feat: limit access to piscine overviews

FreekBes · FreekBes · commit bdd7d48f4de7 · 2025-01-30T16:50:44.000+01:00
- only staff and C.A.T.s have access to piscine overviews
- C.A.T.s can only view piscine overviews of the current year
diff --git a/.env.example b/.env.example
@@ -3,3 +3,4 @@ SESSION_SECRET=enter_your_session_secret_here
 INTRA_API_UID=enter_your_uid_here
 INTRA_API_SECRET=enter_your_secret_here
 INTRA_CAMPUS_ID=14
+INTRA_PISCINE_ASSISTANT_GROUP_ID=68
diff --git a/README.md b/README.md
@@ -1,6 +1,9 @@
 # CodamHero v2
 CodamHero v2 gives staff and students an overview of everything Codam.
 
+## Limited access
+Only staff members or C.A.T.s have access to (parts of) piscine overviews by design.
+
 ## Development
 To get started, run the folllowing:
 ```bash
diff --git a/prisma/migrations/20250130144450_add_groups/migration.sql b/prisma/migrations/20250130144450_add_groups/migration.sql
@@ -0,0 +1,16 @@
+-- CreateTable
+CREATE TABLE "Group" (
+    "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    "name" TEXT NOT NULL
+);
+
+-- CreateTable
+CREATE TABLE "GroupUser" (
+    "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    "group_id" INTEGER NOT NULL,
+    "user_id" INTEGER NOT NULL,
+    "created_at" DATETIME NOT NULL,
+    "updated_at" DATETIME NOT NULL,
+    CONSTRAINT "GroupUser_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "User" ("id") ON DELETE RESTRICT ON UPDATE CASCADE,
+    CONSTRAINT "GroupUser_group_id_fkey" FOREIGN KEY ("group_id") REFERENCES "Group" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
diff --git a/prisma/migrations/20250130151906_groups_user_remove_updated_created_at/migration.sql b/prisma/migrations/20250130151906_groups_user_remove_updated_created_at/migration.sql
@@ -0,0 +1,21 @@
+/*
+  Warnings:
+
+  - You are about to drop the column `created_at` on the `GroupUser` table. All the data in the column will be lost.
+  - You are about to drop the column `updated_at` on the `GroupUser` table. All the data in the column will be lost.
+
+*/
+-- RedefineTables
+PRAGMA foreign_keys=OFF;
+CREATE TABLE "new_GroupUser" (
+    "id" INTEGER NOT NULL PRIMARY KEY AUTOINCREMENT,
+    "group_id" INTEGER NOT NULL,
+    "user_id" INTEGER NOT NULL,
+    CONSTRAINT "GroupUser_user_id_fkey" FOREIGN KEY ("user_id") REFERENCES "User" ("id") ON DELETE RESTRICT ON UPDATE CASCADE,
+    CONSTRAINT "GroupUser_group_id_fkey" FOREIGN KEY ("group_id") REFERENCES "Group" ("id") ON DELETE RESTRICT ON UPDATE CASCADE
+);
+INSERT INTO "new_GroupUser" ("group_id", "id", "user_id") SELECT "group_id", "id", "user_id" FROM "GroupUser";
+DROP TABLE "GroupUser";
+ALTER TABLE "new_GroupUser" RENAME TO "GroupUser";
+PRAGMA foreign_key_check("GroupUser");
+PRAGMA foreign_keys=ON;
diff --git a/prisma/schema.prisma b/prisma/schema.prisma
@@ -38,6 +38,7 @@ model User {
 	cursus_users     CursusUser[]
 	project_users    ProjectUser[]
 	locations        Location[]
+	groups           GroupUser[]
 }
 
 model Cursus {
@@ -66,6 +67,24 @@ model CursusUser {
 	cursus           Cursus   @relation(fields: [cursus_id], references: [id])
 }
 
+model Group {
+	id               Int      @id
+	name             String
+
+	// Relations
+	group_users      GroupUser[]
+}
+
+model GroupUser {
+	id               Int      @id
+	group_id         Int      @map("group_id")
+	user_id          Int      @map("user_id")
+
+	// Relations
+	user             User     @relation(fields: [user_id], references: [id])
+	group            Group   @relation(fields: [group_id], references: [id])
+}
+
 model Project {
 	id               Int      @id
 	name             String
