Fix users not being able to see their own unapproved mods

2021-03-11 10:32:47 -07:00
parent a13bae2f39
commit 6104150b77
3 changed files with 66 additions and 4 deletions
--- a/src/database/models/user_item.rs
+++ b/src/database/models/user_item.rs
@@ -213,6 +213,31 @@ impl User {
        Ok(mods)
    }

+    pub async fn get_mods_private<'a, E>(
+        user_id: UserId,
+        exec: E,
+    ) -> Result<Vec<ModId>, sqlx::Error>
+    where
+        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+    {
+        use futures::stream::TryStreamExt;
+
+        let mods = sqlx::query!(
+            "
+            SELECT m.id FROM mods m
+            INNER JOIN team_members tm ON tm.team_id = m.team_id
+            WHERE tm.user_id = $1
+            ",
+            user_id as UserId,
+        )
+        .fetch_many(exec)
+        .try_filter_map(|e| async { Ok(e.right().map(|m| ModId(m.id))) })
+        .try_collect::<Vec<ModId>>()
+        .await?;
+
+        Ok(mods)
+    }
+
    pub async fn remove<'a, 'b, E>(id: UserId, exec: E) -> Result<Option<()>, sqlx::error::Error>
    where
        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
--- a/src/routes/users.rs
+++ b/src/routes/users.rs
@@ -122,10 +122,13 @@ fn convert_user(data: crate::database::models::user_item::User) -> crate::models

 #[get("{user_id}/mods")]
 pub async fn mods_list(
+    req: HttpRequest,
    info: web::Path<(UserId,)>,
    pool: web::Data<PgPool>,
 ) -> Result<HttpResponse, ApiError> {
-    let id = info.into_inner().0.into();
+    let user = get_user_from_headers(req.headers(), &**pool).await.ok();
+
+    let id: crate::database::models::UserId = info.into_inner().0.into();

    let user_exists = sqlx::query!(
        "SELECT EXISTS(SELECT 1 FROM users WHERE id = $1)",
@@ -137,9 +140,23 @@ pub async fn mods_list(
    .exists;

    if user_exists.unwrap_or(false) {
-        let mod_data = User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
-            .await
-            .map_err(|e| ApiError::DatabaseError(e.into()))?;
+        let user_id: UserId = id.into();
+
+        let mod_data = if let Some(current_user) = user {
+            if current_user.role.is_mod() || current_user.id == user_id {
+                User::get_mods_private(id, &**pool)
+                    .await
+                    .map_err(|e| ApiError::DatabaseError(e.into()))?
+            } else {
+                User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
+                    .await
+                    .map_err(|e| ApiError::DatabaseError(e.into()))?
+            }
+        } else {
+            User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
+                .await
+                .map_err(|e| ApiError::DatabaseError(e.into()))?
+        };

        let response = mod_data
            .into_iter()