diff --git a/api/shortcut.go b/api/shortcut.go
index 80054f5..8f3eb81 100644
--- a/api/shortcut.go
+++ b/api/shortcut.go
@@ -74,10 +74,11 @@ type ShortcutFind struct {
 WorkspaceID *int `json:"workspaceId"`
 // Domain specific fields
- Name *string `json:"name"`
- Link *string `json:"link"`
- Description *string `json:"description"`
- Visibility *Visibility `json:"visibility"`
+ Name *string
+ Link *string
+ Description *string
+ MemberID *int
+ VisibilityList []Visibility
 }
 type ShortcutDelete struct {
diff --git a/server/shortcut.go b/server/shortcut.go
index 9906dfd..d232039 100644
--- a/server/shortcut.go
+++ b/server/shortcut.go
@@ -66,8 +66,12 @@ func (s *Server) registerShortcutRoutes(g *echo.Group) {
 g.GET("/shortcut", func(c echo.Context) error {
 ctx := c.Request().Context()
- shortcutFind := &api.ShortcutFind{}
+ userID, ok := c.Get(getUserIDContextKey()).(int)
+ if !ok {
+ return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+ }
+ shortcutFind := &api.ShortcutFind{}
 if workspaceID, err := strconv.Atoi(c.QueryParam("workspaceId")); err == nil {
 shortcutFind.WorkspaceID = &workspaceID
 }
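Review bot: In api/shortcut.go, dropping the `json` tags from `Name`, `Link`, `Description`, `MemberID` and `VisibilityList` does not stop encoding/json from populating them, because untagged exported fields are still matched by field name, case-insensitively. In this commit the struct is filled from query parameters and server-side values, but if `ShortcutFind` is ever bound from a request body, a client could supply `MemberID` or `VisibilityList` itself. If the intent is that these filters are set only by the server, tag them `json:"-"` and add a short comment on the struct saying so.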
@@ -78,10 +82,24 @@ func (s *Server) registerShortcutRoutes(g *echo.Group) {
 shortcutFind.Link = &link
 }
- list, err := s.Store.FindShortcutList(ctx, shortcutFind)
+ list := []*api.Shortcut{}
+ if shortcutFind.WorkspaceID == nil {
+ shortcutFind.MemberID = &userID
+ }
+ shortcutFind.VisibilityList = []api.Visibility{api.VisibilityWorkspace, api.VisibilityPublic}
+ visibleShortcutList, err := s.Store.FindShortcutList(ctx, shortcutFind)
 if err != nil {
 return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch shortcut list").SetInternal(err)
 }
+ list = append(list, visibleShortcutList...)
+
+ shortcutFind.VisibilityList = []api.Visibility{api.VisibilityPrivite}
+ shortcutFind.CreatorID = &userID
+ privateShortcutList, err := s.Store.FindShortcutList(ctx, shortcutFind)
+ if err != nil {
+ return echo.NewHTTPError(http.StatusInternalServerError, "Failed to fetch private shortcut list").SetInternal(err)
+ }
+ list = append(list, privateShortcutList...)
 c.Response().Header().Set(echo.HeaderContentType, echo.MIMEApplicationJSONCharsetUTF8)
 if err := json.NewEncoder(c.Response().Writer).Encode(composeResponse(list)); err != nil {
diff --git a/server/workspace.go b/server/workspace.go
index e8d2539..343bf5d 100644
--- a/server/workspace.go
+++ b/server/workspace.go
@@ -125,6 +125,10 @@ func (s *Server) registerWorkspaceRoutes(g *echo.Group) {
 return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 }
+ if shortcut.Visibility == api.VisibilityPrivite && shortcut.CreatorID != userID {
+ return echo.NewHTTPError(http.StatusUnauthorized, "not shortcut owner")
+ }
+
 workspaceUser, err := s.Store.FindWordspaceUser(ctx, &api.WorkspaceUserFind{
 WorkspaceID: &workspace.ID,
 UserID: &userID,
diff --git a/store/shortcut.go b/store/shortcut.go
index 8356cd4..f8a7902 100644
--- a/store/shortcut.go
+++ b/store/shortcut.go
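Review bot: In the GET /shortcut handler of server/shortcut.go, the membership filter is applied only when no workspaceId is supplied (`if shortcutFind.WorkspaceID == nil { shortcutFind.MemberID = &userID }`), so a request that names a workspace is queried for `VisibilityWorkspace` shortcuts with no check in this hunk that the caller belongs to that workspace. Unless membership is enforced outside the hunk, set `shortcutFind.MemberID = &userID` for the workspace-visibility query regardless of the parameter, or look the caller up with `s.Store.FindWordspaceUser` first, as the workspace handler does. Separately, the same `shortcutFind` is mutated and reused for the private query, so `MemberID` and the earlier filters carry over silently; a fresh struct per query, or a comment such as `// private query inherits the filters set above`, would make that explicit. The handler body starts and ends outside the hunk.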
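Review bot: The ownership check added in server/workspace.go answers with `http.StatusUnauthorized` and the message "not shortcut owner", which confirms to an authenticated non-owner that the private shortcut exists, and it runs before the workspace-membership lookup that follows. 401 signals missing or invalid credentials; for a caller who is authenticated but not permitted, `http.StatusForbidden` is the matching status, as in `return echo.NewHTTPError(http.StatusForbidden, "not shortcut owner")`. Returning the same response the handler gives for a shortcut that does not exist would avoid disclosing existence at all. The enclosing handler starts and ends outside the hunk, so its not-found path is not visible here.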
@@ -269,8 +269,16 @@ func findShortcutList(ctx context.Context, tx *sql.Tx, find *api.ShortcutFind) (
 if v := find.Description; v != nil {
 where, args = append(where, "description = ?"), append(args, *v)
 }
- if v := find.Visibility; v != nil {
- where, args = append(where, "visibility = ?"), append(args, *v)
+ if v := find.VisibilityList; len(v) != 0 {
+ list := []string{}
+ for _, visibility := range v {
+ list = append(list, fmt.Sprintf("$%d", len(args)+1))
+ args = append(args, visibility)
+ }
+ where = append(where, fmt.Sprintf("visibility in (%s)", strings.Join(list, ",")))
+ }
+ if v := find.MemberID; v != nil {
+ where, args = append(where, "workspace_id IN (SELECT workspace_id FROM workspace_user WHERE user_id = ? )"), append(args, *v)
 }
 rows, err := tx.QueryContext(ctx, `
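Review bot: In findShortcutList in store/shortcut.go, the new visibility clause emits numbered `$N` placeholders (`fmt.Sprintf("$%d", len(args)+1)`) while every other clause visible in the hunk, including the added `MemberID` subquery, uses `?`. The values are still bound as arguments rather than concatenated into the SQL, which is the right approach, but mixing the two placeholder styles in one statement relies on how the driver numbers parameters and may misbind if clauses are later reordered. Appending a plain `?` per element (`list = append(list, "?")`) keeps the clause consistent with the rest of the WHERE builder. The function body starts and ends outside the hunk.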