eightequal/AstralRinth
1
0
Fork 0
forked from didirus/AstralRinth
Code Pull Requests Activity

Initial shared instances backend (#3800)

Browse Source 
* Create base shared instance migration and initial routes

* Fix build

* Add version uploads

* Add permissions field for shared instance users

* Actually use permissions field

* Add "public" flag to shared instances that allow GETing them without authorization

* Add the ability to get and list shared instance versions

* Add the ability to delete shared instance versions

* Fix build after merge

* Secured file hosting (#3784)

* Remove Backblaze-specific file-hosting backend

* Added S3_USES_PATH_STYLE_BUCKETS

* Remove unused file_id parameter from delete_file_version

* Add support for separate public and private buckets in labrinth::file_hosting

* Rename delete_file_version to delete_file

* Add (untested) get_url_for_private_file

* Remove url field from shared instance routes

* Remove url field from shared instance routes

* Use private bucket for shared instance versions

* Make S3 environment variables fully separate between public and private buckets

* Change file host expiry for shared instances to 180 seconds

* Fix lint

* Merge shared instance migrations into a single migration

* Replace shared instance owners with Ghost instead of deleting the instance
This commit is contained in:
Josiah Glosson
2025-06-19 14:46:12 -05:00
committed by GitHub
parent d4864deac5
commit cc34e69524
61 changed files with 2161 additions and 491 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
apps/labrinth/src/routes/internal/flows.rs
View File

@@ -4,7 +4,7 @@ use crate::auth::{AuthProvider, AuthenticationError, get_user_from_headers};
use crate::database::models::DBUser;
use crate::database::models::flow_item::DBFlow;
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::pats::Scopes;
use crate::models::users::{Badges, Role};
use crate::queue::session::AuthQueue;
@@ -136,6 +136,7 @@ impl TempUser {
let upload_result = upload_image_optimized(
&format!("user/{}", ariadne::ids::UserId::from(user_id)),
FileHostPublicity::Public,
bytes,
ext,
Some(96),

9
apps/labrinth/src/routes/v3/collections.rs
View File

@@ -4,7 +4,7 @@ use crate::database::models::{
collection_item, generate_collection_id, project_item,
};
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::collections::{Collection, CollectionStatus};
use crate::models::ids::{CollectionId, ProjectId};
use crate::models::pats::Scopes;
@@ -12,7 +12,7 @@ use crate::queue::session::AuthQueue;
use crate::routes::ApiError;
use crate::routes::v3::project_creation::CreateError;
use crate::util::img::delete_old_images;
use crate::util::routes::read_from_payload;
use crate::util::routes::read_limited_from_payload;
use crate::util::validate::validation_errors_to_string;
use crate::{database, models};
use actix_web::web::Data;
@@ -413,11 +413,12 @@ pub async fn collection_icon_edit(
delete_old_images(
collection_item.icon_url,
collection_item.raw_icon_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
262144,
"Icons must be smaller than 256KiB",
@@ -427,6 +428,7 @@ pub async fn collection_icon_edit(
let collection_id: CollectionId = collection_item.id.into();
let upload_result = crate::util::img::upload_image_optimized(
&format!("data/{collection_id}"),
FileHostPublicity::Public,
bytes.freeze(),
&ext.ext,
Some(96),
@@ -493,6 +495,7 @@ pub async fn delete_collection_icon(
delete_old_images(
collection_item.icon_url,
collection_item.raw_icon_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;

7
apps/labrinth/src/routes/v3/images.rs
View File

@@ -8,13 +8,13 @@ use crate::database::models::{
project_item, report_item, thread_item, version_item,
};
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::ids::{ReportId, ThreadMessageId, VersionId};
use crate::models::images::{Image, ImageContext};
use crate::queue::session::AuthQueue;
use crate::routes::ApiError;
use crate::util::img::upload_image_optimized;
use crate::util::routes::read_from_payload;
use crate::util::routes::read_limited_from_payload;
use actix_web::{HttpRequest, HttpResponse, web};
use serde::{Deserialize, Serialize};
use sqlx::PgPool;
@@ -176,7 +176,7 @@ pub async fn images_add(
}
// Upload the image to the file host
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
1_048_576,
"Icons must be smaller than 1MiB",
@@ -186,6 +186,7 @@ pub async fn images_add(
let content_length = bytes.len();
let upload_result = upload_image_optimized(
"data/cached_images",
FileHostPublicity::Public, // FIXME: Maybe use private images for threads
bytes.freeze(),
&data.ext,
None,

