ripple-api/common/privileges.go

package common

import "strings"

// These are the various privileges a token can have.
const (
	PrivilegeRead             = 1 << iota // used to be to fetch public data, such as user information etc. this is deprecated.
	PrivilegeReadConfidential             // (eventual) private messages, reports... of self
	PrivilegeWrite                        // change user information, write into confidential stuff...
	PrivilegeManageBadges                 // can change various users' badges.
	PrivilegeBetaKeys                     // can add, remove, upgrade/downgrade, make public beta keys.
	PrivilegeManageSettings               // maintainance, set registrations, global alerts, bancho settings
	PrivilegeViewUserAdvanced             // can see user email, and perhaps warnings in the future, basically.
	PrivilegeManageUser                   // can change user email, allowed status, userpage, rank, username...
	PrivilegeManageRoles                  // translates as admin, as they can basically assign roles to anyone, even themselves
	PrivilegeManageAPIKeys                // admin permission to manage user permission, not only self permissions. Only ever do this if you completely trust the application, because this essentially means to put the entire ripple database in the hands of a (potentially evil?) application.
	PrivilegeBlog                         // can do pretty much anything to the blog, and the documentation.
	PrivilegeAPIMeta                      // can do /meta API calls. basically means they can restart the API server.
	PrivilegeBeatmap                      // rank/unrank beatmaps. also BAT when implemented
)

// Privileges is a bitwise enum of the privileges of an user's API key.
type Privileges uint64

var privilegeString = [...]string{
	"Read",
	"ReadConfidential",
	"Write",
	"ManageBadges",
	"BetaKeys",
	"ManageSettings",
	"ViewUserAdvanced",
	"ManageUser",
	"ManageRoles",
	"ManageAPIKeys",
	"Blog",
	"APIMeta",
	"Beatmap",
}

func (p Privileges) String() string {
	var pvs []string
	for i, v := range privilegeString {
		if uint64(p)&uint64(1<<uint(i)) != 0 {
			pvs = append(pvs, v)
		}
	}
	return strings.Join(pvs, ", ")
}

var privilegeMustBe = [...]UserPrivileges{
	1 << 30, // read is deprecated, and should be given out to no-one.
	UserPrivilegeNormal,
	UserPrivilegeNormal,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageBadges,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageBetaKey,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageSetting,
	AdminPrivilegeAccessRAP,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageUsers | AdminPrivilegeBanUsers,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageUsers | AdminPrivilegeManagePrivilege,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageUsers | AdminPrivilegeManageServer,
	AdminPrivilegeChatMod, // temporary?
	AdminPrivilegeManageServer,
	AdminPrivilegeAccessRAP | AdminPrivilegeManageBeatmap,
}

// CanOnly removes any privilege that the user has requested to have, but cannot have due to their rank.
func (p Privileges) CanOnly(userPrivs UserPrivileges) Privileges {
	newPrivilege := 0
	for i, v := range privilegeMustBe {
		wants := p&1 == 1
		can := userPrivs&v == v
		if wants && can {
			newPrivilege |= 1 << uint(i)
		}
		p >>= 1
	}
	return Privileges(newPrivilege)
}
Initial commit 2016-04-03 17:59:27 +00:00			`package common`

			`import "strings"`

			`// These are the various privileges a token can have.`
			`const (`
Remove read privilege. Public data is now readable by everyone without having to pass an API token. Feel free to test around as much as you like! 2016-07-06 12:22:43 +00:00			`PrivilegeRead = 1 << iota // used to be to fetch public data, such as user information etc. this is deprecated.`
Initial commit 2016-04-03 17:59:27 +00:00			`PrivilegeReadConfidential // (eventual) private messages, reports... of self`
			`PrivilegeWrite // change user information, write into confidential stuff...`
			`PrivilegeManageBadges // can change various users' badges.`
			`PrivilegeBetaKeys // can add, remove, upgrade/downgrade, make public beta keys.`
			`PrivilegeManageSettings // maintainance, set registrations, global alerts, bancho settings`
			`PrivilegeViewUserAdvanced // can see user email, and perhaps warnings in the future, basically.`
			`PrivilegeManageUser // can change user email, allowed status, userpage, rank, username...`
			`PrivilegeManageRoles // translates as admin, as they can basically assign roles to anyone, even themselves`
			`PrivilegeManageAPIKeys // admin permission to manage user permission, not only self permissions. Only ever do this if you completely trust the application, because this essentially means to put the entire ripple database in the hands of a (potentially evil?) application.`
			`PrivilegeBlog // can do pretty much anything to the blog, and the documentation.`
Graceful restart! 2016-04-07 17:32:48 +00:00			`PrivilegeAPIMeta // can do /meta API calls. basically means they can restart the API server.`
beatmap ranking in API 2016-04-27 18:03:06 +00:00			`PrivilegeBeatmap // rank/unrank beatmaps. also BAT when implemented`
Initial commit 2016-04-03 17:59:27 +00:00			`)`

