Skip to content

Support User groups in permissions listing #3430

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
wants to merge 1 commit into
base: user-groups/permissions
Choose a base branch
from
Open

Support User groups in permissions listing #3430

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 4 additions & 2 deletions app/Actions/Sharing/Propagate.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,7 +49,7 @@ private function applyUpdate(Album $album): void
// for each descendant, create a new permission if it does not exist.
// or update the existing permission.
$descendants = $album->descendants()->getQuery()->select('id')->pluck('id');
$permissions = $album->access_permissions()->whereNotNull('user_id')->get();
$permissions = $album->access_permissions()->whereNotNull('user_id')->orWhereNotNull('user_group_id')->get();

// This is super inefficient.
// It would be better to do it in a single query...
Expand All @@ -59,6 +59,7 @@ private function applyUpdate(Album $album): void
$perm = AccessPermission::updateOrCreate([
APC::BASE_ALBUM_ID => $descendant,
APC::USER_ID => $permission->user_id,
APC::USER_GROUP_ID => $permission->user_group_id,
], [
APC::GRANTS_FULL_PHOTO_ACCESS => $permission->grants_full_photo_access,
APC::GRANTS_DOWNLOAD => $permission->grants_download,
Expand Down Expand Up @@ -122,7 +123,7 @@ private function applyOverwrite(Album $album): void
->where('_rgt', '<', $album->_rgt)
->pluck('id');

$access_permissions = $album->access_permissions()->whereNotNull('user_id')->get();
$access_permissions = $album->access_permissions()->whereNotNull('user_id')->orWhereNotNull('user_group_id')->get();

$new_perm = $access_permissions->reduce(
fn (?array $acc, AccessPermission $permission) => array_merge(
Expand All @@ -131,6 +132,7 @@ private function applyOverwrite(Album $album): void
fn ($descendant_id) => [
APC::BASE_ALBUM_ID => $descendant_id,
APC::USER_ID => $permission->user_id,
APC::USER_GROUP_ID => $permission->user_group_id,
APC::GRANTS_FULL_PHOTO_ACCESS => $permission->grants_full_photo_access,
APC::GRANTS_DOWNLOAD => $permission->grants_download,
APC::GRANTS_UPLOAD => $permission->grants_upload,
Expand Down
12 changes: 10 additions & 2 deletions app/Actions/Sharing/Share.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -17,14 +17,21 @@ class Share
* Create an access permission from a resource.
*
* @param AccessPermissionResource $access_permission_resource
* @param int|null $user_id
* @param int|null $user_group_id
* @param string $base_album_id
*
* @return AccessPermission
*/
public function do(AccessPermissionResource $access_permission_resource, int $user_id, string $base_album_id): AccessPermission
{
public function do(
AccessPermissionResource $access_permission_resource,
string $base_album_id,
?int $user_id = null,
?int $user_group_id = null,
): AccessPermission {
$perm = new AccessPermission();
$perm->user_id = $user_id;
$perm->user_group_id = $user_group_id;
$perm->base_album_id = $base_album_id;
$perm->grants_full_photo_access = $access_permission_resource->grants_full_photo_access;
$perm->grants_download = $access_permission_resource->grants_download;
Expand All @@ -33,6 +40,7 @@ public function do(AccessPermissionResource $access_permission_resource, int $us
$perm->grants_delete = $access_permission_resource->grants_delete;
$perm->load('user');
$perm->load('album');
$perm->load('user_group');
$perm->save();

return $perm;
Expand Down
17 changes: 17 additions & 0 deletions app/Contracts/Http/Requests/HasUserGroupIds.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,17 @@
<?php

/**
* SPDX-License-Identifier: MIT
* Copyright (c) 2017-2018 Tobias Reich
* Copyright (c) 2018-2025 LycheeOrg.
*/

namespace App\Contracts\Http\Requests;

interface HasUserGroupIds
{
/**
* @return int[]
*/
public function userGroupIds(): array;
}
1 change: 1 addition & 0 deletions app/Contracts/Http/Requests/RequestAttribute.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -14,6 +14,7 @@ class RequestAttribute

public const USER_ID_ATTRIBUTE = 'user_id';
public const USER_IDS_ATTRIBUTE = 'user_ids';
public const USER_GROUP_IDS_ATTRIBUTE = 'group_ids';

public const GROUP_ID = 'group_id';
public const NAME_ATTRIBUTE = 'name';
Expand Down
54 changes: 39 additions & 15 deletions app/Http/Controllers/Gallery/SharingController.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -46,16 +46,35 @@ class SharingController extends Controller
public function create(AddSharingRequest $request, Share $share): array
{
// delete any already created.
AccessPermission::whereIn('user_id', $request->userIds())
->whereIn('base_album_id', $request->albumIds())
AccessPermission::whereIn('base_album_id', $request->albumIds())
->where(fn ($q) => $q->whereIn('user_id', $request->userIds())
->orWhereIn(APC::USER_GROUP_ID, $request->userGroupIds()))
->delete();