4
apps/labrinth/src/routes/v3/mod.rs
View File

@@ -13,6 +13,8 @@ pub mod payouts;
pub mod project_creation;
pub mod projects;
pub mod reports;
pub mod shared_instance_version_creation;
pub mod shared_instances;
pub mod statistics;
pub mod tags;
pub mod teams;
@@ -36,6 +38,8 @@ pub fn config(cfg: &mut web::ServiceConfig) {
.configure(project_creation::config)
.configure(projects::config)
.configure(reports::config)
.configure(shared_instance_version_creation::config)
.configure(shared_instances::config)
.configure(statistics::config)
.configure(tags::config)
.configure(teams::config)

13
apps/labrinth/src/routes/v3/oauth_clients.rs
View File

@@ -1,6 +1,9 @@
use std::{collections::HashSet, fmt::Display, sync::Arc};
use super::ApiError;
use crate::file_hosting::FileHostPublicity;
use crate::models::ids::OAuthClientId;
use crate::util::img::{delete_old_images, upload_image_optimized};
use crate::{
auth::{checks::ValidateAuthorized, get_user_from_headers},
database::{
@@ -23,7 +26,7 @@ use crate::{
};
use crate::{
file_hosting::FileHost, models::oauth_clients::DeleteOAuthClientQueryParam,
util::routes::read_from_payload,
util::routes::read_limited_from_payload,
};
use actix_web::{
HttpRequest, HttpResponse, delete, get, patch, post,
@@ -38,9 +41,6 @@ use serde::{Deserialize, Serialize};
use sqlx::PgPool;
use validator::Validate;
use crate::models::ids::OAuthClientId;
use crate::util::img::{delete_old_images, upload_image_optimized};
pub fn config(cfg: &mut web::ServiceConfig) {
cfg.service(
scope("oauth")
@@ -381,11 +381,12 @@ pub async fn oauth_client_icon_edit(
delete_old_images(
client.icon_url.clone(),
client.raw_icon_url.clone(),
FileHostPublicity::Public,
&***file_host,
)
.await?;
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
262144,
"Icons must be smaller than 256KiB",
@@ -393,6 +394,7 @@ pub async fn oauth_client_icon_edit(
.await?;
let upload_result = upload_image_optimized(
&format!("data/{client_id}"),
FileHostPublicity::Public,
bytes.freeze(),
&ext.ext,
Some(96),
@@ -447,6 +449,7 @@ pub async fn oauth_client_icon_delete(
delete_old_images(
client.icon_url.clone(),
client.raw_icon_url.clone(),
FileHostPublicity::Public,
&***file_host,
)
.await?;

9
apps/labrinth/src/routes/v3/organizations.rs
View File

@@ -8,14 +8,14 @@ use crate::database::models::{
DBOrganization, generate_organization_id, team_item,
};
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::ids::OrganizationId;
use crate::models::pats::Scopes;
use crate::models::teams::{OrganizationPermissions, ProjectPermissions};
use crate::queue::session::AuthQueue;
use crate::routes::v3::project_creation::CreateError;
use crate::util::img::delete_old_images;
use crate::util::routes::read_from_payload;
use crate::util::routes::read_limited_from_payload;
use crate::util::validate::validation_errors_to_string;
use crate::{database, models};
use actix_web::{HttpRequest, HttpResponse, web};
@@ -1088,11 +1088,12 @@ pub async fn organization_icon_edit(
delete_old_images(
organization_item.icon_url,
organization_item.raw_icon_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
262144,
"Icons must be smaller than 256KiB",
@@ -1102,6 +1103,7 @@ pub async fn organization_icon_edit(
let organization_id: OrganizationId = organization_item.id.into();
let upload_result = crate::util::img::upload_image_optimized(
&format!("data/{organization_id}"),
FileHostPublicity::Public,
bytes.freeze(),
&ext.ext,
Some(96),
@@ -1191,6 +1193,7 @@ pub async fn delete_organization_icon(
delete_old_images(
organization_item.icon_url,
organization_item.raw_icon_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;

