package db import ( "context" "database/sql" "time" "git.haelnorr.com/h/oslstats/internal/roles" "github.com/pkg/errors" "github.com/uptrace/bun" ) type Role struct { bun.BaseModel `bun:"table:roles,alias:r"` ID int `bun:"id,pk,autoincrement"` Name roles.Role `bun:"name,unique,notnull"` DisplayName string `bun:"display_name,notnull"` Description string `bun:"description"` IsSystem bool `bun:"is_system,default:false"` CreatedAt int64 `bun:"created_at,notnull"` UpdatedAt *int64 `bun:"updated_at"` // Relations (loaded on demand) Users []User `bun:"m2m:user_roles,join:Role=User"` Permissions []Permission `bun:"m2m:role_permissions,join:Role=Permission"` } type RolePermission struct { RoleID int `bun:",pk"` Role *Role `bun:"rel:belongs-to,join:role_id=id"` PermissionID int `bun:",pk"` Permission *Permission `bun:"rel:belongs-to,join:permission_id=id"` } func (r Role) isSystem() bool { return r.IsSystem } // GetRoleByName queries the database for a role matching the given name // Returns nil, nil if no role is found func GetRoleByName(ctx context.Context, tx bun.Tx, name roles.Role) (*Role, error) { if name == "" { return nil, errors.New("name cannot be empty") } return GetByField[Role](tx, "name", name).GetFirst(ctx) } // GetRoleByID queries the database for a role matching the given ID // Returns nil, nil if no role is found func GetRoleByID(ctx context.Context, tx bun.Tx, id int) (*Role, error) { return GetByID[Role](tx, id).GetFirst(ctx) } // GetRoleWithPermissions loads a role and all its permissions func GetRoleWithPermissions(ctx context.Context, tx bun.Tx, id int) (*Role, error) { return GetByID[Role](tx, id).Relation("Permissions").GetFirst(ctx) } // ListAllRoles returns all roles func ListAllRoles(ctx context.Context, tx bun.Tx) ([]*Role, error) { var roles []*Role err := tx.NewSelect(). Model(&roles). Order("name ASC"). Scan(ctx) if err != nil && err != sql.ErrNoRows { return nil, errors.Wrap(err, "tx.NewSelect") } return roles, nil } // CreateRole creates a new role func CreateRole(ctx context.Context, tx bun.Tx, role *Role) error { if role == nil { return errors.New("role cannot be nil") } role.CreatedAt = time.Now().Unix() err := Insert(tx, role). Returning("id"). Exec(ctx) if err != nil { return errors.Wrap(err, "db.Insert") } return nil } // UpdateRole updates an existing role func UpdateRole(ctx context.Context, tx bun.Tx, role *Role) error { if role == nil { return errors.New("role cannot be nil") } if role.ID <= 0 { return errors.New("role id must be positive") } err := Update(tx, role). WherePK(). Exec(ctx) if err != nil { return errors.Wrap(err, "db.Update") } return nil } // DeleteRole deletes a role (checks IsSystem protection) func DeleteRole(ctx context.Context, tx bun.Tx, id int) error { if id <= 0 { return errors.New("id must be positive") } return DeleteWithProtection[Role](ctx, tx, id) } // AddPermissionToRole grants a permission to a role func AddPermissionToRole(ctx context.Context, tx bun.Tx, roleID, permissionID int) error { if roleID <= 0 { return errors.New("roleID must be positive") } if permissionID <= 0 { return errors.New("permissionID must be positive") } rolePerm := &RolePermission{ RoleID: roleID, PermissionID: permissionID, } err := Insert(tx, rolePerm). ConflictNothing("role_id", "permission_id"). Exec(ctx) if err != nil { return errors.Wrap(err, "db.Insert") } return nil } // RemovePermissionFromRole revokes a permission from a role func RemovePermissionFromRole(ctx context.Context, tx bun.Tx, roleID, permissionID int) error { if roleID <= 0 { return errors.New("roleID must be positive") } if permissionID <= 0 { return errors.New("permissionID must be positive") } err := DeleteItem[RolePermission](tx). Where("role_id = ?", roleID). Where("permission_id = ?", permissionID). Delete(ctx) if err != nil { return errors.Wrap(err, "DeleteItem") } return nil }