$access_permissions = [];

// Not optimal, but this is barely used, so who cares.
// A better approach would be to do a massive insert in a single SQL query from the cross product.
foreach ($request->userIds() as $user_id) {
foreach ($request->albumIds() as $album_id) {
$access_permissions[] = $share->do($request->permResource(), $user_id, $album_id);
foreach ($request->albumIds() as $album_id) {
foreach ($request->userIds() as $user_id) {
// Create a new sharing permission for each user and album combination.
// This is not optimal, but it is simple and works.
// A better approach would be to do a massive insert in a single SQL query from the cross product.
$access_permissions[] = $share->do(
access_permission_resource: $request->permResource(),
user_id: $user_id,
base_album_id: $album_id
);
}
foreach ($request->userGroupIds() as $user_group_id) {
// Create a new sharing permission for each user group and album combination.
// This is not optimal, but it is simple and works.
// A better approach would be to do a massive insert in a single SQL query from the cross product.
$access_permissions[] = $share->do(
access_permission_resource: $request->permResource(),
user_group_id: $user_group_id,
base_album_id: $album_id
);
}
}

Expand Down Expand Up @@ -92,9 +111,10 @@ public function edit(EditSharingRequest $request): AccessPermissionResource
*/
public function list(ListSharingRequest $request): Collection
{
$query = AccessPermission::with(['album', 'user']);
$query = $query->whereNotNull(APC::USER_ID);
$query = AccessPermission::with(['album', 'user', 'user_group']);
$query = $query->where(APC::BASE_ALBUM_ID, '=', $request->album()->id);
$query = $query->where(fn ($q) => $q->whereNotNull(APC::USER_ID)
->orWhereNotNull(APC::USER_GROUP_ID));

return AccessPermissionResource::collect($query->get());
}
Expand All @@ -108,12 +128,14 @@ public function list(ListSharingRequest $request): Collection
*/
public function listAll(ListAllSharingRequest $request): Collection
{
$query = AccessPermission::with(['album', 'user']);
$query = AccessPermission::with(['album', 'user', 'user_group']);
$query = $query->when(
!Auth::user()->may_administrate,
fn ($q) => $q->whereIn('base_album_id', BaseAlbumImpl::select('id')
->where('owner_id', '=', Auth::id())));
$query = $query->whereNotNull('user_id');
->where('owner_id', '=', Auth::id()))
);
$query = $query->whereNotNull(APC::USER_ID);
$query = $query->orWhereNotNull(APC::USER_GROUP_ID);
$query = $query->orderBy('base_album_id', 'asc');

return AccessPermissionResource::collect($query->get());
Expand All @@ -134,10 +156,12 @@ public function listAlbums(ListAllSharingRequest $request, ListAlbums $list_albu
$owner_id = $user->id;
}

return TargetAlbumResource::collect($list_albums->do(
albums_filtering: resolve(Collection::class),
parent_id: null,
owner_id: $owner_id)
return TargetAlbumResource::collect(
$list_albums->do(
albums_filtering: resolve(Collection::class),
parent_id: null,
owner_id: $owner_id
)
);
}

Expand Down Expand Up @@ -173,4 +197,4 @@ public function propagate(PropagateSharingRequest $request, Propagate $propagate
$propagate->update($album);
}
}
}
}
14 changes: 13 additions & 1 deletion app/Http/Requests/Sharing/AddSharingRequest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -16,12 +16,14 @@
use App\Http\Requests\BaseApiRequest;
use App\Http\Requests\Traits\HasAccessPermissionResourceTrait;
use App\Http\Requests\Traits\HasAlbumIdsTrait;
use App\Http\Requests\Traits\HasUserGroupIdsTrait;
use App\Http\Requests\Traits\HasUserIdsTrait;
use App\Http\Resources\Models\AccessPermissionResource;
use App\Policies\AlbumPolicy;
use App\Rules\IntegerIDRule;
use App\Rules\RandomIDRule;
use Illuminate\Support\Facades\Gate;
use Illuminate\Validation\ValidationException;