32
apps/labrinth/src/routes/v3/project_creation.rs
View File

@@ -6,7 +6,7 @@ use crate::database::models::loader_fields::{
use crate::database::models::thread_item::ThreadBuilder;
use crate::database::models::{self, DBUser, image_item};
use crate::database::redis::RedisPool;
use crate::file_hosting::{FileHost, FileHostingError};
use crate::file_hosting::{FileHost, FileHostPublicity, FileHostingError};
use crate::models::error::ApiError;
use crate::models::ids::{ImageId, OrganizationId, ProjectId, VersionId};
use crate::models::images::{Image, ImageContext};
@@ -240,18 +240,16 @@ pub struct NewGalleryItem {
}
pub struct UploadedFile {
pub file_id: String,
pub file_name: String,
pub name: String,
pub publicity: FileHostPublicity,
}
pub async fn undo_uploads(
file_host: &dyn FileHost,
uploaded_files: &[UploadedFile],
) -> Result<(), CreateError> {
) -> Result<(), FileHostingError> {
for file in uploaded_files {
file_host
.delete_file_version(&file.file_id, &file.file_name)
.await?;
file_host.delete_file(&file.name, file.publicity).await?;
}
Ok(())
}
@@ -309,13 +307,13 @@ Get logged in user
2. Upload
- Icon: check file format & size
- Upload to backblaze & record URL
- Upload to S3 & record URL
- Project files
- Check for matching version
- File size limits?
- Check file type
- Eventually, malware scan
- Upload to backblaze & create VersionFileBuilder
- Upload to S3 & create VersionFileBuilder
-
3. Creation
@@ -334,7 +332,7 @@ async fn project_create_inner(
redis: &RedisPool,
session_queue: &AuthQueue,
) -> Result<HttpResponse, CreateError> {
// The base URL for files uploaded to backblaze
// The base URL for files uploaded to S3
let cdn_url = dotenvy::var("CDN_URL")?;
// The currently logged in user
@@ -516,6 +514,7 @@ async fn project_create_inner(
let url = format!("data/{project_id}/images");
let upload_result = upload_image_optimized(
&url,
FileHostPublicity::Public,
data.freeze(),
file_extension,
Some(350),
@@ -526,8 +525,8 @@ async fn project_create_inner(
.map_err(|e| CreateError::InvalidIconFormat(e.to_string()))?;
uploaded_files.push(UploadedFile {
file_id: upload_result.raw_url_path.clone(),
file_name: upload_result.raw_url_path,
name: upload_result.raw_url_path,
publicity: FileHostPublicity::Public,
});
gallery_urls.push(crate::models::projects::GalleryItem {
url: upload_result.url,
@@ -1010,6 +1009,7 @@ async fn process_icon_upload(
.await?;
let upload_result = crate::util::img::upload_image_optimized(
&format!("data/{}", to_base62(id)),
FileHostPublicity::Public,
data.freeze(),
file_extension,
Some(96),
@@ -1020,13 +1020,13 @@ async fn process_icon_upload(
.map_err(|e| CreateError::InvalidIconFormat(e.to_string()))?;
uploaded_files.push(UploadedFile {
file_id: upload_result.raw_url_path.clone(),
file_name: upload_result.raw_url_path,
name: upload_result.raw_url_path,
publicity: FileHostPublicity::Public,
});
uploaded_files.push(UploadedFile {
file_id: upload_result.url_path.clone(),
file_name: upload_result.url_path,
name: upload_result.url_path,
publicity: FileHostPublicity::Public,
});
Ok((

13
apps/labrinth/src/routes/v3/projects.rs
View File

@@ -9,7 +9,7 @@ use crate::database::models::thread_item::ThreadMessageBuilder;
use crate::database::models::{DBTeamMember, ids as db_ids, image_item};
use crate::database::redis::RedisPool;
use crate::database::{self, models as db_models};
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models;
use crate::models::ids::ProjectId;
use crate::models::images::ImageContext;
@@ -28,7 +28,7 @@ use crate::search::indexing::remove_documents;
use crate::search::{SearchConfig, SearchError, search_for_project};
use crate::util::img;
use crate::util::img::{delete_old_images, upload_image_optimized};
use crate::util::routes::read_from_payload;
use crate::util::routes::read_limited_from_payload;
use crate::util::validate::validation_errors_to_string;
use actix_web::{HttpRequest, HttpResponse, web};
use ariadne::ids::base62_impl::parse_base62;
@@ -1487,11 +1487,12 @@ pub async fn project_icon_edit(
delete_old_images(
project_item.inner.icon_url,
project_item.inner.raw_icon_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
262144,
"Icons must be smaller than 256KiB",
@@ -1501,6 +1502,7 @@ pub async fn project_icon_edit(
let project_id: ProjectId = project_item.inner.id.into();
let upload_result = upload_image_optimized(
&format!("data/{project_id}"),
FileHostPublicity::Public,
bytes.freeze(),
&ext.ext,
Some(96),
@@ -1597,6 +1599,7 @@ pub async fn delete_project_icon(
delete_old_images(
project_item.inner.icon_url,
project_item.inner.raw_icon_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;
@@ -1709,7 +1712,7 @@ pub async fn add_gallery_item(
}
}
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
2 * (1 << 20),
"Gallery image exceeds the maximum of 2MiB.",
@@ -1719,6 +1722,7 @@ pub async fn add_gallery_item(
let id: ProjectId = project_item.inner.id.into();
let upload_result = upload_image_optimized(
&format!("data/{id}/images"),
FileHostPublicity::Public,
bytes.freeze(),
&ext.ext,
Some(350),
@@ -2049,6 +2053,7 @@ pub async fn delete_gallery_item(
delete_old_images(
Some(item.image_url),
Some(item.raw_image_url),
FileHostPublicity::Public,
&***file_host,
)
.await?;

