File: privileges.ml

(* Copyright (c) 2006-2008 Janne Hellsten <jjhellst@gmail.com> *)

(* 
 * This program is free software: you can redistribute it and/or
 * modify it under the terms of the GNU General Public License as
 * published by the Free Software Foundation, either version 2 of the
 * License, or (at your option) any later version.
 * 
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU
 * General Public License for more details.  You should have received
 * a copy of the GNU General Public License along with this program.
 * If not, see <http://www.gnu.org/licenses/>. 
 *)

(* Logic to handle user privileges.  Instead of cluttering HTML
   generation and other logic with privilege handling, abstract it behind
   a tight interface.  This interface also allows for a later addition of
   a more fine-grained access control. *)

open Types

(** [with_can_create_user cur_user f ~on_fail] runs [f ()] when
    [cur_user] is allowed to create new users; otherwise it calls
    [on_fail msg] with a human-readable refusal message.

    The only check made is that [cur_user.user_login] equals the
    literal ["admin"]; no role or flag is consulted here.
    NOTE(review): this is sound only if no other account can ever hold
    the login "admin" -- confirm that account creation and rename paths
    reserve that name.

    [msg] embeds the login verbatim.  Presumably callers that render it
    into HTML escape it -- verify at the call sites. *)
let with_can_create_user cur_user f ~on_fail =
  match cur_user.user_login with
  | "admin" -> f ()
  | login ->
      on_fail ("User '"^login^"' is not permitted to create new users")

(** [can_view_users cur_user] is [true] exactly when
    [cur_user.user_login] is the literal ["admin"].  The decision is
    keyed on the login name, not on [user_id] or a role. *)
let can_view_users cur_user =
  match cur_user.user_login with
  | "admin" -> true
  | _ -> false

(** [with_can_view_users cur_user f ~on_fail] runs [f ()] when
    [can_view_users cur_user] holds, i.e. the user may list all users.
    Otherwise it calls [on_fail msg] with a refusal message; nothing is
    returned directly by this function in the failure case.

    [msg] embeds [cur_user.user_login] verbatim.  Presumably the caller
    escapes it before display -- verify at the call sites. *)
let with_can_view_users cur_user f ~on_fail =
  match can_view_users cur_user with
  | true -> f ()
  | false ->
      let login = cur_user.user_login in
      on_fail ("User '"^login^"' is not permitted to view other users")

(** [with_can_edit_user cur_user target f ~on_fail] runs [f ()] when
    [cur_user] may edit the account [target], and otherwise calls
    [on_fail msg] with a refusal message.

    Editing is allowed for the login ["admin"] and for a user editing
    their own account.  "Own account" is decided by comparing
    [user_login] strings, whereas task ownership in this file compares
    [user_id].  NOTE(review): this relies on logins being unique and
    compared exactly -- confirm against the user table constraints. *)
let with_can_edit_user cur_user target f ~on_fail =
  let login = cur_user.user_login in
  let is_admin = login = "admin" in
  let is_self = login = target.user_login in
  if not (is_admin || is_self) then
    on_fail ("User '"^login^"' is not permitted to edit users other than self")
  else
    f ()

(** [can_schedule_all_tasks cur_user] tells whether [cur_user] may
    schedule tasks for all users.  It is [true] only when
    [cur_user.user_login] is the literal ["admin"]. *)
let can_schedule_all_tasks cur_user =
  let login = cur_user.user_login in
  login = "admin"

(** [user_owns_task_or_is_admin todo cur_user] is [true] when
    [cur_user.user_login] is ["admin"], or when [todo] has an owner
    whose [owner_id] equals [cur_user.user_id].

    A task with no owner ([t_owner = None]) is denied to every
    non-admin user, so the default for unowned tasks is "no access". *)
let user_owns_task_or_is_admin todo cur_user =
  cur_user.user_login = "admin"
  || (match todo.t_owner with
      | None -> false
      | Some owner -> owner.owner_id = cur_user.user_id)
        
(** [can_edit_task todo cur_user] tells whether [cur_user] may edit
    [todo].  The rule is exactly [user_owns_task_or_is_admin]: the task
    owner or the ["admin"] login. *)
let can_edit_task todo cur_user =
  let permitted = user_owns_task_or_is_admin todo cur_user in
  permitted

(** [can_complete_task task_id cur_user] looks the task up with
    [Database.query_todo] and resolves to [true] only when the task
    exists and [user_owns_task_or_is_admin] accepts [cur_user] for it.
    An unknown [task_id] resolves to [false], so a missing task is
    denied rather than allowed.

    NOTE(review): the check reads the task in its own query; whether
    the caller then acts on the same task state is not visible here --
    confirm at the call sites. *)
let can_complete_task task_id cur_user =
  lwt found = Database.query_todo task_id in
  let allowed =
    match found with
    | None -> false
    | Some task -> user_owns_task_or_is_admin task cur_user
  in
  Lwt.return allowed

(** [can_modify_task_priority task_id cur_user] resolves to [true] only
    when the task named by [task_id] exists and
    [user_owns_task_or_is_admin] accepts [cur_user] for it.  A
    [task_id] that [Database.query_todo] cannot find resolves to
    [false].

    The rule is currently the same as [can_complete_task]; the two are
    kept as separate entry points. *)
let can_modify_task_priority task_id cur_user =
  lwt found = Database.query_todo task_id in
  let allowed =
    match found with
    | None -> false
    | Some task -> user_owns_task_or_is_admin task cur_user
  in
  Lwt.return allowed