1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316

#![cfg_attr(not(feature = "std"), no_std)]

use codec::{Decode, Encode};
use frame_support::{
    decl_error, decl_event, decl_module, decl_storage,
    ensure,
    traits::Get,
    dispatch::DispatchResult
};
use sp_runtime::RuntimeDebug;
use sp_std::{collections::btree_set::BTreeSet, iter::FromIterator, prelude::*};
use frame_system::{self as system, ensure_signed};

use df_traits::{
    PermissionChecker, SpaceFollowsProvider, SpaceForRolesProvider,
    moderation::{IsAccountBlocked, IsContentBlocked},
};
use pallet_permissions::{Module as Permissions, SpacePermission, SpacePermissionSet};
use pallet_utils::{Module as Utils, Error as UtilsError, SpaceId, User, WhoAndWhen, Content};

pub mod functions;
pub mod rpc;

#[cfg(test)]
mod mock;

#[cfg(test)]
mod tests;

type RoleId = u64;

#[derive(Encode, Decode, Clone, Eq, PartialEq, RuntimeDebug)]
pub struct Role<T: Trait> {
    pub created: WhoAndWhen<T>,
    pub updated: Option<WhoAndWhen<T>>,

    /// Unique sequential identifier of a role. Examples of role ids: `1`, `2`, `3`, and so on.
    pub id: RoleId,

    pub space_id: SpaceId,
    pub disabled: bool,
    pub expires_at: Option<T::BlockNumber>,
    pub content: Content,
    pub permissions: SpacePermissionSet,
}

#[derive(Encode, Decode, Clone, Eq, PartialEq, RuntimeDebug)]
pub struct RoleUpdate {
    pub disabled: Option<bool>,
    pub content: Option<Content>,
    pub permissions: Option<SpacePermissionSet>,
}

/// The pallet's configuration trait.
pub trait Trait: system::Trait
    + pallet_permissions::Trait
    + pallet_utils::Trait
{
    /// The overarching event type.
    type Event: From<Event<Self>> + Into<<Self as system::Trait>::Event>;

    type MaxUsersToProcessPerDeleteRole: Get<u16>;

    type Spaces: SpaceForRolesProvider<AccountId=Self::AccountId>;

    type SpaceFollows: SpaceFollowsProvider<AccountId=Self::AccountId>;

    type IsAccountBlocked: IsAccountBlocked<Self::AccountId>;

    type IsContentBlocked: IsContentBlocked;
}

decl_event!(
    pub enum Event<T> where
        <T as system::Trait>::AccountId
    {
        RoleCreated(AccountId, SpaceId, RoleId),
        RoleUpdated(AccountId, RoleId),
        RoleDeleted(AccountId, RoleId),
        RoleGranted(AccountId, RoleId, Vec<User<AccountId>>),
        RoleRevoked(AccountId, RoleId, Vec<User<AccountId>>),
    }
);

decl_error! {
    pub enum Error for Module<T: Trait> {
        /// Role was not found by id.
        RoleNotFound,
        /// RoleId counter storage overflowed.
        RoleIdOverflow,
        /// Account has no permission to manage roles in this space.
        NoPermissionToManageRoles,
        /// Nothing to update in role.
        NoUpdatesProvided,
        /// No permissions provided when trying to create a new role.
        NoPermissionsProvided,
        /// No users provided when trying to grant them a role.
        NoUsersProvided,
        /// There are too many users with this role to delete it in a single tx.
        TooManyUsersToDelete,
        /// Cannot disable a role that is already disabled.
        RoleAlreadyDisabled,
        /// Cannot enable a role that is already enabled.
        RoleAlreadyEnabled,
    }
}

pub const FIRST_ROLE_ID: u64 = 1;

// This pallet's storage items.
decl_storage! {
    trait Store for Module<T: Trait> as PermissionsModule {

        /// The next role id.
        pub NextRoleId get(fn next_role_id): RoleId = FIRST_ROLE_ID;

