ZDDC
7c0b66590c
When a user lacks permission, the app should (a) not let them do data entry it
will reject and (b) subtly say who can. General mechanism + the key gates.
Server — compute & expose "who can <verb> here":
- zddc.WhoCan(chain, verb) → Authority{Roles, People}: the acl.permissions
grantees holding the verb across the cascade (roles + their members) plus the
admins (who bypass). New whocan.go + whocan_test.go.
- AccessView gains path_who_can (profilehandler.go), populated only for verbs the
caller LACKS and only when they can read the path (mirrors .zddc readability),
so one cap.at() answers "can I?" and "if not, who?".
- writeForbiddenWho enriches the 403 body with who_can for the missing verb
(errors.go); authorizeAction uses it (fileapi.go) as the safety net for denials
that weren't pre-checked.
Shared — shared/cap.js:
- cap.whoCan(view, verb) + cap.denyHint(view, verb) → {text, title}, role-first
("Only the document controller can create here") with the people in the tooltip.
- handleForbidden appends the hint (from the 403 body, else the cached view), so
every tool that already routes 403s through it (form save, tables save, browse)
now explains who can — for free.
Key gates:
- Browse party-create (the reported bug): pre-check create authority on ssr/ and
the slot BEFORE opening the picker — if the user can do neither, show the hint
instead of the form; if only existing parties are usable, disable "+ New party"
with the who-can hint. The post-hoc 403 catch now names who can too.
- Tables +Add row disabled state shows the who-can hint.
Plus: subtle /_apps/{browse,archive,classifier}.html links in the landing footer.
Tests: Go WhoCan unit test (role/person split, admin bypass, dedupe); cap.spec.js
(denyHint role-first/people/fallback, whoCan, handleForbidden enrichment) — 5
green; Go handler+zddc+policy suites green. (Pre-existing stale browse toolbar
test browse.spec.js:274 unaffected.)
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
74 lines
2.6 KiB
Go
74 lines
2.6 KiB
Go
package handler
|
|
|
|
import (
|
|
"encoding/json"
|
|
"net/http"
|
|
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/policy"
|
|
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
|
|
)
|
|
|
|
// writeForbidden emits a 403 JSON response naming the missing verb. Used
|
|
// at every ACL-deny site so the client-side toast can render a specific
|
|
// "you need <verb> here" message and offer elevation when the path-scoped
|
|
// /.profile/access?path= reports a would_elevate_grant covering that verb.
|
|
//
|
|
// Body shape:
|
|
//
|
|
// {"error": "Forbidden", "missing_verb": "w"}
|
|
//
|
|
// Existing clients that read the body as text see the JSON string instead
|
|
// of "Forbidden\n" — both are diagnostic-only display strings, no client
|
|
// in this repo parses the previous plain-text body for content. Used in
|
|
// place of `http.Error(w, "Forbidden", http.StatusForbidden)` exclusively
|
|
// for ACL-deny cases. Other 403 conditions (no authenticated principal,
|
|
// existence-leak guards, etc.) keep the plain-text variant since
|
|
// "missing_verb" doesn't apply to them.
|
|
func writeForbidden(w http.ResponseWriter, action string) {
|
|
verb := verbForAction(action)
|
|
body, _ := json.Marshal(map[string]string{
|
|
"error": "Forbidden",
|
|
"missing_verb": verb,
|
|
})
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(http.StatusForbidden)
|
|
_, _ = w.Write(body)
|
|
}
|
|
|
|
// writeForbiddenWho is writeForbidden enriched with a "who_can" Authority for
|
|
// the missing verb, computed from the deny site's policy chain. Lets the toast
|
|
// tell the user who to ask even when the action wasn't pre-checked (a race, or
|
|
// a path the client didn't gate). The pre-check path (AccessView.PathWhoCan) is
|
|
// the primary surface; this is the safety net.
|
|
func writeForbiddenWho(w http.ResponseWriter, action string, chain zddc.PolicyChain) {
|
|
verb := verbForAction(action)
|
|
body := map[string]any{"error": "Forbidden", "missing_verb": verb}
|
|
if vs, ok := zddc.ParseVerbSet(verb); ok {
|
|
if a := zddc.WhoCan(chain, vs); !a.Empty() {
|
|
body["who_can"] = a
|
|
}
|
|
}
|
|
raw, _ := json.Marshal(body)
|
|
w.Header().Set("Content-Type", "application/json; charset=utf-8")
|
|
w.WriteHeader(http.StatusForbidden)
|
|
_, _ = w.Write(raw)
|
|
}
|
|
|
|
// verbForAction maps a policy.Action constant to its single-character
|
|
// verb. Mirrors policy.actionVerb but emits the wire-format letter
|
|
// rather than the bitmask, so the JSON body carries "r"/"w"/"c"/"d"/"a"
|
|
// — the same alphabet the listing's `verbs` field uses.
|
|
func verbForAction(action string) string {
|
|
switch action {
|
|
case policy.ActionWrite:
|
|
return "w"
|
|
case policy.ActionCreate:
|
|
return "c"
|
|
case policy.ActionDelete:
|
|
return "d"
|
|
case policy.ActionAdmin:
|
|
return "a"
|
|
default:
|
|
return "r"
|
|
}
|
|
}
|