12
apps/labrinth/src/routes/v3/reports.rs
View File

@@ -14,11 +14,11 @@ use crate::models::threads::{MessageBody, ThreadType};
use crate::queue::session::AuthQueue;
use crate::routes::ApiError;
use crate::util::img;
use crate::util::routes::read_typed_from_payload;
use actix_web::{HttpRequest, HttpResponse, web};
use ariadne::ids::UserId;
use ariadne::ids::base62_impl::parse_base62;
use chrono::Utc;
use futures::StreamExt;
use serde::Deserialize;
use sqlx::PgPool;
use validator::Validate;
@@ -63,15 +63,7 @@ pub async fn report_create(
.await?
.1;
let mut bytes = web::BytesMut::new();
while let Some(item) = body.next().await {
bytes.extend_from_slice(&item.map_err(|_| {
ApiError::InvalidInput(
"Error while parsing request payload!".to_string(),
)
})?);
}
let new_report: CreateReport = serde_json::from_slice(bytes.as_ref())?;
let new_report: CreateReport = read_typed_from_payload(&mut body).await?;
let id =
crate::database::models::generate_report_id(&mut transaction).await?;

200
apps/labrinth/src/routes/v3/shared_instance_version_creation.rs Normal file
View File

@@ -0,0 +1,200 @@
use crate::auth::get_user_from_headers;
use crate::database::models::shared_instance_item::{
DBSharedInstance, DBSharedInstanceUser, DBSharedInstanceVersion,
};
use crate::database::models::{
DBSharedInstanceId, DBSharedInstanceVersionId,
generate_shared_instance_version_id,
};
use crate::database::redis::RedisPool;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::ids::{SharedInstanceId, SharedInstanceVersionId};
use crate::models::pats::Scopes;
use crate::models::shared_instances::{
SharedInstanceUserPermissions, SharedInstanceVersion,
};
use crate::queue::session::AuthQueue;
use crate::routes::ApiError;
use crate::routes::v3::project_creation::UploadedFile;
use crate::util::ext::MRPACK_MIME_TYPE;
use actix_web::http::header::ContentLength;
use actix_web::web::Data;
use actix_web::{HttpRequest, HttpResponse, web};
use bytes::BytesMut;
use chrono::Utc;
use futures_util::StreamExt;
use hex::FromHex;
use sqlx::{PgPool, Postgres, Transaction};
use std::sync::Arc;
const MAX_FILE_SIZE: usize = 500 * 1024 * 1024;
const MAX_FILE_SIZE_TEXT: &str = "500 MB";
pub fn config(cfg: &mut web::ServiceConfig) {
cfg.route(
"shared-instance/{id}/version",
web::post().to(shared_instance_version_create),
);
}
#[allow(clippy::too_many_arguments)]
pub async fn shared_instance_version_create(
req: HttpRequest,
pool: Data<PgPool>,
payload: web::Payload,
web::Header(ContentLength(content_length)): web::Header<ContentLength>,
redis: Data<RedisPool>,
file_host: Data<Arc<dyn FileHost + Send + Sync>>,
info: web::Path<(SharedInstanceId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
if content_length > MAX_FILE_SIZE {
return Err(ApiError::InvalidInput(format!(
"File size exceeds the maximum limit of {MAX_FILE_SIZE_TEXT}"
)));
}
let mut transaction = pool.begin().await?;
let mut uploaded_files = vec![];
let result = shared_instance_version_create_inner(
req,
&pool,
payload,
content_length,
&redis,
&***file_host,
info.into_inner().0.into(),
&session_queue,
&mut transaction,
&mut uploaded_files,
)
.await;
if result.is_err() {
let undo_result = super::project_creation::undo_uploads(
&***file_host,
&uploaded_files,
)
.await;
let rollback_result = transaction.rollback().await;
undo_result?;
if let Err(e) = rollback_result {
return Err(e.into());
}
} else {
transaction.commit().await?;
}
result
}
#[allow(clippy::too_many_arguments)]
async fn shared_instance_version_create_inner(
req: HttpRequest,
pool: &PgPool,
mut payload: web::Payload,
content_length: usize,
redis: &RedisPool,
file_host: &dyn FileHost,
instance_id: DBSharedInstanceId,
session_queue: &AuthQueue,
transaction: &mut Transaction<'_, Postgres>,
uploaded_files: &mut Vec<UploadedFile>,
) -> Result<HttpResponse, ApiError> {
let user = get_user_from_headers(
&req,
pool,
redis,
session_queue,
Scopes::SHARED_INSTANCE_VERSION_CREATE,
)
.await?
.1;
let Some(instance) = DBSharedInstance::get(instance_id, pool).await? else {
return Err(ApiError::NotFound);
};
if !user.role.is_mod() && instance.owner_id != user.id.into() {
let permissions = DBSharedInstanceUser::get_user_permissions(
instance_id,
user.id.into(),
pool,
)
.await?;
if let Some(permissions) = permissions {
if !permissions
.contains(SharedInstanceUserPermissions::UPLOAD_VERSION)
{
return Err(ApiError::CustomAuthentication(
"You do not have permission to upload a version for this shared instance.".to_string()
));
}
} else {
return Err(ApiError::NotFound);
}
}
let version_id =
generate_shared_instance_version_id(&mut *transaction).await?;
let mut file_data = BytesMut::new();
while let Some(chunk) = payload.next().await {
let chunk = chunk.map_err(|_| {
ApiError::InvalidInput(
"Unable to parse bytes in payload sent!".to_string(),
)
})?;
if file_data.len() + chunk.len() <= MAX_FILE_SIZE {
file_data.extend_from_slice(&chunk);
} else {
file_data
.extend_from_slice(&chunk[..MAX_FILE_SIZE - file_data.len()]);
break;
}
}
let file_data = file_data.freeze();
let file_path = format!(
"shared_instance/{}.mrpack",
SharedInstanceVersionId::from(version_id),
);
let upload_data = file_host
.upload_file(
MRPACK_MIME_TYPE,
&file_path,
FileHostPublicity::Private,
file_data,
)
.await?;
uploaded_files.push(UploadedFile {
name: file_path,
publicity: upload_data.file_publicity,
});
let sha512 = Vec::<u8>::from_hex(upload_data.content_sha512).unwrap();
let new_version = DBSharedInstanceVersion {
id: version_id,
shared_instance_id: instance_id,
size: content_length as u64,
sha512,
created: Utc::now(),
};
new_version.insert(transaction).await?;
sqlx::query!(
"UPDATE shared_instances SET current_version_id = $1 WHERE id = $2",
new_version.id as DBSharedInstanceVersionId,
instance_id as DBSharedInstanceId,
)
.execute(&mut **transaction)
.await?;
let version: SharedInstanceVersion = new_version.into();
Ok(HttpResponse::Created().json(version))
}

