Authz

nicolashery · nicolashery · commit 364410acef14 · 2025-06-03T11:18:39.000-04:00
diff --git a/app/access/access.go b/app/access/access.go
@@ -56,9 +56,9 @@ func IsValidAccessToken(token string) bool {
 type Role string
 
 const (
-	Role_Admin = "admin"
-	Role_Edit  = "edit"
-	Role_View  = "view"
+	Role_Admin Role = "admin"
+	Role_Edit  Role = "edit"
+	Role_View  Role = "view"
 )
 
 func GetTokenRole(space *db.Space, token string) (Role, bool) {
diff --git a/app/access/authz.go b/app/access/authz.go
@@ -0,0 +1,49 @@
+package access
+
+type Action string
+
+const (
+	Action_UpdateSpace  Action = "update_space"
+	Action_DeleteSpace  Action = "delete_space"
+	Action_ViewTokens   Action = "view_tokens"
+	Action_UpdateTokens Action = "updated_tokens"
+	Action_CreateMember Action = "create_member"
+	Action_UpdateMember Action = "update_member"
+	Action_DeleteMember Action = "delete_member"
+	Action_CreateNote   Action = "create_note"
+	Action_UpdateNote   Action = "update_note"
+	Action_DeleteNote   Action = "delete_note"
+)
+
+var rolePermissions = map[Role]map[Action]bool{
+	Role_Admin: {
+		Action_UpdateSpace:  true,
+		Action_DeleteSpace:  true,
+		Action_ViewTokens:   true,
+		Action_UpdateTokens: true,
+		Action_CreateMember: true,
+		Action_UpdateMember: true,
+		Action_DeleteMember: true,
+		Action_CreateNote:   true,
+		Action_UpdateNote:   true,
+		Action_DeleteNote:   true,
+	},
+	Role_Edit: {
+		Action_CreateNote:   true,
+		Action_UpdateNote:   true,
+		Action_DeleteNote:   true,
+		Action_UpdateMember: true,
+	},
+	Role_View: {
+		// This role can only view resources
+	},
+}
+
+func (a *Access) Can(action Action) bool {
+	permissions, exists := rolePermissions[a.Role]
+	if !exists {
+		return false
+	}
+
+	return permissions[action]
+}
diff --git a/app/handlers/middlewares.go b/app/handlers/middlewares.go
@@ -0,0 +1,22 @@
+package handlers
+
+import (
+	"github.com/nicolashery/simply-shared-notes/app/access"
+	"github.com/nicolashery/simply-shared-notes/app/rctx"
+	"net/http"
+)
+
+func Authorize(action access.Action) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			access := rctx.GetAccess(r.Context())
+
+			if !access.Can(action) {
+				http.Error(w, "insufficient permissions", http.StatusForbidden)
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
diff --git a/app/handlers/routes.go b/app/handlers/routes.go
@@ -2,13 +2,13 @@ package handlers
 
 import (
 	"database/sql"
-	"log/slog"
-
 	"github.com/go-chi/chi/v5"
 	"github.com/gorilla/sessions"
+	"github.com/nicolashery/simply-shared-notes/app/access"
 	"github.com/nicolashery/simply-shared-notes/app/config"
 	"github.com/nicolashery/simply-shared-notes/app/db"
 	"github.com/nicolashery/simply-shared-notes/app/rctx"
+	"log/slog"
 )
 
 func RegisterRoutes(r chi.Router, cfg *config.Config, logger *slog.Logger, sqlDB *sql.DB, queries *db.Queries, sessionStore *sessions.CookieStore) {
@@ -32,15 +32,19 @@ func RegisterRoutes(r chi.Router, cfg *config.Config, logger *slog.Logger, sqlDB
 			r.Use(rctx.FlashCtxMiddleware(logger, sessionStore))
 
 			r.Get("/", handleSpacesShow(logger))
-			r.Get("/settings", handleSpacesEdit(logger))
-			r.Post("/settings", handleSpacesUpdate(logger, queries, sessionStore))
+			r.With(Authorize(access.Action_UpdateSpace)).Group(func(r chi.Router) {
+				r.Get("/settings", handleSpacesEdit(logger))
+				r.Post("/settings", handleSpacesUpdate(logger, queries, sessionStore))
+			})
 
