add checkPermission to all interactors

server/api/internal/usecase/interactor/asset.go

@@ -5,6 +5,7 @@ import (
 	"net/url"
 	"path"
 
+	"github.com/reearth/reearth-flow/api/internal/rbac"
 	"github.com/reearth/reearth-flow/api/internal/usecase/gateway"
 	"github.com/reearth/reearth-flow/api/internal/usecase/interfaces"
 	"github.com/reearth/reearth-flow/api/internal/usecase/repo"
@@ -14,22 +15,36 @@ import (
 )
 
 type Asset struct {
-	repos    *repo.Container
-	gateways *gateway.Container
+	repos             *repo.Container
+	gateways          *gateway.Container
+	permissionChecker gateway.PermissionChecker
 }
 
-func NewAsset(r *repo.Container, g *gateway.Container) interfaces.Asset {
+func NewAsset(r *repo.Container, g *gateway.Container, permissionChecker gateway.PermissionChecker) interfaces.Asset {
 	return &Asset{
-		repos:    r,
-		gateways: g,
+		repos:             r,
+		gateways:          g,
+		permissionChecker: permissionChecker,
 	}
 }
 
+func (i *Asset) checkPermission(ctx context.Context, action string) error {
+	return checkPermission(ctx, i.permissionChecker, rbac.ResourceAsset, action)
+}
+
 func (i *Asset) Fetch(ctx context.Context, assets []id.AssetID) ([]*asset.Asset, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	return i.repos.Asset.FindByIDs(ctx, assets)
 }
 
 func (i *Asset) FindByWorkspace(ctx context.Context, tid accountdomain.WorkspaceID, keyword *string, sort *asset.SortType, p *interfaces.PaginationParam) ([]*asset.Asset, *interfaces.PageBasedInfo, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, nil, err
+	}
+
 	return Run2(
 		ctx, i.repos,
 		Usecase().WithReadableWorkspaces(tid),
@@ -44,6 +59,10 @@ func (i *Asset) FindByWorkspace(ctx context.Context, tid accountdomain.Workspace
 }
 
 func (i *Asset) Create(ctx context.Context, inp interfaces.CreateAssetParam) (result *asset.Asset, err error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	if inp.File == nil {
 		return nil, interfaces.ErrFileNotIncluded
 	}
@@ -72,6 +91,10 @@ func (i *Asset) Create(ctx context.Context, inp interfaces.CreateAssetParam) (re
 }
 
 func (i *Asset) Remove(ctx context.Context, aid id.AssetID) (result id.AssetID, err error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return aid, err
+	}
+
 	return Run1(
 		ctx, i.repos,
 		Usecase().Transaction(),

server/api/internal/usecase/interactor/asset_test.go

@@ -15,6 +15,7 @@ import (
 	"github.com/reearth/reearth-flow/api/pkg/file"
 	"github.com/reearth/reearthx/account/accountdomain/workspace"
 	"github.com/reearth/reearthx/account/accountinfrastructure/accountmemory"
+	"github.com/reearth/reearthx/appx"
 	"github.com/spf13/afero"
 	"github.com/stretchr/testify/assert"
 )
@@ -28,6 +29,11 @@ func TestAsset_Create(t *testing.T) {
 
 	mfs := afero.NewMemMapFs()
 	f, _ := fs.NewFile(mfs, "", "")
+
+	mockPermissionCheckerTrue := NewMockPermissionChecker(func(ctx context.Context, authInfo *appx.AuthInfo, resource, action string) (bool, error) {
+		return true, nil
+	})
+
 	uc := &Asset{
 		repos: &repo.Container{
 			Asset:     memory.NewAsset(),
@@ -36,6 +42,7 @@ func TestAsset_Create(t *testing.T) {
 		gateways: &gateway.Container{
 			File: f,
 		},
+		permissionChecker: mockPermissionCheckerTrue,
 	}
 
 	buf := bytes.NewBufferString("Hello")

server/api/internal/usecase/interactor/common.go

@@ -31,15 +31,15 @@ func NewContainer(r *repo.Container, g *gateway.Container,
 	permissionChecker gateway.PermissionChecker,
 	config ContainerConfig,
 ) interfaces.Container {
-	job := NewJob(r, g)
+	job := NewJob(r, g, permissionChecker)
 
 	return interfaces.Container{
-		Asset:         NewAsset(r, g),
+		Asset:         NewAsset(r, g, permissionChecker),
 		Job:           job,
-		Deployment:    NewDeployment(r, g, job),
-		Parameter:     NewParameter(r),
+		Deployment:    NewDeployment(r, g, job, permissionChecker),
+		Parameter:     NewParameter(r, permissionChecker),
 		Project:       NewProject(r, g, permissionChecker),
-		ProjectAccess: NewProjectAccess(r, g, config),
+		ProjectAccess: NewProjectAccess(r, g, config, permissionChecker),
 		Workspace:     accountinteractor.NewWorkspace(ar, workspaceMemberCountEnforcer(r)),
 		Trigger:       NewTrigger(r, g, job, permissionChecker),
 		User:          accountinteractor.NewMultiUser(ar, ag, config.SignupSecret, config.AuthSrvUIDomain, ar.Users),

server/api/internal/usecase/interactor/deployment.go

@@ -8,6 +8,7 @@ import (
 	"strings"
 	"time"
 
