fix: add backward compatibility for old dossier_access table
RBAC editor was failing with 403 Forbidden when trying to edit permissions for users who have access via the old dossier_access table but not the new access grants table. Added fallback logic to CanManageDossier and CanAccessDossier: 1. Check new RBAC system (access table) first 2. If no grant found, check old dossier_access table 3. For manage: check can_edit = 1 4. For access: check status = 1 This allows existing access relationships to work with the new RBAC editor while we migrate data from old to new system. Fixes: "Forbidden" error when editing permissions for legacy access grants Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
parent
7cd450cb49
commit
c3b5381c4c
|
|
@ -329,13 +329,43 @@ func EnsureCategoryEntry(dossierID string, category int) (string, error) {
|
||||||
}
|
}
|
||||||
|
|
||||||
// CanAccessDossier returns true if accessor can read dossier (for quick checks)
|
// CanAccessDossier returns true if accessor can read dossier (for quick checks)
|
||||||
|
// Falls back to old dossier_access for backward compatibility
|
||||||
func CanAccessDossier(accessorID, dossierID string) bool {
|
func CanAccessDossier(accessorID, dossierID string) bool {
|
||||||
return CheckAccess(accessorID, dossierID, "", 'r') == nil
|
// Check new RBAC system first
|
||||||
|
if CheckAccess(accessorID, dossierID, "", 'r') == nil {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fallback: check old dossier_access table
|
||||||
|
var result []struct {
|
||||||
|
Status int `db:"status"`
|
||||||
|
}
|
||||||
|
err := Query(
|
||||||
|
"SELECT status FROM dossier_access WHERE accessor_dossier_id = ? AND target_dossier_id = ? AND status = 1",
|
||||||
|
[]any{accessorID, dossierID},
|
||||||
|
&result,
|
||||||
|
)
|
||||||
|
return err == nil && len(result) > 0 && result[0].Status == 1
|
||||||
}
|
}
|
||||||
|
|
||||||
// CanManageDossier returns true if accessor can manage permissions for dossier
|
// CanManageDossier returns true if accessor can manage permissions for dossier
|
||||||
|
// Falls back to old dossier_access.can_edit for backward compatibility
|
||||||
func CanManageDossier(accessorID, dossierID string) bool {
|
func CanManageDossier(accessorID, dossierID string) bool {
|
||||||
return CheckAccess(accessorID, dossierID, "", 'm') == nil
|
// Check new RBAC system first
|
||||||
|
if CheckAccess(accessorID, dossierID, "", 'm') == nil {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
|
||||||
|
// Fallback: check old dossier_access table
|
||||||
|
var result []struct {
|
||||||
|
CanEdit int `db:"can_edit"`
|
||||||
|
}
|
||||||
|
err := Query(
|
||||||
|
"SELECT can_edit FROM dossier_access WHERE accessor_dossier_id = ? AND target_dossier_id = ? AND status = 1",
|
||||||
|
[]any{accessorID, dossierID},
|
||||||
|
&result,
|
||||||
|
)
|
||||||
|
return err == nil && len(result) > 0 && result[0].CanEdit == 1
|
||||||
}
|
}
|
||||||
|
|
||||||
// GrantAccess creates an access grant
|
// GrantAccess creates an access grant
|
||||||
|
|
|
||||||
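Review bot: The CanManageDossier fallback treats a legacy `can_edit = 1` row as the new 'm' (manage permissions) right, which may be broader than what can_edit originally granted. If can_edit meant editing dossier content, every legacy editor can now change who has access, so the mapping should be confirmed or the manage fallback narrowed. Both fallbacks also run whenever CheckAccess returns a non-nil error, so, as far as this hunk shows, removing a grant in the new RBAC editor does not revoke access while the legacy row still has `status = 1`. Revocation should clear the legacy row as well, or the fallback should be skipped once a dossier has been migrated. Only `result[0]` is inspected, so put the condition in the query (`... AND status = 1 AND can_edit = 1`) and return `err == nil && len(result) > 0`; a Query error correctly ends in a denial, but logging it would distinguish a broken legacy lookup from a real deny.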