From 594372506b97ec0608a33d6405dd7697845209ca Mon Sep 17 00:00:00 2001
From: Ruben
Date: Fri, 20 Dec 2024 15:00:39 +0100
Subject: [PATCH 1/4] put timesheet and worklogs in employee-specific graph

add a group `public-all-employees` so kimai-service kan keep access to all the graphs. only persons part of the `employee` group have their own graph. The assumption is made that other users have no timesheet/worklog data.
---
 config/authorization/config.lisp | 23 ++++++++---
 ...e-timesheet-employee-specific-graph.sparql | 38 +++++++++++++++++++
 2 files changed, 56 insertions(+), 5 deletions(-)
 create mode 100644 config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
diff --git a/config/authorization/config.lisp b/config/authorization/config.lisp
index 6cb0405..dee8507 100644
--- a/config/authorization/config.lisp
+++ b/config/authorization/config.lisp
@@ -55,7 +55,7 @@
 ;; specifications can be folded too. This could help when building
 ;; indexes.
-(define-graph timesheet ("http://mu.semte.ch/graphs/redpencil")
+(define-graph timesheet ("http://mu.semte.ch/graphs/employees/")
 ("cal:Vevent" -> _)
 ("skos:Collection" -> _)
 ("foaf:Person" -> _)
@@ -89,6 +89,15 @@
 (supply-allowed-group "public")
+(supply-allowed-group "public-all-employees"
+ :parameters ("employeeId")
+ :query "PREFIX mu:
+ SELECT ?employeeId WHERE {
+ foaf:member ?user .
+ ?user mu:uuid ?employeeId .
+ }"
+)
+
 (supply-allowed-group "logged-in"
 :parameters ()
 :query "PREFIX session:
@@ -111,14 +120,15 @@
 (supply-allowed-group "employee"
- :parameters ()
+ :parameters ("employeeId")
 :query "PREFIX session:
 PREFIX foaf:
 PREFIX mu:
- SELECT ?account WHERE {
+ SELECT ?account ?employeeId WHERE {
 session:account ?account .
 ?user foaf:account ?account .
 foaf:member ?user .
+ ?user mu:uuid ?employeeId .
 } LIMIT 1")
 (grant (read)
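Review bot: The `public-all-employees` group added in the second hunk is supplied outside any `with-scope`, so its query, which yields one binding per member of the employee group, runs for every request from every caller (anonymous ones included) and attaches one group entry per employee to every request, while the only grant that uses the group is the scoped one for the kimai sync service in the following hunk. The scoped grant means this is not a data-exposure problem on its own, but it is an avoidable per-request query over all employees and the intent is not visible at the definition; a comment above it would help, e.g. `;; one entry per employee graph; only the kimai sync service scope below is granted access through this group`. In the third hunk the `employee` group now selects `?user mu:uuid ?employeeId` under `LIMIT 1`, so a user with more than one `mu:uuid` would be placed in an arbitrarily chosen graph; worth confirming uuids are unique per user. The closing lines of that third hunk appear to be cut off in this listing.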
@@ -127,11 +137,14 @@
 (with-scope "http://services.redpencil.io/timekeeper-kimai-sync-service"
 (grant (read write)
- :to-graph (kimai timesheet)
+ :to-graph (kimai)
 :for-allowed-group "public")
 (grant (read)
 :to-graph (users)
- :for-allowed-group "public"))
+ :for-allowed-group "public")
+ (grant (read write)
+ :to-graph (timesheet)
+ :for-allowed-group "public-all-employees"))
 (grant (read write)
 :to-graph (timesheet)
diff --git a/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql b/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
new file mode 100644
index 0000000..2be94cd
--- /dev/null
+++ b/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
@@ -0,0 +1,38 @@
+PREFIX skos:
+prefix prov:
+prefix cal:
+PREFIX mu:
+DELETE {
+ GRAPH {
+ ?s ?p ?o .
+ }
+} INSERT {
+ GRAPH ?g {
+ ?s ?p ?o .
+ }
+} WHERE {
+ GRAPH {
+ ?s a skos:Collection .
+ ?s ?p ?o .
+ ?s prov:wasAssociatedWith ?employee .
+ }
+ ?employee mu:uuid ?employeeId .
+ BIND(IRI(CONCAT("http://mu.semte.ch/graphs/employees/", ?employeeId)) AS ?g)
+};
+DELETE {
+ GRAPH {
+ ?s ?p ?o .
+ }
+} INSERT {
+ GRAPH ?g {
+ ?s ?p ?o .
+ }
+} WHERE {
+ GRAPH {
+ ?s a cal:Vevent .
+ ?s ?p ?o .
+ ?s prov:wasAssociatedWith ?employee .
+ }
+ ?employee mu:uuid ?employeeId .
+ BIND(IRI(CONCAT("http://mu.semte.ch/graphs/employees/", ?employeeId)) AS ?g)
+}
From fe4cf22c6c81950b5fc26075e0ea83494b689e22 Mon Sep 17 00:00:00 2001
From: Erika Pauwels
Date: Fri, 27 Dec 2024 14:44:25 +0100
Subject: [PATCH 2/4] Rename public-all-employees to kimai-each-employee
---
 config/authorization/config.lisp | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)
diff --git a/config/authorization/config.lisp b/config/authorization/config.lisp
index dee8507..89500a3 100644
--- a/config/authorization/config.lisp
+++ b/config/authorization/config.lisp
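Review bot: The migration only relocates triples whose subject is a `skos:Collection` or `cal:Vevent` carrying `prov:wasAssociatedWith` to an employee that has a `mu:uuid`; anything else in `http://mu.semte.ch/graphs/redpencil` (resources without that link, other types listed in the `timesheet` graph spec such as `foaf:Person`, and triples in which a moved resource is the object rather than the subject) stays behind in a graph the updated `timesheet` definition no longer covers. The patch description states the assumption that no such data exists, but nothing in the migration checks it. Running a count before and after, e.g. `SELECT (COUNT(*) AS ?c) WHERE { GRAPH <http://mu.semte.ch/graphs/redpencil> { ?s ?p ?o . } }`, would make the assumption verifiable and show what was left behind. Note also that `?employee mu:uuid ?employeeId` is not restricted to members of the employee group, so data associated with a non-member would be moved into a per-employee graph that no allowed-group reaches.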
@@ -89,15 +89,6 @@
 (supply-allowed-group "public")
-(supply-allowed-group "public-all-employees"
- :parameters ("employeeId")
- :query "PREFIX mu:
- SELECT ?employeeId WHERE {
- foaf:member ?user .
- ?user mu:uuid ?employeeId .
- }"
-)
-
 (supply-allowed-group "logged-in"
 :parameters ()
 :query "PREFIX session:
@@ -118,7 +109,6 @@
 foaf:member ?user .
 } LIMIT 1")
-
 (supply-allowed-group "employee"
 :parameters ("employeeId")
 :query "PREFIX session:
@@ -131,6 +121,14 @@
 ?user mu:uuid ?employeeId .
 } LIMIT 1")
+(supply-allowed-group "kimai-each-employee"
+ :parameters ("employeeId")
+ :query "PREFIX mu:
+ SELECT ?employeeId WHERE {
+ foaf:member ?user .
+ ?user mu:uuid ?employeeId .
+ }")
+
 (grant (read)
 :to-graph (static)
 :for-allowed-group "public")
@@ -144,7 +142,7 @@
 :for-allowed-group "public")
 (grant (read write)
 :to-graph (timesheet)
- :for-allowed-group "public-all-employees"))
+ :for-allowed-group "kimai-each-employee"))
 (grant (read write)
 :to-graph (timesheet)
From de5e658c3159117dbac0f7fc19c79d3ce84942b9 Mon Sep 17 00:00:00 2001
From: Erika Pauwels
Date: Fri, 27 Dec 2024 15:26:45 +0100
Subject: [PATCH 3/4] Add missing foaf prefix to SPARQL query in auth config
---
 config/authorization/config.lisp | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)
diff --git a/config/authorization/config.lisp b/config/authorization/config.lisp
index 89500a3..5c2329f 100644
--- a/config/authorization/config.lisp
+++ b/config/authorization/config.lisp
@@ -123,15 +123,22 @@
 (supply-allowed-group "kimai-each-employee"
 :parameters ("employeeId")
- :query "PREFIX mu:
+ :query "PREFIX foaf:
+ PREFIX mu:
 SELECT ?employeeId WHERE {
 foaf:member ?user .
 ?user mu:uuid ?employeeId .
 }")
+;; workaroud to avoid allowed-groups to be discarded because they don't have a grant
+(grant (read)
+ :to-graph (static)
+ :for-allowed-group "public")
+
 (grant (read)
- :to-graph (static)
- :for-allowed-group "public")
+ :to-graph (static)
+ :for-allowed-group "kimai-each-employee")
+;; end workaround
 (with-scope "http://services.redpencil.io/timekeeper-kimai-sync-service"
 (grant (read write)
From 54ebcb51b1a3ba3efc4c61f2865438684a6898d2 Mon Sep 17 00:00:00 2001
From: Aad Versteden
Date: Sun, 29 Dec 2024 23:15:11 +0100
Subject: [PATCH 4/4] More consistent whitespace and caps in migration

No logical change to the migration so it's safe to update it without changing the filename.
---
 ...0-move-timesheet-employee-specific-graph.sparql | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql b/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
index 2be94cd..1441570 100644
--- a/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
+++ b/config/migrations/20241219140000-move-timesheet-employee-specific-graph.sparql
@@ -1,19 +1,19 @@
 PREFIX skos:
-prefix prov:
-prefix cal:
+PREFIX prov:
+PREFIX cal:
 PREFIX mu:
 DELETE {
 GRAPH {
 ?s ?p ?o .
 }
 } INSERT {
- GRAPH ?g {
+ GRAPH ?g {
 ?s ?p ?o .
 }
 } WHERE {
 GRAPH {
- ?s a skos:Collection .
- ?s ?p ?o .
+ ?s a skos:Collection .
+ ?s ?p ?o .
 ?s prov:wasAssociatedWith ?employee .
 }
 ?employee mu:uuid ?employeeId .
@@ -29,8 +29,8 @@ DELETE {
 }
 } WHERE {
 GRAPH {
- ?s a cal:Vevent .
- ?s ?p ?o .
+ ?s a cal:Vevent .
+ ?s ?p ?o .
 ?s prov:wasAssociatedWith ?employee .
 }
 ?employee mu:uuid ?employeeId .
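Review bot: The workaround grant `(grant (read) :to-graph (static) :for-allowed-group "kimai-each-employee")` in the first hunk of this patch sits outside any `with-scope`, so every request, not only the kimai sync service's, now keeps one `kimai-each-employee` entry per employee in its allowed groups, while the grant itself adds nothing `public` does not already have on `static`. The comment says the grant exists to stop the group being discarded but not what was observed or under which condition, which is what a later maintainer needs before touching it; something like `;; workaround: groups with no unscoped grant appear to be discarded, which presumably broke the scoped timesheet grant below; this read grant on static (already public) only keeps kimai-each-employee alive` (and `workaroud` corrected) would capture that. If a scoped grant turns out to be sufficient in the deployed mu-authorization version, moving this grant into the `with-scope` form below would keep the per-employee group list off unrelated requests. The `with-scope` form continues past the end of the hunk.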