From 79404fdc7102ae05f8ae41ae8ec26be427d2e915 Mon Sep 17 00:00:00 2001
From: silverpill <silverpill@firemail.cc>
Date: Sat, 4 Feb 2023 16:57:55 +0000
Subject: [PATCH] Don't allow read-only users to manage subscriptions

---
 CHANGELOG.md                            |  1 +
 docs/openapi.yaml                       |  1 +
 src/mastodon_api/accounts/types.rs      |  2 ++
 src/mastodon_api/subscriptions/views.rs | 30 +++++++++++++++----------
 src/models/posts/helpers.rs             |  3 +--
 src/models/users/types.rs               |  7 ++++++
 6 files changed, 30 insertions(+), 14 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a31fe02..d7bb7bf 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Ignore forwarded `Like` activities.
 - Set 10 minute timeout on background job that processes incoming activities.
 - Use "warn" log level for delivery errors.
+- Don't allow read-only users to manage subscriptions.
 
 ### Fixed
 
diff --git a/docs/openapi.yaml b/docs/openapi.yaml
index f833d85..435916b 100644
--- a/docs/openapi.yaml
+++ b/docs/openapi.yaml
@@ -1658,6 +1658,7 @@ components:
             enum:
               - create_follow_request
               - create_post
+              - manage_subscription_options
     Signature:
       type: object
       properties:
diff --git a/src/mastodon_api/accounts/types.rs b/src/mastodon_api/accounts/types.rs
index 52ec509..6e02ba2 100644
--- a/src/mastodon_api/accounts/types.rs
+++ b/src/mastodon_api/accounts/types.rs
@@ -77,6 +77,8 @@ impl ApiRole {
                 match permission {
                     Permission::CreateFollowRequest => "create_follow_request",
                     Permission::CreatePost => "create_post",
+                    Permission::ManageSubscriptionOptions =>
+                        "manage_subscription_options",
                 }.to_string()
             })
             .collect();
diff --git a/src/mastodon_api/subscriptions/views.rs b/src/mastodon_api/subscriptions/views.rs
index ed6518e..2372d3b 100644
--- a/src/mastodon_api/subscriptions/views.rs
+++ b/src/mastodon_api/subscriptions/views.rs
@@ -13,19 +13,22 @@ use crate::ethereum::subscriptions::{
 };
 use crate::mastodon_api::accounts::types::Account;
 use crate::mastodon_api::oauth::auth::get_current_user;
-use crate::models::invoices::queries::{create_invoice, get_invoice_by_id};
-use crate::models::profiles::queries::{
-    get_profile_by_id,
-    update_profile,
+use crate::models::{
+    invoices::queries::{create_invoice, get_invoice_by_id},
+    profiles::queries::{
+        get_profile_by_id,
+        update_profile,
+    },
+    profiles::types::{
+        MoneroSubscription,
+        PaymentOption,
+        PaymentType,
+        ProfileUpdateData,
+    },
+    subscriptions::queries::get_subscription_by_participants,
+    users::queries::get_user_by_id,
+    users::types::Permission,
 };
-use crate::models::profiles::types::{
-    MoneroSubscription,
-    PaymentOption,
-    PaymentType,
-    ProfileUpdateData,
-};
-use crate::models::subscriptions::queries::get_subscription_by_participants;
-use crate::models::users::queries::get_user_by_id;
 use crate::monero::{
     helpers::validate_monero_address,
     wallet::create_monero_address,
@@ -91,6 +94,9 @@ pub async fn register_subscription_option(
 ) -> Result<HttpResponse, HttpError> {
     let db_client = &**get_database_client(&db_pool).await?;
     let mut current_user = get_current_user(db_client, auth.token()).await?;
+    if current_user.role.has_permission(Permission::ManageSubscriptionOptions) {
+        return Err(HttpError::PermissionError);
+    };
 
     let maybe_payment_option = match subscription_option.into_inner() {
         SubscriptionOption::Ethereum => {
diff --git a/src/models/posts/helpers.rs b/src/models/posts/helpers.rs
index 4a542e2..8fe936f 100644
--- a/src/models/posts/helpers.rs
+++ b/src/models/posts/helpers.rs
@@ -126,8 +126,7 @@ pub async fn can_view_post(
 pub fn can_create_post(
     user: &User,
 ) -> bool {
-    let permissions = user.role.get_permissions();
-    permissions.contains(&Permission::CreatePost)
+    user.role.has_permission(Permission::CreatePost)
 }
 
 pub async fn get_local_post_by_id(
diff --git a/src/models/users/types.rs b/src/models/users/types.rs
index 17c44d3..e35fd98 100644
--- a/src/models/users/types.rs
+++ b/src/models/users/types.rs
@@ -16,6 +16,7 @@ use crate::utils::currencies::Currency;
 pub enum Permission {
     CreateFollowRequest,
     CreatePost,
+    ManageSubscriptionOptions,
 }
 
 #[derive(Clone, Debug, PartialEq)]
@@ -47,16 +48,22 @@ impl Role {
             Self::NormalUser => vec![
                 Permission::CreateFollowRequest,
                 Permission::CreatePost,
+                Permission::ManageSubscriptionOptions,
             ],
             Self::Admin => vec![
                 Permission::CreateFollowRequest,
                 Permission::CreatePost,
+                Permission::ManageSubscriptionOptions,
             ],
             Self::ReadOnlyUser => vec![
                 Permission::CreateFollowRequest,
             ],
         }
     }
+
+    pub fn has_permission(&self, permission: Permission) -> bool {
+        self.get_permissions().contains(&permission)
+    }
 }
 
 impl From<&Role> for i16 {