first commit

common/Workspaces/Policies/WorkspaceMemberPolicy.php

@@ -0,0 +1,76 @@
+<?php
+
+namespace Common\Workspaces\Policies;
+
+use App\Models\User;
+use Common\Core\Policies\BasePolicy;
+use Common\Workspaces\Workspace;
+
+class WorkspaceMemberPolicy extends BasePolicy
+{
+    public function store(
+        User $currentUser,
+        Workspace $workspace,
+        $checkMemberCount = true
+    ) {
+        $member = $workspace->findMember($currentUser);
+
+        if (!$member || !$member->hasPermission('workspace_members.invite')) {
+            return false;
+        }
+
+        $owner =
+            $currentUser->id === $workspace->owner_id
+                ? $currentUser
+                : $workspace->owner;
+        $maxMemberCount = $owner->getRestrictionValue(
+            'workspaces.create',
+            'member_count',
+        );
+
+        if (!$checkMemberCount || !$maxMemberCount) {
+            return true;
+        }
+
+        $currentMemberCount =
+            $workspace->members()->count() + $workspace->invites->count();
+
+        if ($currentMemberCount >= $maxMemberCount) {
+            $message = __('policies.workspace_member_quota_exceeded');
+            return $this->denyWithAction(
+                $message,
+                $owner->id === $currentUser->id ? $this->upgradeAction() : null,
+            );
+        }
+
+        return true;
+    }
+
+    public function update(User $currentUser, Workspace $workspace)
+    {
+        if ($workspace->isOwner($currentUser)) {
+            return true;
+        } else {
+            return $workspace
+                ->findMember($currentUser)
+                ->hasPermission('workspace_members.update');
+        }
+    }
+
+    public function destroy(
+        User $currentUser,
+        Workspace $workspace,
+        int $userId = null
+    ) {
+        if ($workspace->isOwner($currentUser)) {
+            return true;
+        } elseif ($currentUser->id === $userId) {
+            // user is trying to delete their own membership, aka leaving workspace
+            return true;
+        } else {
+            return $workspace
+                ->findMember($currentUser)
+                ->hasPermission('workspace_members.delete');
+        }
+    }
+}

common/Workspaces/Policies/WorkspacePolicy.php

@@ -0,0 +1,43 @@
+<?php
+
+namespace Common\Workspaces\Policies;
+
+use Common\Auth\BaseUser;
+use Common\Core\Policies\BasePolicy;
+use Common\Workspaces\Workspace;
+
+class WorkspacePolicy extends BasePolicy
+{
+    public function index(BaseUser $user, int $userId = null)
+    {
+        return $user->hasPermission('workspaces.view') || $user->id === $userId;
+    }
+
+    public function show(BaseUser $user, Workspace $workspace)
+    {
+        return $user->hasPermission('workspaces.view') || $workspace->owner_id === $user->id || $workspace->isMember($user);
+    }
+
+    public function store(BaseUser $user)
+    {
+        return $this->storeWithCountRestriction($user, Workspace::class);
+    }
+
+    public function update(BaseUser $user, Workspace $workspace)
+    {
+        return $user->hasPermission('workspaces.update') || $workspace->owner_id === $user->id;
+    }
+
+    public function destroy(BaseUser $user, $workspaceIds)
+    {
+        if ($user->hasPermission('workspaces.delete')) {
+            return true;
+        } else {
+            $dbCount = app(Workspace::class)
+                ->whereIn('id', $workspaceIds)
+                ->where('owner_id', $user->id)
+                ->count();
+            return $dbCount === count($workspaceIds);
+        }
+    }
+}

common/Workspaces/Policies/WorkspacedResourcePolicy.php

@@ -0,0 +1,123 @@
+<?php
+
+namespace Common\Workspaces\Policies;
+
+use App\Models\User;
+use Common\Core\Policies\BasePolicy;
+use Common\Workspaces\ActiveWorkspace;
+use Illuminate\Auth\Access\Response;
+use Illuminate\Database\Eloquent\Model;
+use Illuminate\Support\Str;
+
+abstract class WorkspacedResourcePolicy extends BasePolicy
+{
+    protected string $resource;
+
+    const NO_PERMISSION = 1;
+    const NO_WORKSPACE_PERMISSION = 2;
+
+    public function index(User $currentUser, int $userId = null)
+    {
+        $userId = $userId ?? (int) $this->request->get('userId');
+
+        [, $permission] = $this->parseNamespace($this->resource, 'view');
+
+        // filtering resources by user id
+        if ($userId) {
+            return $currentUser->id === $userId;
+
+            // if we're requesting resources for a particular workspace,let user view the resources
+            // as long as they are a member, even without explicit "resource.view" permission
+        } elseif ($this->userIsWorkspaceMember($currentUser)) {
+            return true;
+        } else {
+            return $this->userHasPermission($currentUser, $permission);
+        }
+    }
+
+    public function show(User $currentUser, Model $resource)
+    {
+        [, $permission] = $this->parseNamespace($this->resource, 'view');
+
+        if ($resource->user_id === $currentUser->id) {
+            return true;
+            // if we're requesting resources for a particular workspace,let user view the resources
+            // as long as they are a member, event without explicit "resource.view" permission
+        } elseif ($this->userIsWorkspaceMember($currentUser)) {
+            return true;
+        } else {
+            return $this->userHasPermission($currentUser, $permission);
+        }
+    }
+
+    public function store(User $currentUser)
+    {
+        return $this->storeWithCountRestriction($currentUser, $this->resource);
+    }
+
+    public function update(User $currentUser, Model $resource)
+    {
+        [, $permission] = $this->parseNamespace($this->resource, 'update');
+
+        if ($resource->user_id === $currentUser->id) {
+            return true;
+        } else {
+            return $this->userHasPermission($currentUser, $permission);
+        }
+    }
+
+    public function destroy(User $currentUser, $resourceIds = null)
+    {
+        [, $permission] = $this->parseNamespace($this->resource, 'delete');
+
+        $response = $this->userHasPermission($currentUser, $permission);
+
+        if ($response->allowed()) {
+            return $response;
+        } elseif ($resourceIds) {
+            $dbCount = app($this->resource)
+                ->whereIn('id', $resourceIds)
+                ->where('user_id', $currentUser->id)
+                ->count();
+            return $dbCount === count($resourceIds);
+        } else {
+            return $response;
+        }
+    }
+
+    protected function userHasPermission(
+        User $user,
+        string $permission,
+    ): Response {
+        $permission = Str::snake($permission);
+
+        $activeWorkspace = app(ActiveWorkspace::class);
+        $userOwnsWorkspace =
+            $activeWorkspace->isPersonal() ||
+            !$activeWorkspace->workspace() ||
+            $user->id === $activeWorkspace->workspace()->owner_id;
+
+        // check if user has permission when they own workspace or no workspace at all
+        if ($userOwnsWorkspace && !parent::hasPermission($user, $permission)) {
+            return Response::deny('No permission', self::NO_PERMISSION);
+        }
+
+        // check if user has this permission for the workspace as well if they are not the owner
+        elseif (!$userOwnsWorkspace) {
+            $workspaceUser = $activeWorkspace->member($user->id);
+            if (!$workspaceUser?->hasPermission($permission)) {
+                return Response::deny(
+                    'No permission',
+                    self::NO_WORKSPACE_PERMISSION,
+                );
+            }
+        }
+
+        return Response::allow();
+    }
+
+    protected function userIsWorkspaceMember(User $user): bool
+    {
+        return !is_null(app(ActiveWorkspace::class)->member($user->id));
+    }
+}