        /// Get role details by its id.
        pub RoleById get(fn role_by_id):
            map hasher(twox_64_concat) RoleId => Option<Role<T>>;

        /// A list of all users (account or space ids) that have this role.
        pub UsersByRoleId get(fn users_by_role_id):
            map hasher(twox_64_concat) RoleId => Vec<User<T::AccountId>>;

        /// A list of all role ids available in this space.
        pub RoleIdsBySpaceId get(fn role_ids_by_space_id):
            map hasher(twox_64_concat) SpaceId => Vec<RoleId>;

        /// A list of all role ids granted to this user (account or space) within this space.
        pub RoleIdsByUserInSpace get(fn role_ids_by_user_in_space): double_map
            hasher(blake2_128_concat) User<T::AccountId>,
            hasher(twox_64_concat) SpaceId
            => Vec<RoleId>;
    }
}

// The pallet's dispatchable functions.
decl_module! {
  pub struct Module<T: Trait> for enum Call where origin: T::Origin {

    const MaxUsersToProcessPerDeleteRole: u16 = T::MaxUsersToProcessPerDeleteRole::get();

    // Initializing errors
    type Error = Error<T>;

    // Initializing events
    fn deposit_event() = default;

    /// Create a new role in a space with a list of permissions.
    /// `content` points to the off-chain content with such additional info about this role
    /// as its name, description, color, etc.
    /// Only the space owner or a user with `ManageRoles` permission call this dispatch.
    #[weight = 10_000 + T::DbWeight::get().reads_writes(2, 3)]
    pub fn create_role(
      origin,
      space_id: SpaceId,
      time_to_live: Option<T::BlockNumber>,
      content: Content,
      permissions: Vec<SpacePermission>
    ) -> DispatchResult {
      let who = ensure_signed(origin)?;

      ensure!(!permissions.is_empty(), Error::<T>::NoPermissionsProvided);

      Utils::<T>::is_valid_content(content.clone())?;
      ensure!(T::IsContentBlocked::is_allowed_content(content.clone(), space_id), UtilsError::<T>::ContentIsBlocked);

      Self::ensure_role_manager(who.clone(), space_id)?;
      
      let permissions_set = BTreeSet::from_iter(permissions.into_iter());
      let new_role = Role::<T>::new(who.clone(), space_id, time_to_live, content, permissions_set)?;

      // TODO review strange code:
      let next_role_id = new_role.id.checked_add(1).ok_or(Error::<T>::RoleIdOverflow)?;
      NextRoleId::put(next_role_id);

      <RoleById<T>>::insert(new_role.id, new_role.clone());
      RoleIdsBySpaceId::mutate(space_id, |role_ids| { role_ids.push(new_role.id) });

      Self::deposit_event(RawEvent::RoleCreated(who, space_id, new_role.id));
      Ok(())
    }

    /// Update an existing role by its id.
    /// Only the space owner or a user with `ManageRoles` permission call this dispatch.
    #[weight = 10_000 + T::DbWeight::get().reads_writes(2, 1)]
    pub fn update_role(origin, role_id: RoleId, update: RoleUpdate) -> DispatchResult {
      let who = ensure_signed(origin)?;

      let has_updates =
        update.disabled.is_some() ||
        update.content.is_some() ||
        update.permissions.is_some();

      ensure!(has_updates, Error::<T>::NoUpdatesProvided);

      let mut role = Self::require_role(role_id)?;

      Self::ensure_role_manager(who.clone(), role.space_id)?;

      let mut is_update_applied = false;

      if let Some(disabled) = update.disabled {
        if disabled != role.disabled {
          role.set_disabled(disabled)?;
          is_update_applied = true;
        }
      }

      if let Some(content) = update.content {
        if content != role.content {
          Utils::<T>::is_valid_content(content.clone())?;
          ensure!(T::IsContentBlocked::is_allowed_content(content.clone(), role.space_id), UtilsError::<T>::ContentIsBlocked);

          role.content = content;
          is_update_applied = true;
        }
      }

      if let Some(permissions) = update.permissions {
        if !permissions.is_empty() {
          let permissions_diff: Vec<_> = permissions.symmetric_difference(&role.permissions).cloned().collect();

          if !permissions_diff.is_empty() {
            role.permissions = permissions;
            is_update_applied = true;
          }
        }
      }

      if is_update_applied {
        role.updated = Some(WhoAndWhen::<T>::new(who.clone()));

