fix: fixed viewing of apps of other users

Author: ludomikula

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/application/repository/ApplicationRepository.java

@@ -32,6 +32,8 @@ public interface ApplicationRepository extends ReactiveMongoRepository<Applicati
 
     Flux<Application> findByIdIn(Collection<String> ids);
 
+    Flux<Application> findByCreatedByAndIdIn(String userId, Collection<String> ids);
+
     /**
      * Filter public applications from list of supplied IDs
      */

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/application/service/ApplicationService.java

@@ -52,15 +52,15 @@ public interface ApplicationService {
 
     @NonEmptyMono
     @SuppressWarnings("ReactiveStreamsNullableInLambdaInTransform")
-    Mono<Set<String>> getFilteredPublicApplicationIds(ApplicationRequestType requestType, Collection<String> applicationIds, boolean isAnonymous, Boolean isPrivateMarketplace);
+    Mono<Set<String>> getFilteredPublicApplicationIds(ApplicationRequestType requestType, Collection<String> applicationIds, String userId, Boolean isPrivateMarketplace);
 
     @NonEmptyMono
     @SuppressWarnings("ReactiveStreamsNullableInLambdaInTransform")
     Mono<Set<String>> getPublicApplicationIds(Collection<String> applicationIds);
 
     @NonEmptyMono
     @SuppressWarnings("ReactiveStreamsNullableInLambdaInTransform")
-    Mono<Set<String>> getPrivateApplicationIds(Collection<String> applicationIds);
+    Mono<Set<String>> getPrivateApplicationIds(Collection<String> applicationIds, String userId);
 
     @NonEmptyMono
     @SuppressWarnings("ReactiveStreamsNullableInLambdaInTransform")

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/application/service/ApplicationServiceImpl.java

@@ -7,12 +7,17 @@
 import java.util.stream.Collectors;
 
 import lombok.RequiredArgsConstructor;
+import org.apache.commons.lang3.StringUtils;
 import org.lowcoder.domain.application.model.Application;
 import org.lowcoder.domain.application.model.ApplicationRequestType;
 import org.lowcoder.domain.application.model.ApplicationStatus;
 import org.lowcoder.domain.application.repository.ApplicationRepository;
+import org.lowcoder.domain.organization.repository.OrganizationRepository;
+import org.lowcoder.domain.organization.service.OrgMemberService;
 import org.lowcoder.domain.permission.model.ResourceRole;
 import org.lowcoder.domain.permission.service.ResourcePermissionService;
+import org.lowcoder.domain.user.repository.UserRepository;
+import org.lowcoder.domain.user.service.UserService;
 import org.lowcoder.infra.annotation.NonEmptyMono;
 import org.lowcoder.infra.mongo.MongoUpsertHelper;
 import org.lowcoder.sdk.constants.FieldName;
@@ -37,6 +42,7 @@ public class ApplicationServiceImpl implements ApplicationService {
     private final MongoUpsertHelper mongoUpsertHelper;
     private final ResourcePermissionService resourcePermissionService;
     private final ApplicationRepository repository;
+    private final UserRepository userRepository;
 
