aziz/AstralRinth
0
0
Fork 0
forked from xxxOFFxxx/AstralRinth
Code Pull Requests Activity

Fix issue with moderator identities being revealed (#892)

Browse Source 
* Fix issue with moderator identities being revealed

* Fix on multiple threads route

* Fix thread notifs

* Fix failing test

* fix thread messages returning nothing
This commit is contained in:
Geometrically
2024-03-19 17:25:49 -07:00
committed by GitHub
parent 730913bec4
commit decfcb6c27
20 changed files with 79 additions and 334 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
src/routes/v2/threads.rs
View File

@@ -14,10 +14,8 @@ use sqlx::PgPool;
pub fn config(cfg: &mut web::ServiceConfig) {
cfg.service(
web::scope("thread")
.service(moderation_inbox)
.service(thread_get)
.service(thread_send_message)
.service(thread_read),
.service(thread_send_message),
);
cfg.service(web::scope("message").service(message_delete));
cfg.service(threads_get);
@@ -102,44 +100,6 @@ pub async fn thread_send_message(
.or_else(v2_reroute::flatten_404_error)
}
#[get("inbox")]
pub async fn moderation_inbox(
req: HttpRequest,
pool: web::Data<PgPool>,
redis: web::Data<RedisPool>,
session_queue: web::Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let response = v3::threads::moderation_inbox(req, pool, redis, session_queue)
.await
.or_else(v2_reroute::flatten_404_error)?;
// Convert response to V2 format
match v2_reroute::extract_ok_json::<Vec<Thread>>(response).await {
Ok(threads) => {
let threads = threads
.into_iter()
.map(LegacyThread::from)
.collect::<Vec<_>>();
Ok(HttpResponse::Ok().json(threads))
}
Err(response) => Ok(response),
}
}
#[post("{id}/read")]
pub async fn thread_read(
req: HttpRequest,
info: web::Path<(ThreadId,)>,
pool: web::Data<PgPool>,
redis: web::Data<RedisPool>,
session_queue: web::Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
// Returns NoContent, so we don't need to convert the response
v3::threads::thread_read(req, info, pool, redis, session_queue)
.await
.or_else(v2_reroute::flatten_404_error)
}
#[delete("{id}")]
pub async fn message_delete(
req: HttpRequest,

4
src/routes/v3/project_creation.rs
View File

@@ -615,14 +615,14 @@ async fn project_create_inner(
let mut members = vec![];
if let Some(organization_id) = project_create_data.organization_id {
let org = models::Organization::get_id(organization_id.into(), &*pool, &redis)
let org = models::Organization::get_id(organization_id.into(), pool, redis)
.await?
.ok_or_else(|| {
CreateError::InvalidInput("Invalid organization ID specified!".to_string())
})?;
let team_member =
models::TeamMember::get_from_user_id(org.team_id, current_user.id.into(), &*pool)
models::TeamMember::get_from_user_id(org.team_id, current_user.id.into(), pool)
.await?;
let perms =

12
src/routes/v3/projects.rs
View File

@@ -355,17 +355,6 @@ pub async fn project_edit(
.execute(&mut *transaction)
.await?;
sqlx::query!(
"
UPDATE threads
SET show_in_mod_inbox = FALSE
WHERE id = $1
",
project_item.thread_id as db_ids::ThreadId,
)
.execute(&mut *transaction)
.await?;
moderation_queue
.projects
.insert(project_item.inner.id.into());
@@ -464,6 +453,7 @@ pub async fn project_edit(
old_status: project_item.inner.status,
},
thread_id: project_item.thread_id,
hide_identity: true,
}
.insert(&mut transaction)
.await?;

13
src/routes/v3/reports.rs
View File

@@ -435,6 +435,7 @@ pub async fn report_edit(
MessageBody::ThreadClosure
},
thread_id: report.thread_id,
hide_identity: true,
}
.insert(&mut transaction)
.await?;
@@ -450,18 +451,6 @@ pub async fn report_edit(
)
.execute(&mut *transaction)
.await?;
sqlx::query!(
"
UPDATE threads
SET show_in_mod_inbox = $1
WHERE id = $2
",
!(edit_closed || report.closed),
report.thread_id.0,
)
.execute(&mut *transaction)
.await?;
}
// delete any images no longer in the body

