Hotfix: fix version delete permissions and CORS allowed methods (#107)

2020-11-30 11:45:59 -06:00
parent a7be6504a2
commit b3f724c799
2 changed files with 10 additions and 6 deletions
--- a/src/main.rs
+++ b/src/main.rs
@@ -280,7 +280,7 @@ async fn main() -> std::io::Result<()> {
    // Init App
    HttpServer::new(move || {
        let mut cors = Cors::new()
-            .allowed_methods(vec!["GET", "POST"])
+            .allowed_methods(vec!["GET", "POST", "DELETE", "PATCH", "PUT"])
            .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])
            .allowed_header(http::header::CONTENT_TYPE)
            .max_age(3600);
--- a/src/routes/versions.rs
+++ b/src/routes/versions.rs
@@ -493,18 +493,18 @@ pub async fn version_delete(
    let user = get_user_from_headers(req.headers(), &**pool).await?;
    let id = info.into_inner().0;

-    if user.role.is_mod() {
+    if !user.role.is_mod() {
        let version = database::models::Version::get(id.into(), &**pool)
            .await
            .map_err(|e| ApiError::DatabaseError(e.into()))?
            .ok_or_else(|| {
-                ApiError::InvalidInputError("Invalid Version ID specified!".to_string())
+                ApiError::InvalidInputError("An invalid version ID was specified".to_string())
            })?;
        let mod_item = database::models::Mod::get(version.mod_id, &**pool)
            .await
            .map_err(|e| ApiError::DatabaseError(e.into()))?
            .ok_or_else(|| {
-                ApiError::InvalidInputError("Invalid Version ID specified!".to_string())
+                ApiError::InvalidInputError("The version is not attached to a mod".to_string())
            })?;
        let team_member = database::models::TeamMember::get_from_user_id(
            mod_item.team_id,
@@ -513,14 +513,18 @@ pub async fn version_delete(
        )
        .await
        .map_err(ApiError::DatabaseError)?
-        .ok_or_else(|| ApiError::InvalidInputError("Invalid Version ID specified!".to_string()))?;
+        .ok_or_else(|| {
+            ApiError::InvalidInputError(
+                "You do not have permission to delete versions in this team".to_string(),
+            )
+        })?;

        if !team_member
            .permissions
            .contains(Permissions::DELETE_VERSION)
        {
            return Err(ApiError::CustomAuthenticationError(
-                "You don't have permission to delete versions in this team".to_string(),
+                "You do not have permission to delete versions in this team".to_string(),
            ));
        }
    }