Don't allow read-only users to manage subscriptions

CHANGELOG.md

@@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
 - Ignore forwarded `Like` activities.
 - Set 10 minute timeout on background job that processes incoming activities.
 - Use "warn" log level for delivery errors.
+- Don't allow read-only users to manage subscriptions.
 
 ### Fixed
 

docs/openapi.yaml

@@ -1658,6 +1658,7 @@ components:
             enum:
               - create_follow_request
               - create_post
+              - manage_subscription_options
     Signature:
       type: object
       properties:

src/mastodon_api/accounts/types.rs

@@ -77,6 +77,8 @@ impl ApiRole {
                 match permission {
                     Permission::CreateFollowRequest => "create_follow_request",
                     Permission::CreatePost => "create_post",
+                    Permission::ManageSubscriptionOptions =>
+                        "manage_subscription_options",
                 }.to_string()
             })
             .collect();

src/mastodon_api/subscriptions/views.rs

@@ -13,19 +13,22 @@ use crate::ethereum::subscriptions::{
 };
 use crate::mastodon_api::accounts::types::Account;
 use crate::mastodon_api::oauth::auth::get_current_user;
-use crate::models::invoices::queries::{create_invoice, get_invoice_by_id};
-use crate::models::profiles::queries::{
+use crate::models::{
+    invoices::queries::{create_invoice, get_invoice_by_id},
+    profiles::queries::{
         get_profile_by_id,
         update_profile,
-};
-use crate::models::profiles::types::{
+    },
+    profiles::types::{
         MoneroSubscription,
         PaymentOption,
         PaymentType,
         ProfileUpdateData,
+    },
+    subscriptions::queries::get_subscription_by_participants,
+    users::queries::get_user_by_id,
+    users::types::Permission,
 };
-use crate::models::subscriptions::queries::get_subscription_by_participants;
-use crate::models::users::queries::get_user_by_id;
 use crate::monero::{
     helpers::validate_monero_address,
     wallet::create_monero_address,
@@ -91,6 +94,9 @@ pub async fn register_subscription_option(
 ) -> Result<HttpResponse, HttpError> {
     let db_client = &**get_database_client(&db_pool).await?;
     let mut current_user = get_current_user(db_client, auth.token()).await?;
+    if current_user.role.has_permission(Permission::ManageSubscriptionOptions) {
+        return Err(HttpError::PermissionError);
+    };
 
     let maybe_payment_option = match subscription_option.into_inner() {
         SubscriptionOption::Ethereum => {

src/models/posts/helpers.rs

@@ -126,8 +126,7 @@ pub async fn can_view_post(
 pub fn can_create_post(
     user: &User,
 ) -> bool {
-    let permissions = user.role.get_permissions();
-    permissions.contains(&Permission::CreatePost)
+    user.role.has_permission(Permission::CreatePost)
 }
 
 pub async fn get_local_post_by_id(

src/models/users/types.rs

@@ -16,6 +16,7 @@ use crate::utils::currencies::Currency;
 pub enum Permission {
     CreateFollowRequest,
     CreatePost,
+    ManageSubscriptionOptions,
 }
 
 #[derive(Clone, Debug, PartialEq)]
@@ -47,16 +48,22 @@ impl Role {
             Self::NormalUser => vec![
                 Permission::CreateFollowRequest,
                 Permission::CreatePost,
+                Permission::ManageSubscriptionOptions,
             ],
             Self::Admin => vec![
                 Permission::CreateFollowRequest,
                 Permission::CreatePost,
+                Permission::ManageSubscriptionOptions,
             ],
             Self::ReadOnlyUser => vec![
                 Permission::CreateFollowRequest,
             ],
         }
     }
+
+    pub fn has_permission(&self, permission: Permission) -> bool {
+        self.get_permissions().contains(&permission)
+    }
 }
 
 impl From<&Role> for i16 {