Merge pull request #238 from MerginMaps/develop

2024.4.0

Author: MarcelGeo

.gitignore

@@ -21,3 +21,6 @@ gen
 # pyenv
 .python-version
 web-app/.node-version
+
+# datadir for database
+mergin-db-ce

server/mergin/app.py

@@ -143,6 +143,7 @@ def create_app(public_keys: List[str] = None) -> Flask:
     from .sync.config import Configuration as SyncConfig
     from .sync.commands import add_commands
     from .auth import register as register_auth
+    from .sync.project_handler import ProjectHandler
 
     app = create_simple_app().connexion_app
 
@@ -397,6 +398,7 @@ def log_bad_request(response):
 
     # we need to register default handler to be accessible within app
     application.ws_handler = GlobalWorkspaceHandler()
+    application.project_handler = ProjectHandler()
 
     # append config route with settings from app.config needed by clients
     if public_keys:

server/mergin/auth/api.yaml

@@ -525,13 +525,7 @@ paths:
                     type: object
                     nullable: true
                     additionalProperties:
-                      type: string
-                      enum:
-                        - owner
-                        - admin
-                        - writer
-                        - reader
-                        - guest
+                      $ref: "#/components/schemas/WorkspaceRole"
                     example: { myWorkspace: owner }
         "400":
           $ref: "#/components/responses/BadStatusResp"
@@ -805,8 +799,7 @@ components:
                 type: string
                 example: my-workspace
               role:
-                type: string
-                example: reader
+                $ref: "#/components/schemas/WorkspaceRole"
         preferred_workspace:
           type: integer
           nullable: true
@@ -824,8 +817,7 @@ components:
                 type: string
                 example: my-workspace
               role:
-                type: string
-                example: reader
+                $ref: "#/components/schemas/WorkspaceRole"
     LoginResponse:
       allOf:
         - $ref: "#/components/schemas/UserDetail"
@@ -838,3 +830,13 @@ components:
               type: string
               format: date-time
               example: 2019-05-04T14:21:56.695035Z
+    WorkspaceRole:
+      type: string
+      enum:
+        - owner
+        - admin
+        - writer
+        - editor
+        - reader
+        - guest
+      example: reader

server/mergin/auth/app.py

@@ -7,6 +7,7 @@
 from flask import current_app, render_template
 from flask_login import current_user
 from itsdangerous import URLSafeTimedSerializer
+from sqlalchemy import func
 
 from .commands import add_commands
 from .config import Configuration
@@ -72,10 +73,10 @@ def wrapped_func(*args, **kwargs):
 
 def authenticate(login, password):
     if "@" in login:
-        query = {"email": login}
+        query = func.lower(User.email) == func.lower(login)
     else:
-        query = {"username": login}
-    user = User.query.filter_by(**query).one_or_none()
+        query = func.lower(User.username) == func.lower(login)
+    user = User.query.filter(query).one_or_none()
     if user and user.check_password(password):
         return user
 

server/mergin/auth/commands.py

@@ -4,7 +4,7 @@
 
 import click
 from flask import Flask
-from sqlalchemy import or_
+from sqlalchemy import or_, func
 
 from .. import db
 from .models import User, UserProfile
@@ -24,7 +24,10 @@ def user():
     def create(username, password, is_admin, email):  # pylint: disable=W0612
         """Create user account"""
         user = User.query.filter(
-            or_(User.username == username, User.email == email)
+            or_(
+                func.lower(User.username) == func.lower(username),
+                func.lower(User.email) == func.lower(email),
+            )
         ).first()
         if user:
             print("ERROR: User already exists!\n")

server/mergin/auth/models.py

@@ -7,7 +7,7 @@
 from typing import List, Optional
 import bcrypt
 from flask import current_app, request
-from sqlalchemy import or_
+from sqlalchemy import or_, func
 
 from .. import db
 from ..sync.utils import get_user_agent, get_ip, get_device_id
@@ -16,8 +16,8 @@
 class User(db.Model):
     id = db.Column(db.Integer, primary_key=True)
 
