Fix permissions checks for projects, fix gallery URLs (#321)

2022-03-16 07:49:09 -07:00
parent 3883c509b9
commit 023663b268
4 changed files with 25 additions and 11 deletions
@@ -494,7 +494,7 @@ pub async fn project_create_inner(
                });
                gallery_urls.push(crate::models::projects::GalleryItem {
-                    url,
+                    url: format!("{}/{}", cdn_url, url),
                    featured: item.featured,
                    title: item.title.clone(),
                    description: item.description.clone(),
@@ -96,17 +96,24 @@ struct DependencyInfo {
 #[get("dependencies")]
 pub async fn dependency_list(
    req: HttpRequest,
    info: web::Path<(String,)>,
    pool: web::Data<PgPool>,
 ) -> Result<HttpResponse, ApiError> {
    let string = info.into_inner().0;
    let result =
-        database::models::Project::get_from_slug_or_project_id(string, &**pool)
+        database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
            .await?;
    let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
    if let Some(project) = result {
-        let id = project.id;
+        if !is_authorized(&project, &user_option, &pool).await? {
            return Ok(HttpResponse::NotFound().body(""));
        }
        let id = project.inner.id;
        use futures::stream::TryStreamExt;
@@ -4,7 +4,7 @@ use crate::database::models as db_models;
 use crate::models;
 use crate::models::projects::{Dependency, Version};
 use crate::models::teams::Permissions;
-use crate::util::auth::get_user_from_headers;
+use crate::util::auth::{get_user_from_headers, is_authorized};
 use crate::util::guards::admin_key_guard;
 use crate::util::validate::validation_errors_to_string;
 use actix_web::{delete, get, patch, web, HttpRequest, HttpResponse};
@@ -21,6 +21,7 @@ pub struct VersionListFilters {
 #[get("version")]
 pub async fn version_list(
    req: HttpRequest,
    info: web::Path<(String,)>,
    web::Query(filters): web::Query<VersionListFilters>,
    pool: web::Data<PgPool>,
@@ -28,11 +29,17 @@ pub async fn version_list(
    let string = info.into_inner().0;
    let result =
-        database::models::Project::get_from_slug_or_project_id(string, &**pool)
+        database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
            .await?;
    let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
    if let Some(project) = result {
-        let id = project.id;
+        if !is_authorized(&project, &user_option, &pool).await? {
            return Ok(HttpResponse::NotFound().body(""));
        }
        let id = project.inner.id;
        let version_ids = database::models::Version::get_project_versions(
            id,
@@ -83,11 +83,11 @@ impl super::Validator for LegacyForgeValidator {
        &self,
        archive: &mut ZipArchive<Cursor<bytes::Bytes>>,
    ) -> Result<ValidationResult, ValidationError> {
-        archive.by_name("mcmod.info").map_err(|_| {
+        if archive.by_name("mcmod.info").is_err() {
-            ValidationError::InvalidInputError(
+            return Ok(ValidationResult::Warning(
-                "No mcmod.info present for Forge file.".into(),
+                "Forge mod file does not contain mcmod.info!",
-            )
+            ));
-        })?;
+        };
        if !archive.file_names().any(|name| name.ends_with(".class")) {
            return Ok(ValidationResult::Warning(