/**
* Represents a request for setting the shares of specific albums.
Expand All @@ -32,6 +34,7 @@ class AddSharingRequest extends BaseApiRequest implements HasAlbumIds, HasUserId
{
use HasAlbumIdsTrait;
use HasUserIdsTrait;
use HasUserGroupIdsTrait;
use HasAccessPermissionResourceTrait;

/**
Expand All @@ -50,8 +53,10 @@ public function rules(): array
return [
RequestAttribute::ALBUM_IDS_ATTRIBUTE => 'required|array|min:1',
RequestAttribute::ALBUM_IDS_ATTRIBUTE . '.*' => ['required', new RandomIDRule(false)],
RequestAttribute::USER_IDS_ATTRIBUTE => 'required|array|min:1',
RequestAttribute::USER_IDS_ATTRIBUTE => 'present|array',
RequestAttribute::USER_IDS_ATTRIBUTE . '.*' => ['required', new IntegerIDRule(false)],
RequestAttribute::USER_GROUP_IDS_ATTRIBUTE => 'present|array',
RequestAttribute::USER_GROUP_IDS_ATTRIBUTE . '.*' => ['required', new IntegerIDRule(false)],
RequestAttribute::GRANTS_DOWNLOAD_ATTRIBUTE => ['required', 'boolean'],
RequestAttribute::GRANTS_FULL_PHOTO_ACCESS_ATTRIBUTE => ['required', 'boolean'],
RequestAttribute::GRANTS_UPLOAD_ATTRIBUTE => ['required', 'boolean'],
Expand All @@ -67,6 +72,13 @@ protected function processValidatedValues(array $values, array $files): void
{
$this->album_ids = $values[RequestAttribute::ALBUM_IDS_ATTRIBUTE];
$this->user_ids = $values[RequestAttribute::USER_IDS_ATTRIBUTE];
$this->user_group_ids = $values[RequestAttribute::USER_GROUP_IDS_ATTRIBUTE];

if ($this->user_ids === [] && $this->user_group_ids === []) {
// If no users or groups are specified, we do not create a permission.
throw new ValidationException('You must specify at least one user or group to share with.', 422);
}

$this->perm_resource = new AccessPermissionResource(
grants_edit: static::toBoolean($values[RequestAttribute::GRANTS_EDIT_ATTRIBUTE]),
grants_delete: static::toBoolean($values[RequestAttribute::GRANTS_DELETE_ATTRIBUTE]),
Expand Down
2 changes: 1 addition & 1 deletion app/Http/Requests/Sharing/EditSharingRequest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -64,7 +64,7 @@ protected function processValidatedValues(array $values, array $files): void
{
/** @var int $id */
$id = $values[RequestAttribute::PERMISSION_ID];
$this->perm = AccessPermission::with(['album', 'user'])->findOrFail($id);
$this->perm = AccessPermission::with(['album', 'user', 'user_group'])->findOrFail($id);

$this->perm_resource = new AccessPermissionResource(
grants_edit: static::toBoolean($values[RequestAttribute::GRANTS_EDIT_ATTRIBUTE]),
Expand Down
25 changes: 25 additions & 0 deletions app/Http/Requests/Traits/HasUserGroupIdsTrait.php
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,25 @@
<?php

/**
* SPDX-License-Identifier: MIT
* Copyright (c) 2017-2018 Tobias Reich
* Copyright (c) 2018-2025 LycheeOrg.
*/

namespace App\Http\Requests\Traits;

trait HasUserGroupIdsTrait
{
/**
* @var array<int,int>
*/
protected array $user_group_ids = [];