+	"github.com/reearth/reearth-flow/api/internal/rbac"
 	"github.com/reearth/reearth-flow/api/internal/usecase/gateway"
 	"github.com/reearth/reearth-flow/api/internal/usecase/interfaces"
 	"github.com/reearth/reearth-flow/api/internal/usecase/repo"
@@ -20,52 +21,82 @@ import (
 )
 
 type Deployment struct {
-	deploymentRepo repo.Deployment
-	projectRepo    repo.Project
-	workflowRepo   repo.Workflow
-	jobRepo        repo.Job
-	workspaceRepo  accountrepo.Workspace
-	transaction    usecasex.Transaction
-	batch          gateway.Batch
-	file           gateway.File
-	job            interfaces.Job
+	deploymentRepo    repo.Deployment
+	projectRepo       repo.Project
+	workflowRepo      repo.Workflow
+	jobRepo           repo.Job
+	workspaceRepo     accountrepo.Workspace
+	transaction       usecasex.Transaction
+	batch             gateway.Batch
+	file              gateway.File
+	job               interfaces.Job
+	permissionChecker gateway.PermissionChecker
 }
 
-func NewDeployment(r *repo.Container, gr *gateway.Container, jobUsecase interfaces.Job) interfaces.Deployment {
+func NewDeployment(r *repo.Container, gr *gateway.Container, jobUsecase interfaces.Job, permissionChecker gateway.PermissionChecker) interfaces.Deployment {
 	return &Deployment{
-		deploymentRepo: r.Deployment,
-		projectRepo:    r.Project,
-		workflowRepo:   r.Workflow,
-		jobRepo:        r.Job,
-		workspaceRepo:  r.Workspace,
-		transaction:    r.Transaction,
-		batch:          gr.Batch,
-		file:           gr.File,
-		job:            jobUsecase,
+		deploymentRepo:    r.Deployment,
+		projectRepo:       r.Project,
+		workflowRepo:      r.Workflow,
+		jobRepo:           r.Job,
+		workspaceRepo:     r.Workspace,
+		transaction:       r.Transaction,
+		batch:             gr.Batch,
+		file:              gr.File,
+		job:               jobUsecase,
+		permissionChecker: permissionChecker,
 	}
 }
 
+func (i *Deployment) checkPermission(ctx context.Context, action string) error {
+	return checkPermission(ctx, i.permissionChecker, rbac.ResourceDeployment, action)
+}
+
 func (i *Deployment) Fetch(ctx context.Context, ids []id.DeploymentID) ([]*deployment.Deployment, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	return i.deploymentRepo.FindByIDs(ctx, ids)
 }
 
 func (i *Deployment) FindByWorkspace(ctx context.Context, id accountdomain.WorkspaceID, p *interfaces.PaginationParam) ([]*deployment.Deployment, *interfaces.PageBasedInfo, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, nil, err
+	}
+
 	return i.deploymentRepo.FindByWorkspace(ctx, id, p)
 }
 
 func (i *Deployment) FindByProject(ctx context.Context, id id.ProjectID) (*deployment.Deployment, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	return i.deploymentRepo.FindByProject(ctx, id)
 }
 
 func (i *Deployment) FindByVersion(ctx context.Context, wsID accountdomain.WorkspaceID, projectID *id.ProjectID, version string) (*deployment.Deployment, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	return i.deploymentRepo.FindByVersion(ctx, wsID, projectID, version)
 }
 
 func (i *Deployment) FindHead(ctx context.Context, wsID accountdomain.WorkspaceID, projectID *id.ProjectID) (*deployment.Deployment, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	return i.deploymentRepo.FindHead(ctx, wsID, projectID)
 }
 
 func (i *Deployment) FindVersions(ctx context.Context, wsID accountdomain.WorkspaceID, projectID *id.ProjectID) ([]*deployment.Deployment, error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	return i.deploymentRepo.FindVersions(ctx, wsID, projectID)
 }
 
@@ -80,6 +111,10 @@ func incrementVersion(version string) string {
 }
 
 func (i *Deployment) Create(ctx context.Context, dp interfaces.CreateDeploymentParam) (result *deployment.Deployment, err error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	tx, err := i.transaction.Begin(ctx)
 	if err != nil {
 		return
@@ -147,6 +182,10 @@ func (i *Deployment) Create(ctx context.Context, dp interfaces.CreateDeploymentP
 }
 
 func (i *Deployment) Update(ctx context.Context, dp interfaces.UpdateDeploymentParam) (_ *deployment.Deployment, err error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	tx, err := i.transaction.Begin(ctx)
 	if err != nil {
 		return
@@ -208,6 +247,10 @@ func (i *Deployment) Update(ctx context.Context, dp interfaces.UpdateDeploymentP
 }
 
 func (i *Deployment) Delete(ctx context.Context, deploymentID id.DeploymentID) (err error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return err
+	}
+
 	tx, err := i.transaction.Begin(ctx)
 	if err != nil {
 		return
@@ -247,6 +290,10 @@ func (i *Deployment) Delete(ctx context.Context, deploymentID id.DeploymentID) (
 }
 
 func (i *Deployment) Execute(ctx context.Context, p interfaces.ExecuteDeploymentParam) (_ *job.Job, err error) {
+	if err := i.checkPermission(ctx, rbac.ActionAny); err != nil {
+		return nil, err
+	}
+
 	tx, err := i.transaction.Begin(ctx)
 	if err != nil {
 		return