diff --git a/src/env.ts b/src/env.ts
@@ -3,5 +3,6 @@ export const SESSION_SECRET = process.env.SESSION_SECRET!;
 export const INTRA_API_UID = process.env.INTRA_API_UID!;
 export const INTRA_API_SECRET = process.env.INTRA_API_SECRET!;
 export const CAMPUS_ID: number = parseInt(process.env.INTRA_CAMPUS_ID!);
+export const INTRA_PISCINE_ASSISTANT_GROUP_ID : number = parseInt(process.env.INTRA_PISCINE_ASSISTANT_GROUP_ID!);
 export const NODE_ENV = process.env.NODE_ENV || "development";
 export const DEV_DAYS_LIMIT: number = process.env.DEV_DAYS_LIMIT ? parseInt(process.env.DEV_DAYS_LIMIT) : 365;
diff --git a/src/handlers/authentication.ts b/src/handlers/authentication.ts
@@ -4,7 +4,7 @@ import OAuth2Strategy from 'passport-oauth2';
 import { PrismaClient } from '@prisma/client';
 import { INTRA_API_UID, INTRA_API_SECRET, URL_ORIGIN, SESSION_SECRET } from '../env';
 import { getIntraUser, IntraUser } from '../intra/oauth';
-import { isStudentOrStaff } from '../utils';
+import { isStudentOrStaff, isCatOrStaff } from '../utils';
 
 export const setupPassport = function(prisma: PrismaClient): void {
 	passport.use(new OAuth2Strategy({
@@ -51,6 +51,7 @@ export const setupPassport = function(prisma: PrismaClient): void {
 				display_name: user.display_name,
 				kind: user.kind,
 				isStudentOrStaff: await isStudentOrStaff(user),
+				isCatOrStaff: await isCatOrStaff(user),
 				image_url: user.image,
 			};
 			cb(null, intraUser);
diff --git a/src/handlers/middleware.ts b/src/handlers/middleware.ts
@@ -2,6 +2,7 @@ import express from 'express';
 import { Request, Response, NextFunction } from "express";
 import { CustomSessionData } from "./session";
 import { IntraUser } from '../intra/oauth';
+import { hasPiscineHistoryAccess } from '../utils';
 
 
 const checkIfAuthenticated = function(req: Request, res: Response, next: NextFunction) {
@@ -35,6 +36,28 @@ export const checkIfStudentOrStaff = async function(req: Request, res: Response,
 	}
 };
 
+export const checkIfCatOrStaff = async function(req: Request, res: Response, next: NextFunction) {
+	// Warning: should be used together with checkIfStudentOrStaff
+	if ((req.user as IntraUser)?.isCatOrStaff === true) {
+		return next();
+	}
+	else {
+		console.warn(`User ${(req.user as IntraUser)?.id} is not a C.A.T. (piscine assistant) or staff member, denying access to ${req.path}.`);
+		res.status(403);
+		return res.send('Forbidden');
+	}
+};
+
+export const checkIfPiscineHistoryAccess = async function(req: Request, res: Response, next: NextFunction) {
+	const year = parseInt(req.params.year);
+	if (hasPiscineHistoryAccess(req.user as IntraUser, year)) {
+		return next();
+	}
+	console.warn(`User ${(req.user as IntraUser)?.id} is trying to access a piscine overview for ${year} (which is in the past), denying access to ${req.path}.`);
+	res.status(403);
+	return res.send('Forbidden');
+};
+
 const expressErrorHandler = function(err: any, req: Request, res: Response, next: NextFunction) {
 	console.error(err);
 	res.status(500);
diff --git a/src/intra/base.ts b/src/intra/base.ts
@@ -7,8 +7,9 @@ import { syncProjectsUsers } from "./projects_users";
 import { syncLocations } from "./locations";
 import { DEV_DAYS_LIMIT, NODE_ENV } from "../env";
 import { cleanupDB } from "./cleanup";
-import { invalidateAllCache } from "../handlers/cache";
 import { buildPiscineCache } from "../handlers/piscine";
+import { syncGroups } from "./groups";
+import { syncGroupsUsers } from "./groups_users";
 
 export const prisma = new PrismaClient();
 export const SYNC_INTERVAL = 10; // minutes