/**
* @return array<int,int>
*/
public function userGroupIds(): array
{
return $this->user_group_ids;
}
}
8 changes: 6 additions & 2 deletions app/Http/Resources/Models/AccessPermissionResource.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,9 @@ class AccessPermissionResource extends Data
public function __construct(
public ?int $id = null,
public ?int $user_id = null,
public ?int $user_group_id = null,
public ?string $username = null,
public ?string $user_group_name = null,
public ?string $album_title = null,
public ?string $album_id = null,
public bool $grants_full_photo_access = false,
Expand All @@ -33,8 +35,10 @@ public static function fromModel(AccessPermission $access_permission): AccessPer
{
return new AccessPermissionResource(
id: $access_permission->id,
user_id: $access_permission->user_id,
username: $access_permission->user->name,
user_id: $access_permission->user?->id,
username: $access_permission->user?->name,
user_group_id: $access_permission->user_group?->id,
user_group_name: $access_permission->user_group?->name,
album_title: $access_permission->album->title,
album_id: $access_permission->base_album_id,
grants_full_photo_access: $access_permission->grants_full_photo_access,
Expand Down
2 changes: 2 additions & 0 deletions app/Models/AccessPermission.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -73,6 +73,7 @@ class AccessPermission extends Model
'created_at' => 'datetime',
'updated_at' => 'datetime',
APC::USER_ID => 'integer',
APC::USER_GROUP_ID => 'integer',
APC::IS_LINK_REQUIRED => 'boolean',
APC::GRANTS_FULL_PHOTO_ACCESS => 'boolean',
APC::GRANTS_DOWNLOAD => 'boolean',
Expand All @@ -86,6 +87,7 @@ class AccessPermission extends Model
*/
protected $fillable = [
APC::USER_ID,
APC::USER_GROUP_ID,
APC::BASE_ALBUM_ID,
APC::IS_LINK_REQUIRED,
APC::GRANTS_FULL_PHOTO_ACCESS,
Expand Down
8 changes: 8 additions & 0 deletions app/Models/User.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -120,6 +120,14 @@ class User extends Authenticatable implements WebAuthnAuthenticatable

protected $hidden = [];

/**
* We always want to load the user groups when loading a user.
* So that we can use the groups to determine the permissions without having to do intersection in the db.
*
* Furthermore, that way it is also provided when using Auth::user()
*
* @var list<string>
*/
protected $with = [
'user_groups',
];
Expand Down
2 changes: 2 additions & 0 deletions resources/js/lychee.d.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -334,7 +334,9 @@ declare namespace App.Http.Resources.Models {
export type AccessPermissionResource = {
id: number | null;
user_id: number | null;
user_group_id: number | null;
username: string | null;
user_group_name: string | null;
album_title: string | null;
album_id: string | null;
grants_full_photo_access: boolean;
Expand Down
13 changes: 8 additions & 5 deletions tests/Feature_v2/Album/SharingTest.php
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,7 @@ public function testUserGet(): void

$response = $this->actingAs($this->userMayUpload2)->postJson('Sharing', [
'user_ids' => [$this->userMayUpload1->id],
'group_ids' => [],
'album_ids' => [$this->album2->id],
'grants_edit' => true,
'grants_delete' => true,
Expand Down Expand Up @@ -141,8 +142,8 @@ public function testUpdate(): void
'shall_override' => false,
]);
$this->assertNoContent($response);
self::assertEquals(1, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->first();
self::assertEquals(2, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->whereNull(APC::USER_GROUP_ID)->first();

// Update the permission with false
$response = $this->actingAs($this->userMayUpload1)->patchJson('Sharing', [
Expand All @@ -156,7 +157,7 @@ public function testUpdate(): void
$this->assertOk($response);

// Verify the permission
$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->first();
$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->whereNull(APC::USER_GROUP_ID)->first();
self::assertFalse($perm->grants_edit);
self::assertFalse($perm->grants_delete);
self::assertFalse($perm->grants_download);
Expand All @@ -170,10 +171,10 @@ public function testUpdate(): void
]);
$this->assertNoContent($response);
// Verify the count is still 1.
self::assertEquals(1, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());
self::assertEquals(2, AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->count());

// Verify the permission
$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->first();
$perm = AccessPermission::where(APC::BASE_ALBUM_ID, '=', $this->subAlbum1->id)->whereNull(APC::USER_GROUP_ID)->first();
self::assertTrue($perm->grants_edit);
self::assertTrue($perm->grants_delete);
self::assertTrue($perm->grants_download);
Expand All @@ -186,6 +187,7 @@ public function testOverride(): void
// Set up the permission in subSlbum
$response = $this->actingAs($this->userMayUpload1)->postJson('Sharing', [
'user_ids' => [$this->userLocked->id],
'group_ids' => [],
'album_ids' => [$this->subAlbum1->id],
'grants_edit' => true,
'grants_delete' => true,
Expand All @@ -198,6 +200,7 @@ public function testOverride(): void

$response = $this->actingAs($this->userMayUpload1)->postJson('Sharing', [
'user_ids' => [$this->userNoUpload->id],
'group_ids' => [],
'album_ids' => [$this->album1->id],
'grants_edit' => true,
'grants_delete' => true,
Expand Down