-			r.Get("/share", handleTokensShow(logger))
+			r.With(Authorize(access.Action_ViewTokens)).
+				Get("/share", handleTokensShow(logger))
 
 			r.Get("/notes", handleNotesList(logger))
 
 			r.Get("/members", handleMembersList(logger))
-			r.Get("/members/{memberId}/edit", handleMembersEdit(logger))
+			r.With(Authorize(access.Action_UpdateMember)).
+				Get("/members/{memberId}/edit", handleMembersEdit(logger))
 
 			r.Get("/activity", handleActivityList(logger))
 		})
diff --git a/app/views/layouts/space.layout.templ b/app/views/layouts/space.layout.templ
@@ -3,7 +3,7 @@ package layouts
 import (
 	"fmt"
 	"github.com/go-chi/chi/v5"
-	"github.com/nicolashery/simply-shared-notes/app/access"
+	acc "github.com/nicolashery/simply-shared-notes/app/access"
 	"github.com/nicolashery/simply-shared-notes/app/db"
 	"github.com/nicolashery/simply-shared-notes/app/identity"
 	"github.com/nicolashery/simply-shared-notes/app/rctx"
@@ -30,7 +30,7 @@ templ Space() {
 	}
 }
 
-templ navBar(route string, space *db.Space, access *access.Access, identity *identity.Identity) {
+templ navBar(route string, space *db.Space, access *acc.Access, identity *identity.Identity) {
 	<div class="navbar bg-base-100 px-4 border-b-2 border-base-300 mb-6">
 		<div class="navbar-start">
 			<div>
@@ -48,7 +48,7 @@ templ navBar(route string, space *db.Space, access *access.Access, identity *ide
 	</div>
 }
 
-templ navMenu(route string, space *db.Space, access *access.Access) {
+templ navMenu(route string, space *db.Space, access *acc.Access) {
 	<div class="drawer">
 		<input id="nav-drawer" type="checkbox" class="drawer-toggle"/>
 		<div class="drawer-content">
@@ -159,7 +159,7 @@ templ navMenu(route string, space *db.Space, access *access.Access) {
 						Activity
 					</a>
 				</li>
-				if access.IsAdmin() {
+				if access.Can(acc.Action_ViewTokens) {
 					<li>
 						<a
 							href={ templ.URL(fmt.Sprintf("/s/%s/share", access.Token)) }
@@ -182,6 +182,8 @@ templ navMenu(route string, space *db.Space, access *access.Access) {
 							Share
 						</a>
 					</li>
+				}
+				if access.Can(acc.Action_UpdateSpace) {
 					<li>
 						<a
 							href={ templ.URL(fmt.Sprintf("/s/%s/settings", access.Token)) }
@@ -211,7 +213,7 @@ templ navMenu(route string, space *db.Space, access *access.Access) {
 	</div>
 }
 
-templ userMenu(access *access.Access, identity *identity.Identity) {
+templ userMenu(access *acc.Access, identity *identity.Identity) {
 	<div class="drawer drawer-end">
 		<input id="user-drawer" type="checkbox" class="drawer-toggle"/>
 		<div class="drawer-content">
@@ -240,7 +242,7 @@ templ userMenu(access *access.Access, identity *identity.Identity) {
 						<div>{ helpers.IdentityName(identity) }</div>
 						<div class="text-xs font-normal">{ helpers.RoleLabel(access) }</div>
 					</li>
-					if !access.IsView() {
+					if access.Can(acc.Action_UpdateMember) {
 						<li>
 							<a
 								href={ templ.URL(fmt.Sprintf("/s/%s/members/%s/edit", access.Token, identity.Member.PublicID)) }
diff --git a/app/views/layouts/space.layout_templ.go b/app/views/layouts/space.layout_templ.go