612
apps/labrinth/src/routes/v3/shared_instances.rs Normal file
View File

@@ -0,0 +1,612 @@
use crate::auth::get_user_from_headers;
use crate::auth::validate::get_maybe_user_from_headers;
use crate::database::models::shared_instance_item::{
DBSharedInstance, DBSharedInstanceUser, DBSharedInstanceVersion,
};
use crate::database::models::{
DBSharedInstanceId, DBSharedInstanceVersionId, generate_shared_instance_id,
};
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::models::ids::{SharedInstanceId, SharedInstanceVersionId};
use crate::models::pats::Scopes;
use crate::models::shared_instances::{
SharedInstance, SharedInstanceUserPermissions, SharedInstanceVersion,
};
use crate::models::users::User;
use crate::queue::session::AuthQueue;
use crate::routes::ApiError;
use crate::util::routes::read_typed_from_payload;
use actix_web::web::{Data, Redirect};
use actix_web::{HttpRequest, HttpResponse, web};
use futures_util::future::try_join_all;
use serde::Deserialize;
use sqlx::PgPool;
use std::sync::Arc;
use validator::Validate;
pub fn config(cfg: &mut web::ServiceConfig) {
cfg.route("shared-instance", web::post().to(shared_instance_create));
cfg.route("shared-instance", web::get().to(shared_instance_list));
cfg.service(
web::scope("shared-instance")
.route("{id}", web::get().to(shared_instance_get))
.route("{id}", web::patch().to(shared_instance_edit))
.route("{id}", web::delete().to(shared_instance_delete))
.route("{id}/version", web::get().to(shared_instance_version_list)),
);
cfg.service(
web::scope("shared-instance-version")
.route("{id}", web::get().to(shared_instance_version_get))
.route("{id}", web::delete().to(shared_instance_version_delete))
.route(
"{id}/download",
web::get().to(shared_instance_version_download),
),
);
}
#[derive(Deserialize, Validate)]
pub struct CreateSharedInstance {
#[validate(
length(min = 3, max = 64),
custom(function = "crate::util::validate::validate_name")
)]
pub title: String,
#[serde(default)]
pub public: bool,
}
pub async fn shared_instance_create(
req: HttpRequest,
pool: Data<PgPool>,
mut body: web::Payload,
redis: Data<RedisPool>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let new_instance: CreateSharedInstance =
read_typed_from_payload(&mut body).await?;
let mut transaction = pool.begin().await?;
let user = get_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_CREATE,
)
.await?
.1;
let id = generate_shared_instance_id(&mut transaction).await?;
let instance = DBSharedInstance {
id,
title: new_instance.title,
owner_id: user.id.into(),
public: new_instance.public,
current_version_id: None,
};
instance.insert(&mut transaction).await?;
transaction.commit().await?;
Ok(HttpResponse::Created().json(SharedInstance {
id: id.into(),
title: instance.title,
owner: user.id,
public: instance.public,
current_version: None,
additional_users: Some(vec![]),
}))
}
pub async fn shared_instance_list(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let user = get_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_READ,
)
.await?
.1;
// TODO: Something for moderators to be able to see all instances?
let instances =
DBSharedInstance::list_for_user(user.id.into(), &**pool).await?;
let instances = try_join_all(instances.into_iter().map(
async |instance| -> Result<SharedInstance, ApiError> {
let version = if let Some(version_id) = instance.current_version_id
{
DBSharedInstanceVersion::get(version_id, &**pool).await?
} else {
None
};
let instance_id = instance.id;
Ok(SharedInstance::from_db(
instance,
Some(
DBSharedInstanceUser::get_from_instance(
instance_id,
&**pool,
&redis,
)
.await?,
),
version,
))
},
))
.await?;
Ok(HttpResponse::Ok().json(instances))
}
pub async fn shared_instance_get(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
info: web::Path<(SharedInstanceId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let id = info.into_inner().0.into();
let user = get_maybe_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_READ,
)
.await?
.map(|(_, user)| user);
let shared_instance = DBSharedInstance::get(id, &**pool).await?;
if let Some(shared_instance) = shared_instance {
let users =
DBSharedInstanceUser::get_from_instance(id, &**pool, &redis)
.await?;
let privately_accessible = user.is_some_and(|user| {
can_access_instance_privately(&shared_instance, &users, &user)