        <RoleById<T>>::insert(role_id, role);
        Self::deposit_event(RawEvent::RoleUpdated(who, role_id));
      }
      Ok(())
    }

    /// Delete a role from all associated storage items.
    /// Only the space owner or a user with `ManageRoles` permission call this dispatch.
    #[weight = 1_000_000 + T::DbWeight::get().reads_writes(6, 5)]
    pub fn delete_role(origin, role_id: RoleId) -> DispatchResult {
      let who = ensure_signed(origin)?;

      let role = Self::require_role(role_id)?;

      Self::ensure_role_manager(who.clone(), role.space_id)?;

      let users = Self::users_by_role_id(role_id);
      ensure!(
        users.len() <= T::MaxUsersToProcessPerDeleteRole::get() as usize,
        Error::<T>::TooManyUsersToDelete
      );

      let role_idx_by_space_opt = Self::role_ids_by_space_id(role.space_id).iter()
        .position(|x| { *x == role_id });

      if let Some(role_idx) = role_idx_by_space_opt {
        RoleIdsBySpaceId::mutate(role.space_id, |n| { n.swap_remove(role_idx) });
      }

      role.revoke_from_users(users);

      <RoleById<T>>::remove(role_id);
      <UsersByRoleId<T>>::remove(role_id);

      Self::deposit_event(RawEvent::RoleDeleted(who, role_id));
      Ok(())
    }

    /// Grant a role to a list of users.
    /// Only the space owner or a user with `ManageRoles` permission call this dispatch.
    #[weight = 1_000_000 + T::DbWeight::get().reads_writes(4, 2)]
    pub fn grant_role(origin, role_id: RoleId, users: Vec<User<T::AccountId>>) -> DispatchResult {
      let who = ensure_signed(origin)?;

      ensure!(!users.is_empty(), Error::<T>::NoUsersProvided);
      let users_set: BTreeSet<User<T::AccountId>> = Utils::<T>::convert_users_vec_to_btree_set(users)?;

      let role = Self::require_role(role_id)?;

      Self::ensure_role_manager(who.clone(), role.space_id)?;

      for user in users_set.iter() {
        if !Self::users_by_role_id(role_id).contains(&user) {
          <UsersByRoleId<T>>::mutate(role_id, |users| { users.push(user.clone()); });
        }
        if !Self::role_ids_by_user_in_space(user.clone(), role.space_id).contains(&role_id) {
          <RoleIdsByUserInSpace<T>>::mutate(user.clone(), role.space_id, |roles| { roles.push(role_id); })
        }
      }

      Self::deposit_event(RawEvent::RoleGranted(who, role_id, users_set.iter().cloned().collect()));
      Ok(())
    }

    /// Revoke a role from a list of users.
    /// Only the space owner or a user with `ManageRoles` permission call this dispatch.
    #[weight = 1_000_000 + T::DbWeight::get().reads_writes(4, 2)]
    pub fn revoke_role(origin, role_id: RoleId, users: Vec<User<T::AccountId>>) -> DispatchResult {
      let who = ensure_signed(origin)?;

      ensure!(!users.is_empty(), Error::<T>::NoUsersProvided);

      let role = Self::require_role(role_id)?;

      Self::ensure_role_manager(who.clone(), role.space_id)?;

      role.revoke_from_users(users.clone());

      Self::deposit_event(RawEvent::RoleRevoked(who, role_id, users));
      Ok(())
    }
  }
}