From b864791fa6148f8d82516d69c0791b30a09ffb50 Mon Sep 17 00:00:00 2001 From: wafflecoffee Date: Sat, 23 Jul 2022 21:47:32 -0400 Subject: [PATCH] Limit 'superuser' status of current moderators (#386) Resolves MOD-88 Co-authored-by: Geometrically <18202329+Geometrically@users.noreply.github.com> --- src/models/users.rs | 7 +++++++ src/routes/notifications.rs | 8 ++++---- src/routes/projects.rs | 11 +++++++---- src/routes/teams.rs | 2 +- src/routes/users.rs | 8 ++++---- src/routes/v1/users.rs | 2 +- src/routes/v1/versions.rs | 2 +- src/routes/version_file.rs | 2 +- src/routes/versions.rs | 9 ++++++--- 9 files changed, 32 insertions(+), 19 deletions(-) diff --git a/src/models/users.rs b/src/models/users.rs index e45f6bb01..e5f4b3958 100644 --- a/src/models/users.rs +++ b/src/models/users.rs @@ -77,4 +77,11 @@ impl Role { Role::Moderator | Role::Admin => true, } } + + pub fn is_admin(&self) -> bool { + match self { + Role::Developer | Role::Moderator => false, + Role::Admin => true, + } + } } diff --git a/src/routes/notifications.rs b/src/routes/notifications.rs index 69de2357e..b9a95ce96 100644 --- a/src/routes/notifications.rs +++ b/src/routes/notifications.rs @@ -39,7 +39,7 @@ pub async fn notifications_get( let notifications: Vec = notifications_data .into_iter() - .filter(|n| n.user_id == user.id.into() || user.role.is_mod()) + .filter(|n| n.user_id == user.id.into() || user.role.is_admin()) .map(Notification::from) .collect(); @@ -64,7 +64,7 @@ pub async fn notification_get( .await?; if let Some(data) = notification_data { - if user.id == data.user_id.into() || user.role.is_mod() { + if user.id == data.user_id.into() || user.role.is_admin() { Ok(HttpResponse::Ok().json(Notification::from(data))) } else { Ok(HttpResponse::NotFound().body("")) @@ -92,7 +92,7 @@ pub async fn notification_delete( .await?; if let Some(data) = notification_data { - if data.user_id == user.id.into() || user.role.is_mod() { + if data.user_id == user.id.into() || user.role.is_admin() { let mut transaction = pool.begin().await?; database::models::notification_item::Notification::remove( @@ -142,7 +142,7 @@ pub async fn notifications_delete( Vec::new(); for notification in notifications_data { - if notification.user_id == user.id.into() || user.role.is_mod() { + if notification.user_id == user.id.into() || user.role.is_admin() { notifications.push(notification.id); } } diff --git a/src/routes/projects.rs b/src/routes/projects.rs index 04a7accb6..2cb6073f7 100644 --- a/src/routes/projects.rs +++ b/src/routes/projects.rs @@ -357,10 +357,13 @@ pub async fn project_edit( .await?; let permissions; - if let Some(member) = team_member { + if user.role.is_admin() { + permissions = Some(Permissions::ALL) + } else if let Some(member) = team_member { permissions = Some(member.permissions) } else if user.role.is_mod() { - permissions = Some(Permissions::ALL) + permissions = + Some(Permissions::EDIT_DETAILS | Permissions::EDIT_BODY) } else { permissions = None } @@ -1117,7 +1120,7 @@ pub async fn add_gallery_item( ) })?; - if !user.role.is_mod() { + if !user.role.is_admin() { let team_member = database::models::TeamMember::get_from_user_id( project_item.team_id, user.id.into(), @@ -1446,7 +1449,7 @@ pub async fn project_delete( ) })?; - if !user.role.is_mod() { + if !user.role.is_admin() { let team_member = database::models::TeamMember::get_from_user_id_project( project.id, diff --git a/src/routes/teams.rs b/src/routes/teams.rs index 44a001a56..bf5fccd4f 100644 --- a/src/routes/teams.rs +++ b/src/routes/teams.rs @@ -386,7 +386,7 @@ pub async fn transfer_ownership( let current_user = get_user_from_headers(req.headers(), &**pool).await?; - if !current_user.role.is_mod() { + if !current_user.role.is_admin() { let member = TeamMember::get_from_user_id( id.into(), current_user.id.into(), diff --git a/src/routes/users.rs b/src/routes/users.rs index f05722d2c..5501e2455 100644 --- a/src/routes/users.rs +++ b/src/routes/users.rs @@ -255,7 +255,7 @@ pub async fn user_edit( } if let Some(role) = &new_user.role { - if !user.role.is_mod() { + if !user.role.is_admin() { return Err(ApiError::CustomAuthentication( "You do not have the permissions to edit the role of this user!" .to_string(), @@ -410,7 +410,7 @@ pub async fn user_delete( .await?; if let Some(id) = id_option { - if !user.role.is_mod() && user.id != id.into() { + if !user.role.is_admin() && user.id != id.into() { return Err(ApiError::CustomAuthentication( "You do not have permission to delete this user!".to_string(), )); @@ -451,7 +451,7 @@ pub async fn user_follows( .await?; if let Some(id) = id_option { - if !user.role.is_mod() && user.id != id.into() { + if !user.role.is_admin() && user.id != id.into() { return Err(ApiError::CustomAuthentication( "You do not have permission to see the projects this user follows!".to_string(), )); @@ -501,7 +501,7 @@ pub async fn user_notifications( .await?; if let Some(id) = id_option { - if !user.role.is_mod() && user.id != id.into() { + if !user.role.is_admin() && user.id != id.into() { return Err(ApiError::CustomAuthentication( "You do not have permission to see the notifications of this user!".to_string(), )); diff --git a/src/routes/v1/users.rs b/src/routes/v1/users.rs index 52e428698..553bb172f 100644 --- a/src/routes/v1/users.rs +++ b/src/routes/v1/users.rs @@ -65,7 +65,7 @@ pub async fn user_follows( .await?; if let Some(id) = id_option { - if !user.role.is_mod() && user.id != id.into() { + if !user.role.is_admin() && user.id != id.into() { return Err(ApiError::CustomAuthentication( "You do not have permission to see the projects this user follows!".to_string(), )); diff --git a/src/routes/v1/versions.rs b/src/routes/v1/versions.rs index 9cb335c8f..336104a63 100644 --- a/src/routes/v1/versions.rs +++ b/src/routes/v1/versions.rs @@ -309,7 +309,7 @@ pub async fn delete_file( ?; if let Some(row) = result { - if !user.role.is_mod() { + if !user.role.is_admin() { let team_member = database::models::TeamMember::get_from_user_id_version( database::models::ids::VersionId(row.version_id), diff --git a/src/routes/version_file.rs b/src/routes/version_file.rs index 45bf7c638..c1044e935 100644 --- a/src/routes/version_file.rs +++ b/src/routes/version_file.rs @@ -136,7 +136,7 @@ pub async fn delete_file( ?; if let Some(row) = result { - if !user.role.is_mod() { + if !user.role.is_admin() { let team_member = database::models::TeamMember::get_from_user_id_version( database::models::ids::VersionId(row.version_id), diff --git a/src/routes/versions.rs b/src/routes/versions.rs index 5515947f2..adc6fa79a 100644 --- a/src/routes/versions.rs +++ b/src/routes/versions.rs @@ -217,10 +217,13 @@ pub async fn version_edit( .await?; let permissions; - if let Some(member) = team_member { + if user.role.is_admin() { + permissions = Some(Permissions::ALL) + } else if let Some(member) = team_member { permissions = Some(member.permissions) } else if user.role.is_mod() { - permissions = Some(Permissions::ALL) + permissions = + Some(Permissions::EDIT_DETAILS | Permissions::EDIT_BODY) } else { permissions = None } @@ -521,7 +524,7 @@ pub async fn version_delete( let user = get_user_from_headers(req.headers(), &**pool).await?; let id = info.into_inner().0; - if !user.role.is_mod() { + if !user.role.is_admin() { let team_member = database::models::TeamMember::get_from_user_id_version( id.into(), user.id.into(),