export = vcago.Settings.Bool("IDJANGO_EXPORT", "n", false)
 }
+
+func InitialTestLogin() {
+	TestLogin = vcago.Settings.Bool("API_TEST_LOGIN", "n", false)
+}

dao/message.go

@@ -17,7 +17,9 @@ func MessageInsert(ctx context.Context, i *models.MessageCreate, token *vcapool.
 	event := new(models.Event)
 	EventCollection.FindOne(ctx, bson.D{{Key: "_id", Value: i.RecipientGroup.EventID}}, event)
 
-	result = i.MessageSub(token).PermittedCreate(token, crew, event)
+	if result, err = models.PermittedMessageCreate(token, i.MessageSub(token), crew, event); err != nil {
+		return
+	}
 	if err = MessageCollection.InsertOne(ctx, result); err != nil {
 		return
 	}

handlers/token/login.go

@@ -24,7 +24,7 @@ var HydraClient = vcago.NewHydraClient()
 func (i *LoginHandler) Routes(group *echo.Group) {
 	group.Use(i.Context)
 	group.POST("/callback", i.Callback)
-	if vcago.Settings.Bool("API_TEST_LOGIN", "n", false) {
+	if dao.TestLogin {
 		group.POST("/testlogin", i.LoginAPI)
 	}
 	group.GET("/refresh", i.Refresh, refreshCookie)

models/message.go

@@ -193,30 +193,24 @@ func (i *RecipientGroup) FilterEvent() bson.D {
 	return filter.Bson()
 }
 
-func (i *Message) PermittedCreate(token *vcapool.AccessToken, crew *Crew, event *Event) *Message {
-	if !(token.Roles.Validate("employee;admin") || token.PoolRoles.Validate("network;operation;education")) {
-		if !(i.RecipientGroup.Type == "event" || token.ID == event.EventASPID) { // USER
-			i.MailboxID = token.MailboxID
-			i.From = token.Email
-		} else { // EVENT ASP
-			i.MailboxID = crew.MailboxID
-			if !(i.From == token.Email || i.From == crew.Email) {
-				i.From = token.Email
-			}
-		}
-	} else if !(token.Roles.Validate("employee;admin")) { // ASP
-		if i.MailboxID == crew.MailboxID {
-			i.RecipientGroup.CrewID = crew.ID
-			if !(i.From == token.Email || i.From == crew.Email) {
-				i.From = token.Email
-			}
+func PermittedMessageCreate(token *vcapool.AccessToken, i *Message, crew *Crew, event *Event) (message *Message, err error) {
+	message = i
+	if !token.Roles.Validate("employee;admin") {
+		if i.RecipientGroup.Type == "event" && token.ID == event.EventASPID {
+			// IF IS EVENT ASP -> Force Mailbox and From to CrewMailbox and CrewEmail
+			message.MailboxID = crew.MailboxID
+			message.From = crew.Email
+		} else if token.PoolRoles.Validate("network;operation;education") {
+			// IF IS CREW ASP -> Force Mailbox and From to CrewMailbox and CrewEmail
+			message.MailboxID = crew.MailboxID
+			message.From = crew.Email
 		} else {
-			i.MailboxID = token.MailboxID
-			i.From = token.Email
+			return nil, vcago.NewBadRequest(MessageCollection, "Not allwed to create a message")
+			// i.MailboxID = token.MailboxID
+			// i.From = token.Email
 		}
 	}
-	// ADMIN
-	return i
+	return
 }
 
 func (i *Message) Inbox() *[]interface{} {

server.go

@@ -2,6 +2,7 @@ package main
 
 import (
 	"pool-backend/dao"
+	"pool-backend/handlers/admin"
 	"pool-backend/handlers/key"
 	"pool-backend/handlers/token"
 
@@ -13,6 +14,7 @@ func main() {
 	dao.InitialDatabase()
 	dao.InitialNats()
 	dao.InitialIDjango()
+	dao.InitialTestLogin()
 	dao.FixDatabase()
 	dao.UpdateDatabase()
 	dao.UpdateTicker()
@@ -56,9 +58,11 @@ func main() {
 
 	key.Import.Routes(api.Group("/import"))
 
-	//admin.Crew.Routes(e.Group("/admin/crews"))
-	//admin.Role.Routes(e.Group("/admin/users/role"))
-	//admin.User.Routes(e.Group("/admin/users"))
+	if dao.TestLogin {
+		admin.Crew.Routes(e.Group("/admin/crews"))
+		admin.Role.Routes(e.Group("/admin/users/role"))
+		admin.User.Routes(e.Group("/admin/users"))
+	}
 	//server
 	e.Run()
 }