});
if !shared_instance.public && !privately_accessible {
return Err(ApiError::NotFound);
}
let current_version =
if let Some(version_id) = shared_instance.current_version_id {
DBSharedInstanceVersion::get(version_id, &**pool).await?
} else {
None
};
let shared_instance = SharedInstance::from_db(
shared_instance,
privately_accessible.then_some(users),
current_version,
);
Ok(HttpResponse::Ok().json(shared_instance))
} else {
Err(ApiError::NotFound)
}
}
fn can_access_instance_privately(
instance: &DBSharedInstance,
users: &[DBSharedInstanceUser],
user: &User,
) -> bool {
user.role.is_mod()
|| instance.owner_id == user.id.into()
|| users.iter().any(|x| x.user_id == user.id.into())
}
#[derive(Deserialize, Validate)]
pub struct EditSharedInstance {
#[validate(
length(min = 3, max = 64),
custom(function = "crate::util::validate::validate_name")
)]
pub title: Option<String>,
pub public: Option<bool>,
}
pub async fn shared_instance_edit(
req: HttpRequest,
pool: Data<PgPool>,
mut body: web::Payload,
redis: Data<RedisPool>,
info: web::Path<(SharedInstanceId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let id = info.into_inner().0.into();
let edit_instance: EditSharedInstance =
read_typed_from_payload(&mut body).await?;
let mut transaction = pool.begin().await?;
let user = get_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_WRITE,
)
.await?
.1;
let Some(instance) = DBSharedInstance::get(id, &**pool).await? else {
return Err(ApiError::NotFound);
};
if !user.role.is_mod() && instance.owner_id != user.id.into() {
let permissions = DBSharedInstanceUser::get_user_permissions(
id,
user.id.into(),
&**pool,
)
.await?;
if let Some(permissions) = permissions {
if !permissions.contains(SharedInstanceUserPermissions::EDIT) {
return Err(ApiError::CustomAuthentication(
"You do not have permission to edit this shared instance."
.to_string(),
));
}
} else {
return Err(ApiError::NotFound);
}
}
if let Some(title) = edit_instance.title {
sqlx::query!(
"
UPDATE shared_instances
SET title = $1
WHERE id = $2
",
title,
id as DBSharedInstanceId,
)
.execute(&mut *transaction)
.await?;
}
if let Some(public) = edit_instance.public {
sqlx::query!(
"
UPDATE shared_instances
SET public = $1
WHERE id = $2
",
public,
id as DBSharedInstanceId,
)
.execute(&mut *transaction)
.await?;
}
transaction.commit().await?;
Ok(HttpResponse::NoContent().body(""))
}
pub async fn shared_instance_delete(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
info: web::Path<(SharedInstanceId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let id: DBSharedInstanceId = info.into_inner().0.into();
let user = get_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_DELETE,
)
.await?
.1;
let Some(instance) = DBSharedInstance::get(id, &**pool).await? else {
return Err(ApiError::NotFound);
};
if !user.role.is_mod() && instance.owner_id != user.id.into() {
let permissions = DBSharedInstanceUser::get_user_permissions(
id,
user.id.into(),
&**pool,
)
.await?;
if let Some(permissions) = permissions {
if !permissions.contains(SharedInstanceUserPermissions::DELETE) {
return Err(ApiError::CustomAuthentication(
"You do not have permission to delete this shared instance.".to_string()
));
}
} else {
return Err(ApiError::NotFound);
}
}
sqlx::query!(
"
DELETE FROM shared_instances
WHERE id = $1
",
id as DBSharedInstanceId,
)
.execute(&**pool)
.await?;
DBSharedInstanceUser::clear_cache(id, &redis).await?;
Ok(HttpResponse::NoContent().body(""))
}
pub async fn shared_instance_version_list(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
info: web::Path<(SharedInstanceId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let id = info.into_inner().0.into();
let user = get_maybe_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_READ,
)
.await?
.map(|(_, user)| user);
let shared_instance = DBSharedInstance::get(id, &**pool).await?;
if let Some(shared_instance) = shared_instance {
if !can_access_instance_as_maybe_user(
&pool,
&redis,
&shared_instance,
user,
)
.await?
{
return Err(ApiError::NotFound);
}
let versions =
DBSharedInstanceVersion::get_for_instance(id, &**pool).await?;
let versions = versions
.into_iter()
.map(Into::into)
.collect::<Vec<SharedInstanceVersion>>();
Ok(HttpResponse::Ok().json(versions))
} else {
Err(ApiError::NotFound)
