Improved permission check #393

2023-10-02 16:08:16 +02:00
parent 76d94c0f60
commit 1125c83d13
3 changed files with 37 additions and 4 deletions
--- a/kdb-bot/src/bot_core/configuration/feature_flags_enum.py
+++ b/kdb-bot/src/bot_core/configuration/feature_flags_enum.py
@@ -24,3 +24,4 @@ class FeatureFlagsEnum(Enum):
    game_server = "GameServer"
    sync_xp = "SyncXp"
    short_role_name = "ShortRoleName"
+    technician_full_access = "TechnicianFullAccess"
--- a/kdb-bot/src/bot_core/configuration/feature_flags_settings.py
+++ b/kdb-bot/src/bot_core/configuration/feature_flags_settings.py
@@ -26,6 +26,7 @@ class FeatureFlagsSettings(ConfigurationModelABC):
        FeatureFlagsEnum.game_server.value: False,  # 25.09.2023 #366
        FeatureFlagsEnum.sync_xp.value: False,  # 25.09.2023 #366
        FeatureFlagsEnum.short_role_name.value: False,  # 28.09.2023 #378
+        FeatureFlagsEnum.technician_full_access.value: False,  # 02.10.2023 #393
    }

    def __init__(self, **kwargs: dict):
--- a/kdb-bot/src/bot_graphql/abc/query_abc.py
+++ b/kdb-bot/src/bot_graphql/abc/query_abc.py
@@ -1,6 +1,7 @@
 from typing import Callable

 from ariadne import ObjectType
+from cpl_core.configuration import ConfigurationABC
 from cpl_core.dependency_injection import ServiceProviderABC
 from cpl_core.type import T
 from cpl_discord.service import DiscordBotServiceABC
@@ -10,6 +11,7 @@ from bot_api.exception.service_error_code_enum import ServiceErrorCode
 from bot_api.exception.service_exception import ServiceException
 from bot_api.route.route import Route
 from bot_core.configuration.feature_flags_enum import FeatureFlagsEnum
+from bot_core.configuration.feature_flags_settings import FeatureFlagsSettings
 from bot_data.model.achievement import Achievement
 from bot_data.model.auth_role_enum import AuthRoleEnum
 from bot_data.model.auth_user import AuthUser
@@ -75,7 +77,12 @@ class QueryABC(ObjectType):
        def get_services(services: ServiceProviderABC) -> ServiceProviderABC:
            return services

+        @ServiceProviderABC.inject
+        def get_config(config: ConfigurationABC) -> ConfigurationABC:
+            return config
+
        services = get_services()
+        config = get_config()
        permissions: PermissionService = services.get_service(PermissionService)
        bot: DiscordBotServiceABC = services.get_service(DiscordBotServiceABC)

@@ -84,6 +91,13 @@ class QueryABC(ObjectType):

        for u in user.users:
            guild = bot.get_guild(u.server.discord_id)
+
+            settings: ServerConfig = config.get_configuration(f"ServerConfig_{guild.id}")
+            if not FeatureFlagsSettings.get_flag_from_dict(
+                settings.feature_flags, FeatureFlagsEnum.technician_full_access
+            ):
+                continue
+
            if permissions.is_member_technician(guild.get_member(u.discord_id)):
                return True

@@ -216,23 +230,40 @@ class QueryABC(ObjectType):

    @ServiceProviderABC.inject
    def _can_user_mutate_data(self, server: Server, permission: UserRoleEnum, services: ServiceProviderABC):
+        @ServiceProviderABC.inject
+        def get_config(config: ConfigurationABC) -> ConfigurationABC:
+            return config
+
+        config = get_config()
        permissions: PermissionService = services.get_service(PermissionService)
        bot: DiscordBotServiceABC = services.get_service(DiscordBotServiceABC)

        auth_user = Route.get_user()
-        if auth_user == "system" or auth_user.auth_role == AuthRoleEnum.admin:
+        if auth_user == "system":
            return

        member = bot.get_guild(server.discord_id).get_member(
            auth_user.users.where(lambda x: x.server.id == server.id).single().discord_id
        )
+        settings: ServerConfig = config.get_configuration(f"ServerConfig_{member.guild.id}")
+        technician_full_access_flag = FeatureFlagsSettings.get_flag_from_dict(
+            settings.feature_flags, FeatureFlagsEnum.technician_full_access
+        )

-        check_perm = lambda x: True
+        check_perm = lambda x: False
        match permission:
            case UserRoleEnum.moderator:
-                check_perm = lambda x: permissions.is_member_moderator(x)
+                check_perm = (
+                    lambda x: technician_full_access_flag
+                    and permissions.is_member_technician(x)
+                    or permissions.is_member_moderator(x)
+                )
            case UserRoleEnum.admin:
-                check_perm = lambda x: permissions.is_member_admin(x)
+                check_perm = (
+                    lambda x: technician_full_access_flag
+                    and permissions.is_member_technician(x)
+                    or permissions.is_member_admin(x)
+                )
            case UserRoleEnum.technician:
                check_perm = lambda x: permissions.is_member_technician(x)