Don't allow read-only users to manage subscriptions

silverpill 2023-02-04 16:57:55 +00:00
parent 09b16599d9
commit 79404fdc71
6 changed files with 30 additions and 14 deletions


@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Ignore forwarded `Like` activities. - Ignore forwarded `Like` activities.
- Set 10 minute timeout on background job that processes incoming activities. - Set 10 minute timeout on background job that processes incoming activities.
- Use "warn" log level for delivery errors. - Use "warn" log level for delivery errors.
- Don't allow read-only users to manage subscriptions.
### Fixed ### Fixed


@ -1658,6 +1658,7 @@ components:
enum: enum:
- create_follow_request - create_follow_request
- create_post - create_post
- manage_subscription_options
Signature: Signature:
type: object type: object
properties: properties:


@ -77,6 +77,8 @@ impl ApiRole {
match permission { match permission {
Permission::CreateFollowRequest => "create_follow_request", Permission::CreateFollowRequest => "create_follow_request",
Permission::CreatePost => "create_post", Permission::CreatePost => "create_post",
Permission::ManageSubscriptionOptions =>
"manage_subscription_options",
}.to_string() }.to_string()
}) })
.collect(); .collect();


@ -13,19 +13,22 @@ use crate::ethereum::subscriptions::{
}; };
use crate::mastodon_api::accounts::types::Account; use crate::mastodon_api::accounts::types::Account;
use crate::mastodon_api::oauth::auth::get_current_user; use crate::mastodon_api::oauth::auth::get_current_user;
use crate::models::invoices::queries::{create_invoice, get_invoice_by_id}; use crate::models::{
use crate::models::profiles::queries::{ invoices::queries::{create_invoice, get_invoice_by_id},
get_profile_by_id, profiles::queries::{
update_profile, get_profile_by_id,
update_profile,
},
profiles::types::{
MoneroSubscription,
PaymentOption,
PaymentType,
ProfileUpdateData,
},
subscriptions::queries::get_subscription_by_participants,
users::queries::get_user_by_id,
users::types::Permission,
}; };
use crate::models::profiles::types::{
MoneroSubscription,
PaymentOption,
PaymentType,
ProfileUpdateData,
};
use crate::models::subscriptions::queries::get_subscription_by_participants;
use crate::models::users::queries::get_user_by_id;
use crate::monero::{ use crate::monero::{
helpers::validate_monero_address, helpers::validate_monero_address,
wallet::create_monero_address, wallet::create_monero_address,
@ -91,6 +94,9 @@ pub async fn register_subscription_option(
) -> Result<HttpResponse, HttpError> { ) -> Result<HttpResponse, HttpError> {
let db_client = &**get_database_client(&db_pool).await?; let db_client = &**get_database_client(&db_pool).await?;
let mut current_user = get_current_user(db_client, auth.token()).await?; let mut current_user = get_current_user(db_client, auth.token()).await?;
if current_user.role.has_permission(Permission::ManageSubscriptionOptions) {
return Err(HttpError::PermissionError);
};
let maybe_payment_option = match subscription_option.into_inner() { let maybe_payment_option = match subscription_option.into_inner() {
SubscriptionOption::Ethereum => { SubscriptionOption::Ethereum => {
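Review bot: The guard added to `register_subscription_option` is inverted: `if current_user.role.has_permission(Permission::ManageSubscriptionOptions)` returns `HttpError::PermissionError` for roles that hold the permission and lets roles without it continue. Given the role table changed in this commit, read-only users would still pass while normal users and admins are rejected. The condition should be negated, `if !current_user.role.has_permission(Permission::ManageSubscriptionOptions) {`, and the stray `;` after the closing brace can go. A handler-level test that calls this endpoint as a read-only user and expects a permission error, and as a normal user and expects success, would pin the intended behaviour. The function body continues outside the hunk, and the other handlers in this file are not visible here, so it is worth confirming whether any of them need the same check.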


@ -126,8 +126,7 @@ pub async fn can_view_post(
pub fn can_create_post( pub fn can_create_post(
user: &User, user: &User,
) -> bool { ) -> bool {
let permissions = user.role.get_permissions(); user.role.has_permission(Permission::CreatePost)
permissions.contains(&Permission::CreatePost)
} }
pub async fn get_local_post_by_id( pub async fn get_local_post_by_id(


@ -16,6 +16,7 @@ use crate::utils::currencies::Currency;
pub enum Permission { pub enum Permission {
CreateFollowRequest, CreateFollowRequest,
CreatePost, CreatePost,
ManageSubscriptionOptions,
} }
#[derive(Clone, Debug, PartialEq)] #[derive(Clone, Debug, PartialEq)]
@ -47,16 +48,22 @@ impl Role {
Self::NormalUser => vec![ Self::NormalUser => vec![
Permission::CreateFollowRequest, Permission::CreateFollowRequest,
Permission::CreatePost, Permission::CreatePost,
Permission::ManageSubscriptionOptions,
], ],
Self::Admin => vec![ Self::Admin => vec![
Permission::CreateFollowRequest, Permission::CreateFollowRequest,
Permission::CreatePost, Permission::CreatePost,
Permission::ManageSubscriptionOptions,
], ],
Self::ReadOnlyUser => vec![ Self::ReadOnlyUser => vec![
Permission::CreateFollowRequest, Permission::CreateFollowRequest,
], ],
} }
} }
pub fn has_permission(&self, permission: Permission) -> bool {
self.get_permissions().contains(&permission)
}
} }
impl From<&Role> for i16 { impl From<&Role> for i16 {
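Review bot: `has_permission` becomes the primitive that authorization checks call, but it is added without a doc comment, and nothing in this commit pins the role table it reads. I would add `/// Returns true when this role's permission list contains the given permission.` above it. I would also add a unit test asserting `!Role::ReadOnlyUser.has_permission(Permission::ManageSubscriptionOptions)` alongside the positive cases for `Role::NormalUser` and `Role::Admin`, so an accidental edit to the lists in `get_permissions` fails a test instead of silently widening access. The `impl Role` block starts outside the hunk.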