			`// Privileges is a bitwise enum of the privileges of an user's API key.`
Graceful restart! 2016-04-07 17:32:48 +00:00			`type Privileges uint64`
Initial commit 2016-04-03 17:59:27 +00:00
			`var privilegeString = [...]string{`
			`"Read",`
			`"ReadConfidential",`
			`"Write",`
			`"ManageBadges",`
			`"BetaKeys",`
			`"ManageSettings",`
			`"ViewUserAdvanced",`
			`"ManageUser",`
			`"ManageRoles",`
			`"ManageAPIKeys",`
			`"Blog",`
Graceful restart! 2016-04-07 17:32:48 +00:00			`"APIMeta",`
beatmap ranking in API 2016-04-27 18:03:06 +00:00			`"Beatmap",`
Initial commit 2016-04-03 17:59:27 +00:00			`}`

			`func (p Privileges) String() string {`
			`var pvs []string`
			`for i, v := range privilegeString {`
Allow users with AdminManageUsers to see banned users Also: - General code refactoring - Allow banned/restricted users to see their scores etc - common.MethodData now contains UserPrivileges - UserPrivileges have now their own type - Implement md.HasQuery, to know if there's a GET querystring parameter or not 2016-08-27 10:04:12 +00:00			`if uint64(p)&uint64(1<<uint(i)) != 0 {`
Initial commit 2016-04-03 17:59:27 +00:00			`pvs = append(pvs, v)`
			`}`
			`}`
			`return strings.Join(pvs, ", ")`
			`}`
Add token creation (login) 2016-04-05 20:22:13 +00:00
Allow users with AdminManageUsers to see banned users Also: - General code refactoring - Allow banned/restricted users to see their scores etc - common.MethodData now contains UserPrivileges - UserPrivileges have now their own type - Implement md.HasQuery, to know if there's a GET querystring parameter or not 2016-08-27 10:04:12 +00:00			`var privilegeMustBe = [...]UserPrivileges{`
Remove read privilege. Public data is now readable by everyone without having to pass an API token. Feel free to test around as much as you like! 2016-07-06 12:22:43 +00:00			`1 << 30, // read is deprecated, and should be given out to no-one.`
Finish up with new ranks and stuff on the API 2016-07-03 22:06:23 +00:00			`UserPrivilegeNormal,`
			`UserPrivilegeNormal,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageBadges,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageBetaKey,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageSetting,`
			`AdminPrivilegeAccessRAP,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageUsers \| AdminPrivilegeBanUsers,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageUsers \| AdminPrivilegeManagePrivilege,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageUsers \| AdminPrivilegeManageServer,`
			`AdminPrivilegeChatMod, // temporary?`
			`AdminPrivilegeManageServer,`
			`AdminPrivilegeAccessRAP \| AdminPrivilegeManageBeatmap,`
Add token creation (login) 2016-04-05 20:22:13 +00:00			`}`

			`// CanOnly removes any privilege that the user has requested to have, but cannot have due to their rank.`
Allow users with AdminManageUsers to see banned users Also: - General code refactoring - Allow banned/restricted users to see their scores etc - common.MethodData now contains UserPrivileges - UserPrivileges have now their own type - Implement md.HasQuery, to know if there's a GET querystring parameter or not 2016-08-27 10:04:12 +00:00			`func (p Privileges) CanOnly(userPrivs UserPrivileges) Privileges {`
Add token creation (login) 2016-04-05 20:22:13 +00:00			`newPrivilege := 0`
			`for i, v := range privilegeMustBe {`
			`wants := p&1 == 1`
Finish up with new ranks and stuff on the API 2016-07-03 22:06:23 +00:00			`can := userPrivs&v == v`
Add token creation (login) 2016-04-05 20:22:13 +00:00			`if wants && can {`
			`newPrivilege \|= 1 << uint(i)`
			`}`
			`p >>= 1`
			`}`
			`return Privileges(newPrivilege)`
			`}`