Extend permissions

8 months ago · 60253c3a3b
5 changed files with 74 additions and 14 deletions
--- a/apps/api/src/app/endpoints/market-data/market-data.controller.ts
+++ b/apps/api/src/app/endpoints/market-data/market-data.controller.ts
@ -1,5 +1,6 @@
 import { AdminService } from '@ghostfolio/api/app/admin/admin.service';
 import { MarketDataService } from '@ghostfolio/api/services/market-data/market-data.service';
+import { SymbolProfileService } from '@ghostfolio/api/services/symbol-profile/symbol-profile.service';
 import { MarketDataDetailsResponse } from '@ghostfolio/common/interfaces';
 import { hasPermission, permissions } from '@ghostfolio/common/permissions';
 import { RequestWithUser } from '@ghostfolio/common/types';
@ -27,7 +28,8 @@ export class MarketDataController {
  public constructor(
    private readonly adminService: AdminService,
    private readonly marketDataService: MarketDataService,
-    @Inject(REQUEST) private readonly request: RequestWithUser
+    @Inject(REQUEST) private readonly request: RequestWithUser,
+    private readonly symbolProfileService: SymbolProfileService
  ) {}

  @Get(':dataSource/:symbol')
@ -36,12 +38,35 @@ export class MarketDataController {
    @Param('dataSource') dataSource: DataSource,
    @Param('symbol') symbol: string
  ): Promise<MarketDataDetailsResponse> {
-    if (
-      !hasPermission(this.request.user.permissions, permissions.readMarketData)
-    ) {
+    const [assetProfile] = await this.symbolProfileService.getSymbolProfiles([
+      { dataSource, symbol }
+    ]);
+
+    if (!assetProfile) {
      throw new HttpException(
-        getReasonPhrase(StatusCodes.FORBIDDEN),
-        StatusCodes.FORBIDDEN
+        getReasonPhrase(StatusCodes.NOT_FOUND),
+        StatusCodes.NOT_FOUND
+      );
+    }
+
+    const canReadAllAssetProfiles = hasPermission(
+      this.request.user.permissions,
+      permissions.readMarketData
+    );
+
+    const canReadOwnAssetProfile =
+      assetProfile.userId === this.request.user.id &&
+      hasPermission(
+        this.request.user.permissions,
+        permissions.readMarketDataOfOwnAssetProfile
+      );
+
+    if (!canReadAllAssetProfiles && !canReadOwnAssetProfile) {
+      throw new HttpException(
+        assetProfile.userId
+          ? getReasonPhrase(StatusCodes.NOT_FOUND)
+          : getReasonPhrase(StatusCodes.FORBIDDEN),
+        assetProfile.userId ? StatusCodes.NOT_FOUND : StatusCodes.FORBIDDEN
      );
    }

@ -55,16 +80,39 @@ export class MarketDataController {
    @Param('dataSource') dataSource: DataSource,
    @Param('symbol') symbol: string
  ) {
-    if (
-      !hasPermission(
+    const [assetProfile] = await this.symbolProfileService.getSymbolProfiles([
+      { dataSource, symbol }
+    ]);
+
+    if (!assetProfile) {
+      throw new HttpException(
+        getReasonPhrase(StatusCodes.NOT_FOUND),
+        StatusCodes.NOT_FOUND
+      );
+    }
+
+    const canUpsertAllAssetProfiles =
+      hasPermission(
        this.request.user.permissions,
        permissions.createMarketData
-      ) ||
-      !hasPermission(
+      ) &&
+      hasPermission(
        this.request.user.permissions,
        permissions.updateMarketData
-      )
-    ) {
+      );
+
+    const canUpsertOwnAssetProfile =
+      assetProfile.userId === this.request.user.id &&
+      hasPermission(
+        this.request.user.permissions,
+        permissions.createMarketDataOfOwnAssetProfile
+      ) &&
+      hasPermission(
+        this.request.user.permissions,
+        permissions.updateMarketDataOfOwnAssetProfile
+      );
+
+    if (!canUpsertAllAssetProfiles && !canUpsertOwnAssetProfile) {
      throw new HttpException(
        getReasonPhrase(StatusCodes.FORBIDDEN),
        StatusCodes.FORBIDDEN
--- a/apps/api/src/app/endpoints/market-data/market-data.module.ts
+++ b/apps/api/src/app/endpoints/market-data/market-data.module.ts
@ -1,5 +1,6 @@
 import { AdminModule } from '@ghostfolio/api/app/admin/admin.module';
 import { MarketDataModule as MarketDataServiceModule } from '@ghostfolio/api/services/market-data/market-data.module';
+import { SymbolProfileModule } from '@ghostfolio/api/services/symbol-profile/symbol-profile.module';

 import { Module } from '@nestjs/common';

