Authorize inspector when updating an inspection

Author: DrTom

src/madek/media_service/server/authentication/shared.clj

@@ -27,5 +27,3 @@
           :else false] :is_system_admin])
       (sql/join :people [:= :users.person_id :people.id])))
 
-
-(comment (sql-format user-base-query {:inline true}))

src/madek/media_service/server/authorization/main.clj

@@ -29,6 +29,22 @@
 (defn check-system-admin [request]
   (get-in request [:authenticated-entity :is_system_admin]))
 
+
+(defn check-inspector-inspection-access-query [request]
+  (-> (sql/select true)
+      (sql/from :inspections)
+      (sql/where [:in :inspections.state ["dispatched" "processing"]])
+      (sql/where [:= :inspections.id (get-in request [:route :path-params :inspection-id])])
+      (sql/where [:= :inspections.inspector_id (get-in request [:authenticated-entity :id])])))
+
+(defn check-inspector-inspection-access
+  [{tx :tx :as request}]
+  (and
+    (= :inspector (get-in request [:authenticated-entity :type]))
+    (-> request check-inspector-inspection-access-query
+        (sql-format :inline false)
+        (->> (jdbc/query tx) first spy boolean))))
+
 (defn check-inspector [request]
   (= :inspector (get-in request [:authenticated-entity :type])))
 
@@ -50,7 +66,8 @@
     :permitted-user (case route-name
                       :original-content (check-permitted-user-original request))
     :performing-inspector (case route-name
-                            :original-content (check-original-inspector-access request))
+                            :original-content (check-original-inspector-access request)
+                            :inspection (check-inspector-inspection-access request))
     :admin (check-admin request)
     :system-admin (check-system-admin request)))
 

src/madek/media_service/server/resources/inspections/inspection/main.clj

@@ -26,7 +26,7 @@
     method :request-method :as request}]
   (case route-name
     :inspection (case method
-                  :patch (-> request get-inspection)
-                  :get (-> request update-inspection)
+                  :patch (-> request update-inspection)
+                  :get (-> request get-inspection)
                   {:status 405})
     {:status 404}))

src/madek/media_service/server/resources/inspectors/inspector/main.clj

@@ -33,7 +33,7 @@
                 (sql/on-conflict :id)
                 (sql/do-update-set :description :enabled :public_key
                                    (sql/where [:= :inspectors.id inspector-id]))
-                (sql-format :inline true)
+                (sql-format :inline false)
                 (->> (spy :info))
                 (#(jdbc/execute! tx % {:return-keys true})))]
     {:body res}))

src/madek/media_service/utils/logging/core.cljc

@@ -6,14 +6,13 @@
 
 (def DEFAULT_CONFIG
   {:min-level [[#{
-                  ;"madek.media-service.server.routing"
+                  ;"madek.media-service.inspector.*"
+                  ;"madek.media-service.server.authentication.jwt"
+                  ;"madek.media-service.server.authorization.main"
                   ;"madek.media-service.server.resources.inspections.*"
                   ;"madek.media-service.server.resources.originals.original.*"
                   ;"madek.media-service.server.resources.settings.*"
-                  ;"madek.media-service.server.authorization.main"
-                  ;"madek.media-service.server.authentication.jwt"
-                  ; "madek.media-service.inspector.*"
-                  "madek.media-service.server.authorization.main"
+                  ;"madek.media-service.server.routing"
                   "madek.media-service.server.resources.inspections.inspection.main"
                   "madek.media-service.inspector.inspect.exif"
                   } :debug]