Hotfix: fix version delete permissions and CORS allowed methods (#107)

This commit is contained in:
Aeledfyr
2020-11-30 11:45:59 -06:00
committed by GitHub
parent a7be6504a2
commit b3f724c799
2 changed files with 10 additions and 6 deletions


@@ -280,7 +280,7 @@ async fn main() -> std::io::Result<()> {
// Init App // Init App
HttpServer::new(move || { HttpServer::new(move || {
let mut cors = Cors::new() let mut cors = Cors::new()
.allowed_methods(vec!["GET", "POST"]) .allowed_methods(vec!["GET", "POST", "DELETE", "PATCH", "PUT"])
.allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT]) .allowed_headers(vec![http::header::AUTHORIZATION, http::header::ACCEPT])
.allowed_header(http::header::CONTENT_TYPE) .allowed_header(http::header::CONTENT_TYPE)
.max_age(3600); .max_age(3600);
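Review bot: The new allowed-methods list admits DELETE, PATCH and PUT cross-origin, but the hunk shows no allowed-origin configuration, so whether those mutating requests are accepted from arbitrary origins depends on lines outside it; confirm the builder is not left with permissive origins once these methods are added. Because AUTHORIZATION is already an allowed request header, a page on another origin can now issue authenticated state-changing requests, and the origin list is the control that must constrain that. A short comment naming why each method is needed would make the intent reviewable, e.g. `// DELETE/PATCH/PUT: needed for the mutating API routes called cross-origin` (wording to be confirmed against the routes). main() continues outside the hunk.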


@@ -493,18 +493,18 @@ pub async fn version_delete(
let user = get_user_from_headers(req.headers(), &**pool).await?; let user = get_user_from_headers(req.headers(), &**pool).await?;
let id = info.into_inner().0; let id = info.into_inner().0;
if user.role.is_mod() { if !user.role.is_mod() {
let version = database::models::Version::get(id.into(), &**pool) let version = database::models::Version::get(id.into(), &**pool)
.await .await
.map_err(|e| ApiError::DatabaseError(e.into()))? .map_err(|e| ApiError::DatabaseError(e.into()))?
.ok_or_else(|| { .ok_or_else(|| {
ApiError::InvalidInputError("Invalid Version ID specified!".to_string()) ApiError::InvalidInputError("An invalid version ID was specified".to_string())
})?; })?;
let mod_item = database::models::Mod::get(version.mod_id, &**pool) let mod_item = database::models::Mod::get(version.mod_id, &**pool)
.await .await
.map_err(|e| ApiError::DatabaseError(e.into()))? .map_err(|e| ApiError::DatabaseError(e.into()))?
.ok_or_else(|| { .ok_or_else(|| {
ApiError::InvalidInputError("Invalid Version ID specified!".to_string()) ApiError::InvalidInputError("The version is not attached to a mod".to_string())
})?; })?;
let team_member = database::models::TeamMember::get_from_user_id( let team_member = database::models::TeamMember::get_from_user_id(
mod_item.team_id, mod_item.team_id,
@@ -513,14 +513,18 @@ pub async fn version_delete(
) )
.await .await
.map_err(ApiError::DatabaseError)? .map_err(ApiError::DatabaseError)?
.ok_or_else(|| ApiError::InvalidInputError("Invalid Version ID specified!".to_string()))?; .ok_or_else(|| {
ApiError::InvalidInputError(
"You do not have permission to delete versions in this team".to_string(),
)
})?;
if !team_member if !team_member
.permissions .permissions
.contains(Permissions::DELETE_VERSION) .contains(Permissions::DELETE_VERSION)
{ {
return Err(ApiError::CustomAuthenticationError( return Err(ApiError::CustomAuthenticationError(
"You don't have permission to delete versions in this team".to_string(), "You do not have permission to delete versions in this team".to_string(),
)); ));
} }
} }
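Review bot: A missing team membership is reported as `ApiError::InvalidInputError` at the rewritten `.ok_or_else` in the second hunk, while the equivalent condition a few lines later — lacking the `DELETE_VERSION` permission — returns `ApiError::CustomAuthenticationError` with an identical message, so anything keyed on the variant (error-to-status mapping, client handling) will see one authorization failure as bad input. Use the same variant for both: `.ok_or_else(|| { ApiError::CustomAuthenticationError("You do not have permission to delete versions in this team".to_string()) })?;`. The inverted `!user.role.is_mod()` in the first hunk now applies the team check to non-moderators, which reads as the intended fix; note that the moderator path then skips the version lookup entirely, so the deletion code below the hunk is what must reject an unknown id for moderators. version_delete begins before the first hunk and continues after the second.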