From a52c07910c4b11e33e1add927c6d9c37ecf5cfc2 Mon Sep 17 00:00:00 2001
From: oppiliappan
Date: Fri, 25 Jul 2025 11:11:50 +0100
Subject: [PATCH] rbac,knotserver: move `ThisServer` const to rbac pkg
Change-Id: vltkzpuwxukknkmsqzkkmtmuykqzxuwl
Signed-off-by: oppiliappan
---
 knotserver/ingester.go | 5 +++--
 knotserver/internal.go | 2 +-
 knotserver/routes.go | 11 ++++++-----
 knotserver/util.go | 5 -----
 rbac/rbac.go | 4 ++++
 5 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/knotserver/ingester.go b/knotserver/ingester.go
index bc6011d..abbd4e5 100644
--- a/knotserver/ingester.go
+++ b/knotserver/ingester.go
@@ -21,6 +21,7 @@ import (
 "tangled.sh/tangled.sh/core/knotserver/db"
 "tangled.sh/tangled.sh/core/knotserver/git"
 "tangled.sh/tangled.sh/core/log"
+ "tangled.sh/tangled.sh/core/rbac"
 "tangled.sh/tangled.sh/core/workflow"
 )
@@ -46,13 +47,13 @@ func (h *Handle) processKnotMember(ctx context.Context, did string, record tangl
 return fmt.Errorf("domain mismatch: %s != %s", record.Domain, h.c.Server.Hostname)
 }
- ok, err := h.e.E.Enforce(did, ThisServer, ThisServer, "server:invite")
+ ok, err := h.e.E.Enforce(did, rbac.ThisServer, rbac.ThisServer, "server:invite")
 if err != nil || !ok {
 l.Error("failed to add member", "did", did)
 return fmt.Errorf("failed to enforce permissions: %w", err)
 }
- if err := h.e.AddKnotMember(ThisServer, record.Subject); err != nil {
+ if err := h.e.AddKnotMember(rbac.ThisServer, record.Subject); err != nil {
 l.Error("failed to add member", "error", err)
 return fmt.Errorf("failed to add member: %w", err)
 }
diff --git a/knotserver/internal.go b/knotserver/internal.go
index 9450e87..0e2d41c 100644
--- a/knotserver/internal.go
+++ b/knotserver/internal.go
@@ -38,7 +38,7 @@ func (h *InternalHandle) PushAllowed(w http.ResponseWriter, r *http.Request) {
 return
 }
- ok, err := h.e.IsPushAllowed(user, ThisServer, repo)
+ ok, err := h.e.IsPushAllowed(user, rbac.ThisServer, repo)
 if err != nil || !ok {
 w.WriteHeader(http.StatusForbidden)
 return
diff --git a/knotserver/routes.go b/knotserver/routes.go
index 79b9b79..8b37982 100644
--- a/knotserver/routes.go
+++ b/knotserver/routes.go
@@ -29,6 +29,7 @@ import (
 "tangled.sh/tangled.sh/core/knotserver/db"
 "tangled.sh/tangled.sh/core/knotserver/git"
 "tangled.sh/tangled.sh/core/patchutil"
+ "tangled.sh/tangled.sh/core/rbac"
 "tangled.sh/tangled.sh/core/types"
 )
@@ -674,7 +675,7 @@ func (h *Handle) NewRepo(w http.ResponseWriter, r *http.Request) {
 }
 // add perms for this user to access the repo
- err = h.e.AddRepo(did, ThisServer, relativeRepoPath)
+ err = h.e.AddRepo(did, rbac.ThisServer, relativeRepoPath)
 if err != nil {
 l.Error("adding repo permissions", "error", err.Error())
 writeError(w, err.Error(), http.StatusInternalServerError)
@@ -892,7 +893,7 @@ func (h *Handle) RepoFork(w http.ResponseWriter, r *http.Request) {
 }
 // add perms for this user to access the repo
- err = h.e.AddRepo(did, ThisServer, relativeRepoPath)
+ err = h.e.AddRepo(did, rbac.ThisServer, relativeRepoPath)
 if err != nil {
 l.Error("adding repo permissions", "error", err.Error())
 writeError(w, err.Error(), http.StatusInternalServerError)
@@ -1146,7 +1147,7 @@ func (h *Handle) AddMember(w http.ResponseWriter, r *http.Request) {
 }
 h.jc.AddDid(did)
- if err := h.e.AddKnotMember(ThisServer, did); err != nil {
+ if err := h.e.AddKnotMember(rbac.ThisServer, did); err != nil {
 l.Error("adding member", "error", err.Error())
 writeError(w, err.Error(), http.StatusInternalServerError)
 return
@@ -1184,7 +1185,7 @@ func (h *Handle) AddRepoCollaborator(w http.ResponseWriter, r *http.Request) {
 h.jc.AddDid(data.Did)
 repoName, _ := securejoin.SecureJoin(ownerDid, repo)
- if err := h.e.AddCollaborator(data.Did, ThisServer, repoName); err != nil {
+ if err := h.e.AddCollaborator(data.Did, rbac.ThisServer, repoName); err != nil {
 l.Error("adding repo collaborator", "error", err.Error())
 writeError(w, err.Error(), http.StatusInternalServerError)
 return
@@ -1281,7 +1282,7 @@ func (h *Handle) Init(w http.ResponseWriter, r *http.Request) {
 }
 h.jc.AddDid(data.Did)
- if err := h.e.AddKnotOwner(ThisServer, data.Did); err != nil {
+ if err := h.e.AddKnotOwner(rbac.ThisServer, data.Did); err != nil {
 l.Error("adding owner", "error", err.Error())
 writeError(w, err.Error(), http.StatusInternalServerError)
 return
diff --git a/knotserver/util.go b/knotserver/util.go
index c7e8fa3..2cb6305 100644
--- a/knotserver/util.go
+++ b/knotserver/util.go
@@ -8,13 +8,8 @@ import (
 "github.com/bluesky-social/indigo/atproto/syntax"
 securejoin "github.com/cyphar/filepath-securejoin"
 "github.com/go-chi/chi/v5"
- "github.com/microcosm-cc/bluemonday"
 )
-func sanitize(content []byte) []byte {
- return bluemonday.UGCPolicy().SanitizeBytes([]byte(content))
-}
-
 func didPath(r *http.Request) string {
 did := chi.URLParam(r, "did")
 name := chi.URLParam(r, "name")
diff --git a/rbac/rbac.go b/rbac/rbac.go
index 46f5eba..a7fd5a0 100644
--- a/rbac/rbac.go
+++ b/rbac/rbac.go
@@ -10,6 +10,10 @@ import (
 "github.com/casbin/casbin/v2/model"
 )
+const (
+ ThisServer = "thisserver" // resource identifier for local rbac enforcement
+)
+
 const (
 Model = `
 [request_definition]
-- 
2.43.0
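Review bot: The comment on the newly exported `ThisServer` constant in rbac.go is a trailing remark rather than a Go doc comment, and it does not say what the value is: elsewhere in this patch it is passed as both the domain and the object argument to `h.e.E.Enforce` in ingester.go and in the same position to `AddRepo`, `AddKnotMember`, `AddKnotOwner` and `AddCollaborator` in routes.go, so it is a fixed label for the local knot rather than anything derived from the configured hostname. Move the comment above the declaration so godoc and linters surface it, e.g. `// ThisServer is the fixed domain label under which the local knot's` / `// permissions are stored and enforced; it is not the server hostname.` Now that the identifier is exported, a caller that passes some other string in that position would presumably be evaluated against policies that were never written for it, so stating that this is the one value expected for local enforcement is worth the two lines.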