     @Override
     public Mono<Application> findById(String id) {
@@ -219,8 +225,8 @@ public Mono<Boolean> setApplicationAsAgencyProfile(String applicationId, boolean
     @Override
     @NonEmptyMono
     @SuppressWarnings("ReactiveStreamsNullableInLambdaInTransform")
-    public Mono<Set<String>> getFilteredPublicApplicationIds(ApplicationRequestType requestType, Collection<String> applicationIds, boolean isAnonymous, Boolean isPrivateMarketplace) {
-
+    public Mono<Set<String>> getFilteredPublicApplicationIds(ApplicationRequestType requestType, Collection<String> applicationIds, String userId, Boolean isPrivateMarketplace) {
+        boolean isAnonymous = StringUtils.isBlank(userId);
     	switch(requestType)
     	{
 	    	case PUBLIC_TO_ALL:
@@ -230,7 +236,7 @@ public Mono<Set<String>> getFilteredPublicApplicationIds(ApplicationRequestType
 	    		}
 	    		else
 	    		{
-	    			return getPrivateApplicationIds(applicationIds);
+	    			return getPrivateApplicationIds(applicationIds, userId);
 	    		}
 	    	case PUBLIC_TO_MARKETPLACE:
 	    		return getPublicMarketplaceApplicationIds(applicationIds, isAnonymous, isPrivateMarketplace);
@@ -262,11 +268,16 @@ public Mono<Set<String>> getPublicApplicationIds(Collection<String> applicationI
     @Override
     @NonEmptyMono
     @SuppressWarnings("ReactiveStreamsNullableInLambdaInTransform")
-    public Mono<Set<String>> getPrivateApplicationIds(Collection<String> applicationIds) {
+    public Mono<Set<String>> getPrivateApplicationIds(Collection<String> applicationIds, String userId) {
+
     	// TODO: in 2.4.0 we need to check whether the app was published or not
-        return repository.findByIdIn(applicationIds)
+        return repository.findByCreatedByAndIdIn(userId, applicationIds)
                         .map(HasIdAndAuditing::getId)
                         .collect(Collectors.toSet());
+
+//        return repository.findByIdIn(applicationIds)
+//                        .map(HasIdAndAuditing::getId)
+//                        .collect(Collectors.toSet());
     }
 
 

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/permission/service/ApplicationPermissionHandler.java

@@ -53,10 +53,10 @@ protected Mono<Map<String, List<ResourcePermission>>> getAnonymousUserPermission
     // This is for PTM apps that are public but only available to logged-in users
     @Override
     protected Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserPublicResourcePermissions
-            (Collection<String> resourceIds, ResourceAction resourceAction) {
+            (Collection<String> resourceIds, ResourceAction resourceAction, String userId) {
 
         Set<String> applicationIds = newHashSet(resourceIds);
-        return Mono.zip(applicationService.getPrivateApplicationIds(applicationIds),
+        return Mono.zip(applicationService.getPrivateApplicationIds(applicationIds, userId),
                         templateSolutionService.getTemplateApplicationIds(applicationIds))
                 .map(tuple -> {
                     Set<String> publicAppIds = tuple.getT1();
@@ -75,7 +75,7 @@ protected Mono<Map<String, List<ResourcePermission>>> getAnonymousUserApplicatio
         }
 
         Set<String> applicationIds = newHashSet(resourceIds);
-        return Mono.zip(applicationService.getFilteredPublicApplicationIds(requestType, applicationIds, Boolean.TRUE, config.getMarketplace().isPrivateMode())
+        return Mono.zip(applicationService.getFilteredPublicApplicationIds(requestType, applicationIds, null, config.getMarketplace().isPrivateMode())
         					.defaultIfEmpty(new HashSet<>()),
                         templateSolutionService.getTemplateApplicationIds(applicationIds)
                         	.defaultIfEmpty(new HashSet<>())
@@ -88,9 +88,9 @@ protected Mono<Map<String, List<ResourcePermission>>> getAnonymousUserApplicatio
 
 	@Override
 	protected Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserApplicationPublicResourcePermissions(
-			Collection<String> resourceIds, ResourceAction resourceAction, ApplicationRequestType requestType) {
+			Collection<String> resourceIds, ResourceAction resourceAction, ApplicationRequestType requestType, String userId) {
         Set<String> applicationIds = newHashSet(resourceIds);
-        return Mono.zip(applicationService.getFilteredPublicApplicationIds(requestType, applicationIds, Boolean.FALSE, config.getMarketplace().isPrivateMode()),
+        return Mono.zip(applicationService.getFilteredPublicApplicationIds(requestType, applicationIds, userId, config.getMarketplace().isPrivateMode()),
                         templateSolutionService.getTemplateApplicationIds(applicationIds))
                 .map(tuple -> {
                     Set<String> publicAppIds = tuple.getT1();