}
}
pub async fn shared_instance_version_get(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
info: web::Path<(SharedInstanceVersionId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let version_id = info.into_inner().0.into();
let user = get_maybe_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_READ,
)
.await?
.map(|(_, user)| user);
let version = DBSharedInstanceVersion::get(version_id, &**pool).await?;
if let Some(version) = version {
let instance =
DBSharedInstance::get(version.shared_instance_id, &**pool).await?;
if let Some(instance) = instance {
if !can_access_instance_as_maybe_user(
&pool, &redis, &instance, user,
)
.await?
{
return Err(ApiError::NotFound);
}
let version: SharedInstanceVersion = version.into();
Ok(HttpResponse::Ok().json(version))
} else {
Err(ApiError::NotFound)
}
} else {
Err(ApiError::NotFound)
}
}
async fn can_access_instance_as_maybe_user(
pool: &PgPool,
redis: &RedisPool,
instance: &DBSharedInstance,
user: Option<User>,
) -> Result<bool, ApiError> {
if instance.public {
return Ok(true);
}
let users =
DBSharedInstanceUser::get_from_instance(instance.id, pool, redis)
.await?;
Ok(user.is_some_and(|user| {
can_access_instance_privately(instance, &users, &user)
}))
}
pub async fn shared_instance_version_delete(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
info: web::Path<(SharedInstanceVersionId,)>,
session_queue: Data<AuthQueue>,
) -> Result<HttpResponse, ApiError> {
let version_id = info.into_inner().0.into();
let user = get_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_VERSION_DELETE,
)
.await?
.1;
let shared_instance_version =
DBSharedInstanceVersion::get(version_id, &**pool).await?;
if let Some(shared_instance_version) = shared_instance_version {
let shared_instance = DBSharedInstance::get(
shared_instance_version.shared_instance_id,
&**pool,
)
.await?;
if let Some(shared_instance) = shared_instance {
if !user.role.is_mod() && shared_instance.owner_id != user.id.into()
{
let permissions = DBSharedInstanceUser::get_user_permissions(
shared_instance.id,
user.id.into(),
&**pool,
)
.await?;
if let Some(permissions) = permissions {
if !permissions
.contains(SharedInstanceUserPermissions::DELETE)
{
return Err(ApiError::CustomAuthentication(
"You do not have permission to delete this shared instance version.".to_string()
));
}
} else {
return Err(ApiError::NotFound);
}
}
delete_instance_version(shared_instance.id, version_id, &pool)
.await?;
Ok(HttpResponse::NoContent().body(""))
} else {
Err(ApiError::NotFound)
}
} else {
Err(ApiError::NotFound)
}
}
async fn delete_instance_version(
instance_id: DBSharedInstanceId,
version_id: DBSharedInstanceVersionId,
pool: &PgPool,
) -> Result<(), ApiError> {
let mut transaction = pool.begin().await?;
sqlx::query!(
"
DELETE FROM shared_instance_versions
WHERE id = $1
",
version_id as DBSharedInstanceVersionId,
)
.execute(&mut *transaction)
.await?;
sqlx::query!(
"
UPDATE shared_instances
SET current_version_id = (
SELECT id FROM shared_instance_versions
WHERE shared_instance_id = $1
ORDER BY created DESC
LIMIT 1
)
WHERE id = $1
",
instance_id as DBSharedInstanceId,
)
.execute(&mut *transaction)
.await?;
transaction.commit().await?;
Ok(())
}
pub async fn shared_instance_version_download(
req: HttpRequest,
pool: Data<PgPool>,
redis: Data<RedisPool>,
file_host: Data<Arc<dyn FileHost + Send + Sync>>,
info: web::Path<(SharedInstanceVersionId,)>,
session_queue: Data<AuthQueue>,
) -> Result<Redirect, ApiError> {
let version_id = info.into_inner().0.into();
let user = get_maybe_user_from_headers(
&req,
&**pool,
&redis,
&session_queue,
Scopes::SHARED_INSTANCE_VERSION_READ,
)
.await?
.map(|(_, user)| user);
let version = DBSharedInstanceVersion::get(version_id, &**pool).await?;
if let Some(version) = version {
let instance =
DBSharedInstance::get(version.shared_instance_id, &**pool).await?;
if let Some(instance) = instance {
if !can_access_instance_as_maybe_user(
&pool, &redis, &instance, user,
)
.await?
{
return Err(ApiError::NotFound);
}
let file_name = format!(
"shared_instance/{}.mrpack",
SharedInstanceVersionId::from(version_id)
);
let url =
file_host.get_url_for_private_file(&file_name, 180).await?;
Ok(Redirect::to(url).see_other())
} else {
Err(ApiError::NotFound)
}
} else {
Err(ApiError::NotFound)
}
}