118
src/routes/v3/threads.rs
View File

@@ -1,6 +1,6 @@
use std::sync::Arc;
use crate::auth::{check_is_moderator_from_headers, get_user_from_headers};
use crate::auth::get_user_from_headers;
use crate::database;
use crate::database::models::image_item;
use crate::database::models::notification_item::NotificationBuilder;
@@ -24,10 +24,8 @@ use sqlx::PgPool;
pub fn config(cfg: &mut web::ServiceConfig) {
cfg.service(
web::scope("thread")
.route("inbox", web::get().to(moderation_inbox))
.route("{id}", web::get().to(thread_get))
.route("{id}", web::post().to(thread_send_message))
.route("{id}/read", web::post().to(thread_read)),
.route("{id}", web::post().to(thread_send_message)),
);
cfg.service(web::scope("message").route("{id}", web::delete().to(message_delete)));
cfg.route("threads", web::get().to(threads_get));
@@ -252,7 +250,13 @@ pub async fn filter_authorized_threads(
&mut thread
.messages
.iter()
.filter_map(|x| x.author_id)
.filter_map(|x| {
if x.hide_identity && !user.role.is_mod() {
None
} else {
x.author_id
}
})
.collect::<Vec<_>>(),
);
@@ -299,7 +303,13 @@ pub async fn thread_get(
&mut data
.messages
.iter()
.filter_map(|x| x.author_id)
.filter_map(|x| {
if x.hide_identity && !user.role.is_mod() {
None
} else {
x.author_id
}
})
.collect::<Vec<_>>(),
);
@@ -379,7 +389,6 @@ pub async fn thread_send_message(
body,
replying_to,
private,
hide_identity,
..
} = &new_message.body
{
@@ -395,12 +404,6 @@ pub async fn thread_send_message(
));
}
if *hide_identity && !user.role.is_mod() {
return Err(ApiError::InvalidInput(
"You are not allowed to send masked messages!".to_string(),
));
}
if let Some(replying_to) = replying_to {
let thread_message =
database::models::ThreadMessage::get((*replying_to).into(), &**pool).await?;
@@ -436,11 +439,12 @@ pub async fn thread_send_message(
author_id: Some(user.id.into()),
body: new_message.body.clone(),
thread_id: thread.id,
hide_identity: user.role.is_mod(),
}
.insert(&mut transaction)
.await?;
let mod_notif = if let Some(project_id) = thread.project_id {
if let Some(project_id) = thread.project_id {
let project = database::models::Project::get_id(project_id, &**pool, &redis).await?;
if let Some(project) = project {
@@ -468,8 +472,6 @@ pub async fn thread_send_message(
.await?;
}
}
!user.role.is_mod()
} else if let Some(report_id) = thread.report_id {
let report = database::models::report_item::Report::get(report_id, &**pool).await?;
@@ -493,23 +495,7 @@ pub async fn thread_send_message(
.await?;
}
}
!user.role.is_mod()
} else {
false
};
sqlx::query!(
"
UPDATE threads
SET show_in_mod_inbox = $1
WHERE id = $2
",
mod_notif,
thread.id.0,
)
.execute(&mut *transaction)
.await?;
}
if let MessageBody::Text {
associated_images, ..
@@ -559,72 +545,6 @@ pub async fn thread_send_message(
}
}
pub async fn moderation_inbox(
req: HttpRequest,
pool: web::Data<PgPool>,
redis: web::Data<RedisPool>,
session_queue: web::Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let user = check_is_moderator_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Some(&[Scopes::THREAD_READ]),
)
.await?;
let ids = sqlx::query!(
"
SELECT id
FROM threads
WHERE show_in_mod_inbox = TRUE
"
)
.fetch_many(&**pool)
.try_filter_map(|e| async { Ok(e.right().map(|m| database::models::ThreadId(m.id))) })
.try_collect::<Vec<database::models::ThreadId>>()
.await?;
let threads_data = database::models::Thread::get_many(&ids, &**pool).await?;
let threads = filter_authorized_threads(threads_data, &user, &pool, &redis).await?;
Ok(HttpResponse::Ok().json(threads))
}
pub async fn thread_read(
req: HttpRequest,
info: web::Path<(ThreadId,)>,
pool: web::Data<PgPool>,
redis: web::Data<RedisPool>,
session_queue: web::Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
check_is_moderator_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Some(&[Scopes::THREAD_READ]),
)
.await?;
let id = info.into_inner().0;
let mut transaction = pool.begin().await?;
sqlx::query!(
"
UPDATE threads
SET show_in_mod_inbox = FALSE
WHERE id = $1
",
id.0 as i64,
)
.execute(&mut *transaction)
.await?;
transaction.commit().await?;
Ok(HttpResponse::NoContent().body(""))
}
pub async fn message_delete(
req: HttpRequest,
info: web::Path<(ThreadMessageId,)>,