Merge pull request #222 from assemblee-virtuelle/PermissionsManagement

[Minor] Resources permissions management

README.md

@@ -60,6 +60,7 @@ If you need to customize your Archipelago, you can follow the docs below:
 
 - [Configuration file](./docs/configuration.md)
 - [Layout configuration](./docs/layouts.md)
+- [Resources permissions](./docs/permissions.md)
 
 ## Linking to SemApps packages
 

docs/permssions.md

@@ -0,0 +1,19 @@
+# Resources permissions
+
+New resources created have permissions by default for anonymous users, auuthenticated users, and resource creator.
+
+Default permissions are summarized in the following table:
+
+| Users               | Read permission | Write permission | Control permission
+|---------------------|-----------------|------------------|-------------------
+| Anonymous users     | true            | false            | false
+| Authenticated users | true            | false            | false
+| Resource creator    | true            | true             | true
+
+If you want to change these permissions, you can define the following environment variables for the middleware:
+
+- `SEMAPPS_RESOURCESPERMISSIONS_ANON_READ`: false/true for anonymous users read permissions
+- `SEMAPPS_RESOURCESPERMISSIONS_ANYUSER_READ`: false/true for authenticated users read permissions
+- `SEMAPPS_RESOURCESPERMISSIONS_ANYUSER_WRITE`: false/true for authenticated users write permissions
+
+Resource creator permissions cannot be modified, as well as control permissions.

middleware/.env

@@ -37,3 +37,8 @@ SEMAPPS_AUTH_ACCOUNTS_DATASET_NAME=settings
 
 # SuperAdmins (separated by ,)
 SEMAPPS_SUPER_ADMINS=
+
+# Default permissions for new created resources
+SEMAPPS_RESOURCESPERMISSIONS_ANON_READ=
+SEMAPPS_RESOURCESPERMISSIONS_ANYUSER_READ=
+SEMAPPS_RESOURCESPERMISSIONS_ANYUSER_WRITE=

middleware/config/containers.js

@@ -1,4 +1,4 @@
-const CONFIG = require('./config');
+const { getDefaultRights } = require('./defaultRights');
 
 module.exports = [
   {
@@ -7,26 +7,31 @@ module.exports = [
   {
     path: '/membership-associations',
     acceptedTypes: ['pair:MembershipAssociation'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/groups',
     preferredView: '/Group',
     acceptedTypes: ['pair:Group', 'og:Circle'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/projects',
     preferredView: '/Project',
     acceptedTypes: ['pair:Project', 'og:Circle'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/events',
     preferredView: '/Event',
     acceptedTypes: ['pair:Event'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/tasks',
     preferredView: '/Task',
-    acceptedTypes: ['pair:Task']
+    acceptedTypes: ['pair:Task'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/bots',
@@ -36,27 +41,32 @@ module.exports = [
   {
     path: '/ideas',
     preferredView: '/Idea',
-    acceptedTypes: ['pair:Idea']
+    acceptedTypes: ['pair:Idea'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/themes',
     preferredView: '/Theme',
-    acceptedTypes: ['pair:Theme']
+    acceptedTypes: ['pair:Theme'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/skills',
     preferredView: '/Skill',
-    acceptedTypes: ['pair:Skill']
+    acceptedTypes: ['pair:Skill'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/membership-roles',
     preferredView: '/MembershipRole',
-    acceptedTypes: ['pair:MembershipRole']
+    acceptedTypes: ['pair:MembershipRole'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/documents',
     preferredView: '/Document',
-    acceptedTypes: ['pair:Document']
+    acceptedTypes: ['pair:Document'],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/status',
@@ -70,7 +80,8 @@ module.exports = [
       'pair:IdeaStatus',
       'pair:ProjectStatus',
       'pair:TaskStatus'
-    ]
+    ],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/types',
@@ -92,11 +103,13 @@ module.exports = [
       'pair:ResourceType',
       'pair:SubjectType',
       'pair:TaskType'
-    ]
+    ],
+    newResourcesPermissions: getDefaultRights
   },
   {
     path: '/pages',
     preferredView: '/Page',
-    acceptedTypes: ['semapps:Page']
+    acceptedTypes: ['semapps:Page'],
+    newResourcesPermissions: getDefaultRights
   }
 ];

middleware/config/defaultRights.js

@@ -0,0 +1,23 @@
+require('dotenv-flow').config();
+
+const getDefaultRights = (creatorUri) => {
+  return {
+    anon : {
+      read: !(process.env.SEMAPPS_RESOURCESPERMISSIONS_ANON_READ === 'false'),
+    },
+    anyUser: {
+      read: !(process.env.SEMAPPS_RESOURCESPERMISSIONS_ANYUSER_READ === 'false'),
+      write: process.env.SEMAPPS_RESOURCESPERMISSIONS_ANYUSER_WRITE === 'true',
+    },
+    user: {
+      uri: creatorUri,
+      read: true,
+      write: true,
+      control : true
+    }
+  }
+};
+
+module.exports = {
+  getDefaultRights,
+};

middleware/services/file.service.js

@@ -1,4 +1,5 @@
 const { ControlledContainerMixin, ImageProcessorMixin } = require("@semapps/ldp");
+const { getDefaultRights } = require('../config/defaultRights');
 
 module.exports = {
   name: 'file',
@@ -9,6 +10,7 @@ module.exports = {
     imageProcessor: {
       maxWidth: 1000,
       maxHeight: 1000
-    }
+    },
+    newResourcesPermissions: getDefaultRights,
   }
-}
+}

middleware/services/organizations.service.js

@@ -1,5 +1,6 @@
 const CONFIG = require('../config/config');
 const { ControlledContainerMixin, DisassemblyMixin } = require('@semapps/ldp');
+const { getDefaultRights } = require('../config/defaultRights');
 
 module.exports = {
   dependencies: ['ldp.resource'],
@@ -10,5 +11,6 @@ module.exports = {
     acceptedTypes: ['pair:Organization'],
     preferredView: '/Organization',
     disassembly: [{ path: 'pair:organizationOfMembership', container: CONFIG.HOME_URL + 'membership-associations' }],
+    newResourcesPermissions: getDefaultRights,
   },
 }