apply feedback

sourcenetwork · Dec 20, 2024 · 137e97e · 137e97e
1 parent ace6e9b
commit 137e97e
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 43 deletions.
diff --git a/internal/db/permission/check.go b/internal/db/permission/check.go
@@ -54,45 +54,6 @@ func CheckAccessOfDocOnCollectionWithACP(
 	)
 }
 
-// CheckAccessDocAccessWithDID handles the check, which tells us if access to the target
-// document is valid, with respect to the permission type, and the specified collection.
-//
-// The identity is determined by a DID.
-//
-// This function should only be called if acp is available. As we have unrestricted
-// access when acp is not available (acp turned off).
-//
-// Since we know acp is enabled we have these components to check in this function:
-// (1) the request is permissioned (has an identity),
-// (2) the collection is permissioned (has a policy),
-//
-// Unrestricted Access to document if:
-// - (2) is false.
-// - Document is public (unregistered), whether signatured request or not doesn't matter.
-func CheckDocAccessWithDID(
-	ctx context.Context,
-	did string,
-	acpSystem acp.ACP,
-	collection client.Collection,
-	permission acp.DPIPermission,
-	docID string,
-) (bool, error) {
-	identityFunc := func() immutable.Option[acpIdentity.Identity] {
-		if did == "" {
-			return immutable.None[acpIdentity.Identity]()
-		}
-		return immutable.Some[acpIdentity.Identity](acpIdentity.Identity{DID: did})
-	}
-	return CheckDocAccessWithIdentityFunc(
-		ctx,
-		identityFunc,
-		acpSystem,
-		collection,
-		permission,
-		docID,
-	)
-}
-
 // CheckDocAccessWithIdentityFunc handles the check, which tells us if access to the target
 // document is valid, with respect to the permission type, and the specified collection.
 //

diff --git a/net/server.go b/net/server.go
@@ -548,8 +548,9 @@ func (s *server) hasAccess(p libpeer.ID, c cid.Cid) bool {
 
 // trySelfHasAccess checks if the local node has access to the given block.
 //
-// This is a best-effort check and returns true unless we explicitly find that we don't have access
-// or if we get an error.
+// This is a best-effort check and returns true unless we explicitly find that the local node
+// doesn't have access or if we get an error. The node sending is ultimately responsible for
+// ensuring that the recipient has access.
 func (s *server) trySelfHasAccess(block *coreblock.Block) (bool, error) {
 	if !s.peer.acp.HasValue() {
 		return true, nil
@@ -575,9 +576,11 @@ func (s *server) trySelfHasAccess(block *coreblock.Block) (bool, error) {
 		return true, nil
 	}
 
-	peerHasAccess, err := permission.CheckDocAccessWithDID(
+	peerHasAccess, err := permission.CheckDocAccessWithIdentityFunc(
 		s.peer.ctx,
-		ident.Value().DID,
+		func() immutable.Option[identity.Identity] {
+			return immutable.Some(identity.Identity{DID: ident.Value().DID})
+		},
 		s.peer.acp.Value(),
 		cols[0], // For now we assume there is only one collection.
 		acp.ReadPermission,