-    username = db.Column(db.String(80), unique=True, info={"label": "Username"})
-    email = db.Column(db.String(120), unique=True)
+    username = db.Column(db.String(80), info={"label": "Username"})
+    email = db.Column(db.String(120))
 
     passwd = db.Column(db.String(80), info={"label": "Password"})  # salted + hashed
 
@@ -32,6 +32,11 @@ class User(db.Model):
         default=datetime.datetime.utcnow,
     )
 
+    __table_args__ = (
+        db.Index("ix_user_username", func.lower(username), unique=True),
+        db.Index("ix_user_email", func.lower(email), unique=True),
+    )
+
     def __init__(self, username, email, passwd, is_admin=False):
         self.username = username
         self.email = email
@@ -150,6 +155,7 @@ def inactivate(self) -> None:
             or_(
                 Project.access.has(ProjectAccess.owners.contains([self.id])),
                 Project.access.has(ProjectAccess.writers.contains([self.id])),
+                Project.access.has(ProjectAccess.editors.contains([self.id])),
                 Project.access.has(ProjectAccess.readers.contains([self.id])),
             )
         ).all()

server/mergin/sync/forms.py

@@ -19,5 +19,10 @@ class AccessPermissionForm(FlaskForm):
     permissions = SelectField(
         "permissions",
         [DataRequired()],
-        choices=[("read", "read"), ("write", "write"), ("owner", "owner")],
+        choices=[
+            ("read", "read"),
+            ("edit", "edit"),
+            ("write", "write"),
+            ("owner", "owner"),
+        ],
     )

server/mergin/sync/interfaces.py

@@ -50,9 +50,10 @@ def disk_usage(self):
         pass
 
     def user_has_permissions(self, user, permissions):
-        """Check whether User obj has read/write/admin permissions to workspace
+        """Check whether User obj has read/write/admin permissions to workspace or project
         Current rules are:
         - read: user can list and download all projects within workspace
+        - edit: user can add/update features on a map, can't remove any files, change any layers (schema) nor update *.qgz or *.qgs files
         - write: user can push to any projects within workspace
         - admin: user can create new projects, delete projects within workspace
         and modify read/write permissions for other users
@@ -152,3 +153,12 @@ def workspace_count():
         Return number of workspaces
         """
         pass
+
+
+class AbstractProjectHandler(ABC):
+    @abstractmethod
+    def get_push_permission(self, changes: dict):
+        """
+        Return project permission for user to push data to project
+        """
+        pass

server/mergin/sync/models.py

@@ -8,6 +8,7 @@
 from datetime import datetime, timedelta
 from enum import Enum
 from typing import Optional, List, Dict, Set
+from dataclasses import dataclass, asdict
 
 from blinker import signal
 from flask_login import current_user
@@ -324,7 +325,9 @@ def delete(self, removed_by: int = None):
         db.session.execute(
             upload_table.delete().where(upload_table.c.project_id == self.id)
         )
-        self.access.owners = self.access.writers = self.access.readers = []
+        self.access.owners = self.access.writers = self.access.editors = (
+            self.access.readers
+        ) = []
         access_requests = (
             AccessRequest.query.filter_by(project_id=self.id)
             .filter(AccessRequest.status.is_(None))
@@ -339,6 +342,7 @@ def delete(self, removed_by: int = None):
 class ProjectRole(Enum):
     OWNER = "owner"
     WRITER = "writer"
+    EDITOR = "editor"
     READER = "reader"
 
     def __gt__(self, other):
@@ -354,6 +358,17 @@ def __gt__(self, other):
             return False
 
