Don't allow read-only users to manage subscriptions
This commit is contained in:
parent
09b16599d9
commit
79404fdc71
6 changed files with 30 additions and 14 deletions
|
@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
|
|||
- Ignore forwarded `Like` activities.
|
||||
- Set 10 minute timeout on background job that processes incoming activities.
|
||||
- Use "warn" log level for delivery errors.
|
||||
- Don't allow read-only users to manage subscriptions.
|
||||
|
||||
### Fixed
|
||||
|
||||
|
|
|
@ -1658,6 +1658,7 @@ components:
|
|||
enum:
|
||||
- create_follow_request
|
||||
- create_post
|
||||
- manage_subscription_options
|
||||
Signature:
|
||||
type: object
|
||||
properties:
|
||||
|
|
|
@ -77,6 +77,8 @@ impl ApiRole {
|
|||
match permission {
|
||||
Permission::CreateFollowRequest => "create_follow_request",
|
||||
Permission::CreatePost => "create_post",
|
||||
Permission::ManageSubscriptionOptions =>
|
||||
"manage_subscription_options",
|
||||
}.to_string()
|
||||
})
|
||||
.collect();
|
||||
|
|
|
@ -13,19 +13,22 @@ use crate::ethereum::subscriptions::{
|
|||
};
|
||||
use crate::mastodon_api::accounts::types::Account;
|
||||
use crate::mastodon_api::oauth::auth::get_current_user;
|
||||
use crate::models::invoices::queries::{create_invoice, get_invoice_by_id};
|
||||
use crate::models::profiles::queries::{
|
||||
get_profile_by_id,
|
||||
update_profile,
|
||||
use crate::models::{
|
||||
invoices::queries::{create_invoice, get_invoice_by_id},
|
||||
profiles::queries::{
|
||||
get_profile_by_id,
|
||||
update_profile,
|
||||
},
|
||||
profiles::types::{
|
||||
MoneroSubscription,
|
||||
PaymentOption,
|
||||
PaymentType,
|
||||
ProfileUpdateData,
|
||||
},
|
||||
subscriptions::queries::get_subscription_by_participants,
|
||||
users::queries::get_user_by_id,
|
||||
users::types::Permission,
|
||||
};
|
||||
use crate::models::profiles::types::{
|
||||
MoneroSubscription,
|
||||
PaymentOption,
|
||||
PaymentType,
|
||||
ProfileUpdateData,
|
||||
};
|
||||
use crate::models::subscriptions::queries::get_subscription_by_participants;
|
||||
use crate::models::users::queries::get_user_by_id;
|
||||
use crate::monero::{
|
||||
helpers::validate_monero_address,
|
||||
wallet::create_monero_address,
|
||||
|
@ -91,6 +94,9 @@ pub async fn register_subscription_option(
|
|||
) -> Result<HttpResponse, HttpError> {
|
||||
let db_client = &**get_database_client(&db_pool).await?;
|
||||
let mut current_user = get_current_user(db_client, auth.token()).await?;
|
||||
if current_user.role.has_permission(Permission::ManageSubscriptionOptions) {
|
||||
return Err(HttpError::PermissionError);
|
||||
};
|
||||
|
||||
let maybe_payment_option = match subscription_option.into_inner() {
|
||||
SubscriptionOption::Ethereum => {
|
||||
|
|
|
@ -126,8 +126,7 @@ pub async fn can_view_post(
|
|||
pub fn can_create_post(
|
||||
user: &User,
|
||||
) -> bool {
|
||||
let permissions = user.role.get_permissions();
|
||||
permissions.contains(&Permission::CreatePost)
|
||||
user.role.has_permission(Permission::CreatePost)
|
||||
}
|
||||
|
||||
pub async fn get_local_post_by_id(
|
||||
|
|
|
@ -16,6 +16,7 @@ use crate::utils::currencies::Currency;
|
|||
pub enum Permission {
|
||||
CreateFollowRequest,
|
||||
CreatePost,
|
||||
ManageSubscriptionOptions,
|
||||
}
|
||||
|
||||
#[derive(Clone, Debug, PartialEq)]
|
||||
|
@ -47,16 +48,22 @@ impl Role {
|
|||
Self::NormalUser => vec![
|
||||
Permission::CreateFollowRequest,
|
||||
Permission::CreatePost,
|
||||
Permission::ManageSubscriptionOptions,
|
||||
],
|
||||
Self::Admin => vec![
|
||||
Permission::CreateFollowRequest,
|
||||
Permission::CreatePost,
|
||||
Permission::ManageSubscriptionOptions,
|
||||
],
|
||||
Self::ReadOnlyUser => vec![
|
||||
Permission::CreateFollowRequest,
|
||||
],
|
||||
}
|
||||
}
|
||||
|
||||
pub fn has_permission(&self, permission: Permission) -> bool {
|
||||
self.get_permissions().contains(&permission)
|
||||
}
|
||||
}
|
||||
|
||||
impl From<&Role> for i16 {
|
||||
|
|
Loading…
Reference in a new issue