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/permission/service/DatasourcePermissionHandler.java

@@ -36,7 +36,7 @@ protected Mono<Map<String, List<ResourcePermission>>> getAnonymousUserPermission
     }
 
     @Override
-    protected Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserPublicResourcePermissions(Collection<String> resourceIds, ResourceAction resourceAction) {
+    protected Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserPublicResourcePermissions(Collection<String> resourceIds, ResourceAction resourceAction, String userId) {
         return Mono.just(Collections.emptyMap());
     }
 
@@ -48,7 +48,7 @@ protected Mono<Map<String, List<ResourcePermission>>> getAnonymousUserApplicatio
 
 	@Override
 	protected Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserApplicationPublicResourcePermissions(
-			Collection<String> resourceIds, ResourceAction resourceAction, ApplicationRequestType requestType) {
+			Collection<String> resourceIds, ResourceAction resourceAction, ApplicationRequestType requestType, String userId) {
         return Mono.just(Collections.emptyMap());
 	}
 

server/api-service/lowcoder-domain/src/main/java/org/lowcoder/domain/permission/service/ResourcePermissionHandler.java

@@ -88,7 +88,7 @@ public Mono<UserPermissionOnResourceStatus> checkUserPermissionStatusOnResource(
             return publicResourcePermissionMono;
         }
 
-        Mono<UserPermissionOnResourceStatus> nonAnonymousPublicResourcePermissionMono = getNonAnonymousUserPublicResourcePermissions(singletonList(resourceId), resourceAction)
+        Mono<UserPermissionOnResourceStatus> nonAnonymousPublicResourcePermissionMono = getNonAnonymousUserPublicResourcePermissions(singletonList(resourceId), resourceAction, userId)
                 .map(it -> it.getOrDefault(resourceId, emptyList()))
                 .map(it -> {
                     if (!it.isEmpty()) {
@@ -141,13 +141,13 @@ protected abstract Mono<Map<String, List<ResourcePermission>>> getAnonymousUserP
             ResourceAction resourceAction);
 
     protected abstract Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserPublicResourcePermissions
-            (Collection<String> resourceIds, ResourceAction resourceAction);
+            (Collection<String> resourceIds, ResourceAction resourceAction, String userId);
 
     protected abstract Mono<Map<String, List<ResourcePermission>>> getAnonymousUserApplicationPermissions(Collection<String> resourceIds,
             ResourceAction resourceAction, ApplicationRequestType requestType);
 
     protected abstract Mono<Map<String, List<ResourcePermission>>> getNonAnonymousUserApplicationPublicResourcePermissions
-            (Collection<String> resourceIds, ResourceAction resourceAction, ApplicationRequestType requestType);
+            (Collection<String> resourceIds, ResourceAction resourceAction, ApplicationRequestType requestType, String userId);
 
 
     private Mono<Map<String, List<ResourcePermission>>> getAllMatchingPermissions0(String userId, String orgId, ResourceType resourceType,
@@ -229,7 +229,7 @@ public Mono<UserPermissionOnResourceStatus> checkUserPermissionStatusOnApplicati
             return publicResourcePermissionMono;
         }
 
-        Mono<UserPermissionOnResourceStatus> nonAnonymousPublicResourcePermissionMono = getNonAnonymousUserApplicationPublicResourcePermissions(singletonList(resourceId), resourceAction, requestType)
+        Mono<UserPermissionOnResourceStatus> nonAnonymousPublicResourcePermissionMono = getNonAnonymousUserApplicationPublicResourcePermissions(singletonList(resourceId), resourceAction, requestType, userId)
                 .map(it -> it.getOrDefault(resourceId, emptyList()))
                 .map(it -> {
                     if (!it.isEmpty()) {