 
+@dataclass
+class ProjectAccessDetail:
+    id: int or str
+    email: str
+    role: str
+    username: str
+    name: Optional[str]
+    project_permission: str
+    type: str
+
+
 class ProjectAccess(db.Model):
     project_id = db.Column(
         UUID(as_uuid=True),
@@ -365,6 +380,7 @@ class ProjectAccess(db.Model):
     owners = db.Column(ARRAY(db.Integer), server_default="{}")
     readers = db.Column(ARRAY(db.Integer), server_default="{}")
     writers = db.Column(ARRAY(db.Integer), server_default="{}")
+    editors = db.Column(ARRAY(db.Integer), server_default="{}")
 
     project = db.relationship(
         "Project",
@@ -382,13 +398,15 @@ class ProjectAccess(db.Model):
         db.Index("ix_project_access_owners", owners, postgresql_using="gin"),
         db.Index("ix_project_access_readers", readers, postgresql_using="gin"),
         db.Index("ix_project_access_writers", writers, postgresql_using="gin"),
+        db.Index("ix_project_access_editors", editors, postgresql_using="gin"),
     )
 
     def __init__(self, project, public=False):
         self.project = project
         self.owners = [project.creator.id]
         self.writers = [project.creator.id]
         self.readers = [project.creator.id]
+        self.editors = [project.creator.id]
         self.project_id = project.id
         self.public = public
 
@@ -398,6 +416,8 @@ def get_role(self, user_id: int) -> Optional[ProjectRole]:
             return ProjectRole.OWNER
         elif user_id in self.writers:
             return ProjectRole.WRITER
+        elif user_id in self.editors:
+            return ProjectRole.EDITOR
         elif user_id in self.readers:
             return ProjectRole.READER
         else:
@@ -409,8 +429,9 @@ def _permission_attrs(role: ProjectRole) -> List[str]:
         # because roles do not inherit, they must be un/set explicitly in db ACLs
         perm_list = {
             ProjectRole.READER: ["readers"],
-            ProjectRole.WRITER: ["writers", "readers"],
-            ProjectRole.OWNER: ["owners", "writers", "readers"],
+            ProjectRole.EDITOR: ["editors", "readers"],
+            ProjectRole.WRITER: ["writers", "editors", "readers"],
+            ProjectRole.OWNER: ["owners", "writers", "editors", "readers"],
         }
         return perm_list[role]
 
@@ -440,7 +461,7 @@ def unset_role(self, user_id: int) -> None:
     def bulk_update(self, new_access: Dict) -> Set[int]:
         """From new access lists do bulk update and return ids with any change applied"""
         diff = set()
-        for key in ("owners", "writers", "readers"):
+        for key in ("owners", "writers", "editors", "readers"):
             new_value = new_access.get(key, None)
             if not new_value:
                 continue
@@ -450,7 +471,8 @@ def bulk_update(self, new_access: Dict) -> Set[int]:
 
         # make sure lists are consistent (they inherit from each other)
         self.writers = list(set(self.writers).union(set(self.owners)))
-        self.readers = list(set(self.readers).union(set(self.writers)))
+        self.editors = list(set(self.editors).union(set(self.writers)))
+        self.readers = list(set(self.readers).union(set(self.editors)))
         return diff
 
 
@@ -638,18 +660,16 @@ def expire(self):
     def accept(self, permissions):
         """Accept project access request"""
         project_access = self.project.access
-        readers = project_access.readers.copy()
-        writers = project_access.writers.copy()
-        owners = project_access.owners.copy()
-        readers.append(self.requested_by)
-        project_access.readers = readers
-        if permissions == "write" or permissions == "owner":
-            writers.append(self.requested_by)
-            project_access.writers = writers
-        if permissions == "owner":
-            owners.append(self.requested_by)
-            project_access.owners = owners
+        PERMISSION_PROJECT_ROLE = {
+            "read": ProjectRole.READER,
+            "edit": ProjectRole.EDITOR,
+            "write": ProjectRole.WRITER,
+            "owner": ProjectRole.OWNER,
+        }
 
+        project_access.set_role(
+            self.requested_by, PERMISSION_PROJECT_ROLE.get(permissions)
+        )
         self.resolve(RequestStatus.ACCEPTED, current_user.id)
         db.session.commit()