Fix permissions checks for projects, fix gallery URLs (#321)

src/routes/project_creation.rs

@@ -494,7 +494,7 @@ pub async fn project_create_inner(
                 });
 
                 gallery_urls.push(crate::models::projects::GalleryItem {
-                    url,
+                    url: format!("{}/{}", cdn_url, url),
                     featured: item.featured,
                     title: item.title.clone(),
                     description: item.description.clone(),

src/routes/projects.rs

@@ -96,17 +96,24 @@ struct DependencyInfo {
 
 #[get("dependencies")]
 pub async fn dependency_list(
+    req: HttpRequest,
     info: web::Path<(String,)>,
     pool: web::Data<PgPool>,
 ) -> Result<HttpResponse, ApiError> {
     let string = info.into_inner().0;
 
     let result =
-        database::models::Project::get_from_slug_or_project_id(string, &**pool)
+        database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
             .await?;
 
+    let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
+
     if let Some(project) = result {
-        let id = project.id;
+        if !is_authorized(&project, &user_option, &pool).await? {
+            return Ok(HttpResponse::NotFound().body(""));
+        }
+
+        let id = project.inner.id;
 
         use futures::stream::TryStreamExt;
 

src/routes/versions.rs

@@ -4,7 +4,7 @@ use crate::database::models as db_models;
 use crate::models;
 use crate::models::projects::{Dependency, Version};
 use crate::models::teams::Permissions;
-use crate::util::auth::get_user_from_headers;
+use crate::util::auth::{get_user_from_headers, is_authorized};
 use crate::util::guards::admin_key_guard;
 use crate::util::validate::validation_errors_to_string;
 use actix_web::{delete, get, patch, web, HttpRequest, HttpResponse};
@@ -21,6 +21,7 @@ pub struct VersionListFilters {
 
 #[get("version")]
 pub async fn version_list(
+    req: HttpRequest,
     info: web::Path<(String,)>,
     web::Query(filters): web::Query<VersionListFilters>,
     pool: web::Data<PgPool>,
@@ -28,11 +29,17 @@ pub async fn version_list(
     let string = info.into_inner().0;
 
     let result =
-        database::models::Project::get_from_slug_or_project_id(string, &**pool)
+        database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
             .await?;
 
+    let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
+
     if let Some(project) = result {
-        let id = project.id;
+        if !is_authorized(&project, &user_option, &pool).await? {
+            return Ok(HttpResponse::NotFound().body(""));
+        }
+
+        let id = project.inner.id;
 
         let version_ids = database::models::Version::get_project_versions(
             id,

src/validate/forge.rs

@@ -83,11 +83,11 @@ impl super::Validator for LegacyForgeValidator {
         &self,
         archive: &mut ZipArchive<Cursor<bytes::Bytes>>,
     ) -> Result<ValidationResult, ValidationError> {
-        archive.by_name("mcmod.info").map_err(|_| {
-            ValidationError::InvalidInputError(
-                "No mcmod.info present for Forge file.".into(),
-            )
-        })?;
+        if archive.by_name("mcmod.info").is_err() {
+            return Ok(ValidationResult::Warning(
+                "Forge mod file does not contain mcmod.info!",
+            ));
+        };
 
         if !archive.file_names().any(|name| name.ends_with(".class")) {
             return Ok(ValidationResult::Warning(