Limit 'superuser' status of current moderators (#386)

Resolves MOD-88

Co-authored-by: Geometrically <18202329+Geometrically@users.noreply.github.com>

src/models/users.rs

@@ -77,4 +77,11 @@ impl Role {
             Role::Moderator | Role::Admin => true,
         }
     }
+
+    pub fn is_admin(&self) -> bool {
+        match self {
+            Role::Developer | Role::Moderator => false,
+            Role::Admin => true,
+        }
+    }
 }

src/routes/notifications.rs

@@ -39,7 +39,7 @@ pub async fn notifications_get(
 
     let notifications: Vec<Notification> = notifications_data
         .into_iter()
-        .filter(|n| n.user_id == user.id.into() || user.role.is_mod())
+        .filter(|n| n.user_id == user.id.into() || user.role.is_admin())
         .map(Notification::from)
         .collect();
 
@@ -64,7 +64,7 @@ pub async fn notification_get(
         .await?;
 
     if let Some(data) = notification_data {
-        if user.id == data.user_id.into() || user.role.is_mod() {
+        if user.id == data.user_id.into() || user.role.is_admin() {
             Ok(HttpResponse::Ok().json(Notification::from(data)))
         } else {
             Ok(HttpResponse::NotFound().body(""))
@@ -92,7 +92,7 @@ pub async fn notification_delete(
         .await?;
 
     if let Some(data) = notification_data {
-        if data.user_id == user.id.into() || user.role.is_mod() {
+        if data.user_id == user.id.into() || user.role.is_admin() {
             let mut transaction = pool.begin().await?;
 
             database::models::notification_item::Notification::remove(
@@ -142,7 +142,7 @@ pub async fn notifications_delete(
         Vec::new();
 
     for notification in notifications_data {
-        if notification.user_id == user.id.into() || user.role.is_mod() {
+        if notification.user_id == user.id.into() || user.role.is_admin() {
             notifications.push(notification.id);
         }
     }

src/routes/projects.rs

@@ -357,10 +357,13 @@ pub async fn project_edit(
         .await?;
         let permissions;
 
-        if let Some(member) = team_member {
+        if user.role.is_admin() {
+            permissions = Some(Permissions::ALL)
+        } else if let Some(member) = team_member {
             permissions = Some(member.permissions)
         } else if user.role.is_mod() {
-            permissions = Some(Permissions::ALL)
+            permissions =
+                Some(Permissions::EDIT_DETAILS | Permissions::EDIT_BODY)
         } else {
             permissions = None
         }
@@ -1117,7 +1120,7 @@ pub async fn add_gallery_item(
                 )
             })?;
 
-        if !user.role.is_mod() {
+        if !user.role.is_admin() {
             let team_member = database::models::TeamMember::get_from_user_id(
                 project_item.team_id,
                 user.id.into(),
@@ -1446,7 +1449,7 @@ pub async fn project_delete(
         )
     })?;
 
-    if !user.role.is_mod() {
+    if !user.role.is_admin() {
         let team_member =
             database::models::TeamMember::get_from_user_id_project(
                 project.id,

src/routes/teams.rs

@@ -386,7 +386,7 @@ pub async fn transfer_ownership(
 
     let current_user = get_user_from_headers(req.headers(), &**pool).await?;
 
-    if !current_user.role.is_mod() {
+    if !current_user.role.is_admin() {
         let member = TeamMember::get_from_user_id(
             id.into(),
             current_user.id.into(),

src/routes/users.rs

@@ -255,7 +255,7 @@ pub async fn user_edit(
             }
 
             if let Some(role) = &new_user.role {
-                if !user.role.is_mod() {
+                if !user.role.is_admin() {
                     return Err(ApiError::CustomAuthentication(
                         "You do not have the permissions to edit the role of this user!"
                             .to_string(),
@@ -410,7 +410,7 @@ pub async fn user_delete(
     .await?;
 
     if let Some(id) = id_option {
-        if !user.role.is_mod() && user.id != id.into() {
+        if !user.role.is_admin() && user.id != id.into() {
             return Err(ApiError::CustomAuthentication(
                 "You do not have permission to delete this user!".to_string(),
             ));
@@ -451,7 +451,7 @@ pub async fn user_follows(
     .await?;
 
     if let Some(id) = id_option {
-        if !user.role.is_mod() && user.id != id.into() {
+        if !user.role.is_admin() && user.id != id.into() {
             return Err(ApiError::CustomAuthentication(
                 "You do not have permission to see the projects this user follows!".to_string(),
             ));
@@ -501,7 +501,7 @@ pub async fn user_notifications(
     .await?;
 
     if let Some(id) = id_option {
-        if !user.role.is_mod() && user.id != id.into() {
+        if !user.role.is_admin() && user.id != id.into() {
             return Err(ApiError::CustomAuthentication(
                 "You do not have permission to see the notifications of this user!".to_string(),
             ));

src/routes/v1/users.rs

@@ -65,7 +65,7 @@ pub async fn user_follows(
     .await?;
 
     if let Some(id) = id_option {
-        if !user.role.is_mod() && user.id != id.into() {
+        if !user.role.is_admin() && user.id != id.into() {
             return Err(ApiError::CustomAuthentication(
                 "You do not have permission to see the projects this user follows!".to_string(),
             ));

src/routes/v1/versions.rs

@@ -309,7 +309,7 @@ pub async fn delete_file(
         ?;
 
     if let Some(row) = result {
-        if !user.role.is_mod() {
+        if !user.role.is_admin() {
             let team_member =
                 database::models::TeamMember::get_from_user_id_version(
                     database::models::ids::VersionId(row.version_id),

src/routes/version_file.rs

@@ -136,7 +136,7 @@ pub async fn delete_file(
         ?;
 
     if let Some(row) = result {
-        if !user.role.is_mod() {
+        if !user.role.is_admin() {
             let team_member =
                 database::models::TeamMember::get_from_user_id_version(
                     database::models::ids::VersionId(row.version_id),

src/routes/versions.rs

@@ -217,10 +217,13 @@ pub async fn version_edit(
             .await?;
         let permissions;
 
-        if let Some(member) = team_member {
+        if user.role.is_admin() {
+            permissions = Some(Permissions::ALL)
+        } else if let Some(member) = team_member {
             permissions = Some(member.permissions)
         } else if user.role.is_mod() {
-            permissions = Some(Permissions::ALL)
+            permissions =
+                Some(Permissions::EDIT_DETAILS | Permissions::EDIT_BODY)
         } else {
             permissions = None
         }
@@ -521,7 +524,7 @@ pub async fn version_delete(
     let user = get_user_from_headers(req.headers(), &**pool).await?;
     let id = info.into_inner().0;
 
-    if !user.role.is_mod() {
+    if !user.role.is_admin() {
         let team_member = database::models::TeamMember::get_from_user_id_version(
             id.into(),
             user.id.into(),