9
apps/labrinth/src/routes/v3/threads.rs
View File

@@ -6,7 +6,7 @@ use crate::database::models::image_item;
use crate::database::models::notification_item::NotificationBuilder;
use crate::database::models::thread_item::ThreadMessageBuilder;
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::ids::{ThreadId, ThreadMessageId};
use crate::models::images::{Image, ImageContext};
use crate::models::notifications::NotificationBody;
@@ -606,7 +606,12 @@ pub async fn message_delete(
for image in images {
let name = image.url.split(&format!("{cdn_url}/")).nth(1);
if let Some(icon_path) = name {
file_host.delete_file_version("", icon_path).await?;
file_host
.delete_file(
icon_path,
FileHostPublicity::Public, // FIXME: Consider using private file storage?
)
.await?;
}
database::DBImage::remove(image.id, &mut transaction, &redis)
.await?;

11
apps/labrinth/src/routes/v3/users.rs
View File

@@ -1,6 +1,7 @@
use std::{collections::HashMap, sync::Arc};
use super::{ApiError, oauth_clients::get_user_clients};
use crate::file_hosting::FileHostPublicity;
use crate::util::img::delete_old_images;
use crate::{
auth::{filter_visible_projects, get_user_from_headers},
@@ -14,7 +15,10 @@ use crate::{
users::{Badges, Role},
},
queue::session::AuthQueue,
util::{routes::read_from_payload, validate::validation_errors_to_string},
util::{
routes::read_limited_from_payload,
validate::validation_errors_to_string,
},
};
use actix_web::{HttpRequest, HttpResponse, web};
use ariadne::ids::UserId;
@@ -576,11 +580,12 @@ pub async fn user_icon_edit(
delete_old_images(
actual_user.avatar_url,
actual_user.raw_avatar_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;
let bytes = read_from_payload(
let bytes = read_limited_from_payload(
&mut payload,
262144,
"Icons must be smaller than 256KiB",
@@ -590,6 +595,7 @@ pub async fn user_icon_edit(
let user_id: UserId = actual_user.id.into();
let upload_result = crate::util::img::upload_image_optimized(
&format!("data/{user_id}"),
FileHostPublicity::Public,
bytes.freeze(),
&ext.ext,
Some(96),
@@ -648,6 +654,7 @@ pub async fn user_icon_delete(
delete_old_images(
actual_user.avatar_url,
actual_user.raw_avatar_url,
FileHostPublicity::Public,
&***file_host,
)
.await?;

8
apps/labrinth/src/routes/v3/version_creation.rs
View File

@@ -9,7 +9,7 @@ use crate::database::models::version_item::{
};
use crate::database::models::{self, DBOrganization, image_item};
use crate::database::redis::RedisPool;
use crate::file_hosting::FileHost;
use crate::file_hosting::{FileHost, FileHostPublicity};
use crate::models::ids::{ImageId, ProjectId, VersionId};
use crate::models::images::{Image, ImageContext};
use crate::models::notifications::NotificationBody;
@@ -952,12 +952,12 @@ pub async fn upload_file(
format!("data/{}/versions/{}/{}", project_id, version_id, &file_name);
let upload_data = file_host
.upload_file(content_type, &file_path, data)
.upload_file(content_type, &file_path, FileHostPublicity::Public, data)
.await?;
uploaded_files.push(UploadedFile {
file_id: upload_data.file_id,
file_name: file_path,
name: file_path,
publicity: FileHostPublicity::Public,
});
let sha1_bytes = upload_data.content_sha1.into_bytes();