@@ -173,6 +174,8 @@ export const syncWithIntra = async function(api: Fast42): Promise<void> {
 	await syncProjects(api, now);
 	await syncProjectsUsers(api, now);
 	await syncLocations(api, now);
+	await syncGroups(api, now);
+	await syncGroupsUsers(api, now);
 	await cleanupDB(api);
 
 	// Clear the server-side cache (should not be needed because of the cache rebuilding below)
diff --git a/src/intra/groups.ts b/src/intra/groups.ts
@@ -0,0 +1,49 @@
+import Fast42 from '@codam/fast42';
+import { prisma, syncDataCB } from './base';
+import { INTRA_PISCINE_ASSISTANT_GROUP_ID } from '../env';
+
+export const syncGroups = async function(api: Fast42, syncDate: Date): Promise<void> {
+	// Fetch the last synchronization date from the database
+	const syncKind = await prisma.synchronization.findFirst({
+		where: {
+			kind: 'groups',
+		},
+	});
+
+	// We only sync the C.A.T. group (id defined in INTRA_PISCINE_ASSISTANT_GROUP_ID)
+	// In the future we might want to sync all groups, but then syncing groups_users will be a pain as there is no campus filter on that endpoint.
+	await syncDataCB(api, syncDate, syncKind?.last_synced_at, `/groups/${INTRA_PISCINE_ASSISTANT_GROUP_ID}`, {}, async (group) => {
+		try {
+			await prisma.group.upsert({
+				where: {
+					id: group.id,
+				},
+				update: {
+					name: group.name,
+				},
+				create: {
+					id: group.id,
+					name: group.name,
+				}
+			});
+		}
+		catch (err) {
+			console.error(`Error syncing group ${group.id}: ${err}`);
+		}
+	});
+
+	// Mark synchronization as complete by updating the last_synced_at field
+	await prisma.synchronization.upsert({
+		where: {
+			kind: 'groups',
+		},
+		update: {
+			last_synced_at: syncDate,
+		},
+		create: {
+			kind: 'groups',
+			first_synced_at: syncDate,
+			last_synced_at: syncDate,
+		},
+	});
+};
diff --git a/src/intra/groups_users.ts b/src/intra/groups_users.ts
@@ -0,0 +1,78 @@
+import Fast42 from '@codam/fast42';
+import { prisma, syncDataCB } from './base';
+
+export const syncGroupsUsers = async function(api: Fast42, syncDate: Date): Promise<void> {
+	// Fetch the last synchronization date from the database
+	const syncKind = await prisma.synchronization.findFirst({
+		where: {
+			kind: 'groups_users_syncall', // Make sure to always sync all (not just updated) group_users by selecting a non-existing syncKind
+		},
+	});
+
+	const groups = await prisma.group.findMany({});
+
+	for (const group of groups) {
+		await syncDataCB(api, syncDate, syncKind?.last_synced_at, `/groups/${group.id}/groups_users`, {}, async (groupsUsers) => {
+			// Delete all group_users
+			await prisma.groupUser.deleteMany({});
+
+			for (const groupUser of groupsUsers) {
+				console.debug(`Syncing a group_user (user ${groupUser.user_id} in group "${groupUser.group.name}")...`);
+
+				try {
+					const user = await prisma.user.findFirst({
+						where: {
+							id: groupUser.user_id,
+						},
+						select: {
+							id: true, // Minimal select to check if user exists
+						},
+					});
+					if (!user) {
+						continue; // User is likely not from our campus
+					}
+
+					await prisma.groupUser.upsert({
+						where: {
+							id: groupUser.id,
+						},
+						update: {
+							user_id: groupUser.user_id,
+						},
+						create: {
+							id: groupUser.id,
+							user: {
+								connect: {
+									id: groupUser.user_id,
+								},
+							},
+							group: {
+								connect: {
+									id: groupUser.group.id,
+								},
+							},
+						}
+					});
+				}
+				catch (err) {
+					console.error(`Error syncing group_user ${groupUser.id}: ${err}`);
+				}
+			}
+		});
+	}
+