@ -7,6 +8,6 @@ import { MarketDataController } from './market-data.controller';

@Module({
  controllers: [MarketDataController],
-  imports: [AdminModule, MarketDataServiceModule]
+  imports: [AdminModule, MarketDataServiceModule, SymbolProfileModule]
 })
 export class MarketDataModule {}
--- a/apps/api/src/app/import/import.service.ts
+++ b/apps/api/src/app/import/import.service.ts
@ -551,7 +551,8 @@ export class ImportService {
            holdings: undefined,
            id: undefined,
            sectors: undefined,
-            updatedAt: undefined
+            updatedAt: undefined,
+            userId: undefined
          }
        };
      }
--- a/libs/common/src/lib/interfaces/enhanced-symbol-profile.interface.ts
+++ b/libs/common/src/lib/interfaces/enhanced-symbol-profile.interface.ts
@ -30,4 +30,5 @@ export interface EnhancedSymbolProfile {
  symbolMapping?: { [key: string]: string };
  updatedAt: Date;
  url?: string;
+  userId?: string;
 }
--- a/libs/common/src/lib/permissions.ts
+++ b/libs/common/src/lib/permissions.ts
@ -11,6 +11,7 @@ export const permissions = {
  createAccountBalance: 'createAccountBalance',
  createApiKey: 'createApiKey',
  createMarketData: 'createMarketData',
+  createMarketDataOfOwnAssetProfile: 'createMarketDataOfOwnAssetProfile',
  createOrder: 'createOrder',
  createPlatform: 'createPlatform',
  createTag: 'createTag',
@ -35,6 +36,7 @@ export const permissions = {
  enableSystemMessage: 'enableSystemMessage',
  impersonateAllUsers: 'impersonateAllUsers',
  readMarketData: 'readMarketData',
+  readMarketDataOfOwnAssetProfile: 'readMarketDataOfOwnAssetProfile',
  readPlatforms: 'readPlatforms',
  readTags: 'readTags',
  reportDataGlitch: 'reportDataGlitch',
@ -42,6 +44,7 @@ export const permissions = {
  updateAccount: 'updateAccount',
  updateAuthDevice: 'updateAuthDevice',
  updateMarketData: 'updateMarketData',
+  updateMarketDataOfOwnAssetProfile: 'updateMarketDataOfOwnAssetProfile',
  updateOrder: 'updateOrder',
  updatePlatform: 'updatePlatform',
  updateTag: 'updateTag',
@ -61,6 +64,7 @@ export function getPermissions(aRole: Role): string[] {
        permissions.createAccountBalance,
        permissions.deleteAccountBalance,
        permissions.createMarketData,
+        permissions.createMarketDataOfOwnAssetProfile,
        permissions.createOrder,
        permissions.createPlatform,
        permissions.createTag,
@ -73,11 +77,13 @@ export function getPermissions(aRole: Role): string[] {
        permissions.deleteTag,
        permissions.deleteUser,
        permissions.readMarketData,
+        permissions.readMarketDataOfOwnAssetProfile,
        permissions.readPlatforms,
        permissions.readTags,
        permissions.updateAccount,
        permissions.updateAuthDevice,
        permissions.updateMarketData,
+        permissions.updateMarketDataOfOwnAssetProfile,
        permissions.updateOrder,
        permissions.updatePlatform,
        permissions.updateTag,
@ -99,6 +105,7 @@ export function getPermissions(aRole: Role): string[] {
        permissions.createAccess,
        permissions.createAccount,
        permissions.createAccountBalance,
+        permissions.createMarketDataOfOwnAssetProfile,
        permissions.createOrder,
        permissions.deleteAccess,
        permissions.deleteAccount,
@ -106,8 +113,10 @@ export function getPermissions(aRole: Role): string[] {
        permissions.deleteAuthDevice,
        permissions.deleteOrder,
        permissions.deleteOwnUser,
+        permissions.readMarketDataOfOwnAssetProfile,
        permissions.updateAccount,
        permissions.updateAuthDevice,
+        permissions.updateMarketDataOfOwnAssetProfile,
        permissions.updateOrder,
        permissions.updateUserSettings,
        permissions.updateViewMode