+	// Mark synchronization as complete by updating the last_synced_at field
+	await prisma.synchronization.upsert({
+		where: {
+			kind: 'groups_users',
+		},
+		update: {
+			last_synced_at: syncDate,
+		},
+		create: {
+			kind: 'groups_users',
+			first_synced_at: syncDate,
+			last_synced_at: syncDate,
+		},
+	});
+};
diff --git a/src/intra/oauth.ts b/src/intra/oauth.ts
@@ -1,6 +1,6 @@
 import https from 'https';
 import { CAMPUS_ID } from '../env';
-import { isStudentOrStaff } from '../utils';
+import { isStudentOrStaff, isCatOrStaff } from '../utils';
 
 export interface IntraUser extends Express.User {
 	id: number;
@@ -13,6 +13,7 @@ export interface IntraUser extends Express.User {
 	display_name: string;
 	kind: string;
 	isStudentOrStaff: boolean;
+	isCatOrStaff: boolean;
 	image_url: string | null;
 };
 
@@ -62,6 +63,7 @@ export const getIntraUser = async function(accessToken: string): Promise<IntraUs
 			display_name: me.displayname,
 			kind: me.kind,
 			isStudentOrStaff: await isStudentOrStaff(me),
+			isCatOrStaff: await isCatOrStaff(me),
 			image_url: (me.image && me.image.link ? me.image.versions.medium : null),
 		};
 
diff --git a/src/routes/piscines.ts b/src/routes/piscines.ts
@@ -1,9 +1,10 @@
 import { Express } from 'express';
 import passport from 'passport';
 import { PrismaClient } from '@prisma/client';
-import { formatDate, getAllPiscines, getLatestPiscine, numberToMonth, projectStatusToString } from '../utils';
-import { checkIfStudentOrStaff } from '../handlers/middleware';
+import { formatDate, getAllPiscines, getLatestPiscine, hasLimitedPiscineHistoryAccess, numberToMonth, projectStatusToString } from '../utils';
+import { checkIfStudentOrStaff, checkIfCatOrStaff, checkIfPiscineHistoryAccess } from '../handlers/middleware';
 import { getPiscineData } from '../handlers/piscine';
+import { IntraUser } from '../intra/oauth';
 
 export const setupPiscinesRoutes = function(app: Express, prisma: PrismaClient): void {
 	app.get('/piscines', passport.authenticate('session'), checkIfStudentOrStaff, async (req, res) => {
@@ -19,20 +20,20 @@ export const setupPiscinesRoutes = function(app: Express, prisma: PrismaClient):
 		}
 	});
 
-	app.get('/piscines/:year/:month', passport.authenticate('session'), checkIfStudentOrStaff, async (req, res) => {
+	app.get('/piscines/:year/:month', passport.authenticate('session'), checkIfStudentOrStaff, checkIfCatOrStaff, checkIfPiscineHistoryAccess, async (req, res) => {
 		// Parse parameters
 		const year = parseInt(req.params.year);
 		const month = parseInt(req.params.month);
 
-		// Find all possible piscines from the database
-		const piscines = await getAllPiscines(prisma);
+		// Find all possible piscines from the database (if not staff, limit to the current year)
+		const piscines = await getAllPiscines(prisma, hasLimitedPiscineHistoryAccess(req.user as IntraUser));
 
 		const { users, logtimes, dropouts, projects } = await getPiscineData(year, month, prisma);
 
 		return res.render('piscines.njk', { piscines, projects, users, logtimes, dropouts, year, month, subtitle: `${year} ${numberToMonth(month)}` });
 	});
 
-	app.get('/piscines/:year/:month/csv', passport.authenticate('session'), checkIfStudentOrStaff, async (req, res) => {
+	app.get('/piscines/:year/:month/csv', passport.authenticate('session'), checkIfStudentOrStaff, checkIfCatOrStaff, checkIfPiscineHistoryAccess, async (req, res) => {
 		// Parse parameters
 		const year = parseInt(req.params.year);
 		const month = parseInt(req.params.month);
diff --git a/src/utils.ts b/src/utils.ts
diff --git a/templates/piscines.njk b/templates/piscines.njk
