Don't allow read-only users to manage subscriptions

This commit is contained in:
silverpill 2023-02-04 16:57:55 +00:00
parent 09b16599d9
commit 79404fdc71
6 changed files with 30 additions and 14 deletions

View file

@ -20,6 +20,7 @@ The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/).
- Ignore forwarded `Like` activities.
- Set 10 minute timeout on background job that processes incoming activities.
- Use "warn" log level for delivery errors.
- Don't allow read-only users to manage subscriptions.
### Fixed

View file

@ -1658,6 +1658,7 @@ components:
enum:
- create_follow_request
- create_post
- manage_subscription_options
Signature:
type: object
properties:

View file

@ -77,6 +77,8 @@ impl ApiRole {
match permission {
Permission::CreateFollowRequest => "create_follow_request",
Permission::CreatePost => "create_post",
Permission::ManageSubscriptionOptions =>
"manage_subscription_options",
}.to_string()
})
.collect();

View file

@ -13,19 +13,22 @@ use crate::ethereum::subscriptions::{
};
use crate::mastodon_api::accounts::types::Account;
use crate::mastodon_api::oauth::auth::get_current_user;
use crate::models::invoices::queries::{create_invoice, get_invoice_by_id};
use crate::models::profiles::queries::{
use crate::models::{
invoices::queries::{create_invoice, get_invoice_by_id},
profiles::queries::{
get_profile_by_id,
update_profile,
};
use crate::models::profiles::types::{
},
profiles::types::{
MoneroSubscription,
PaymentOption,
PaymentType,
ProfileUpdateData,
},
subscriptions::queries::get_subscription_by_participants,
users::queries::get_user_by_id,
users::types::Permission,
};
use crate::models::subscriptions::queries::get_subscription_by_participants;
use crate::models::users::queries::get_user_by_id;
use crate::monero::{
helpers::validate_monero_address,
wallet::create_monero_address,
@ -91,6 +94,9 @@ pub async fn register_subscription_option(
) -> Result<HttpResponse, HttpError> {
let db_client = &**get_database_client(&db_pool).await?;
let mut current_user = get_current_user(db_client, auth.token()).await?;
if current_user.role.has_permission(Permission::ManageSubscriptionOptions) {
return Err(HttpError::PermissionError);
};
let maybe_payment_option = match subscription_option.into_inner() {
SubscriptionOption::Ethereum => {

View file

@ -126,8 +126,7 @@ pub async fn can_view_post(
pub fn can_create_post(
user: &User,
) -> bool {
let permissions = user.role.get_permissions();
permissions.contains(&Permission::CreatePost)
user.role.has_permission(Permission::CreatePost)
}
pub async fn get_local_post_by_id(

View file

@ -16,6 +16,7 @@ use crate::utils::currencies::Currency;
pub enum Permission {
CreateFollowRequest,
CreatePost,
ManageSubscriptionOptions,
}
#[derive(Clone, Debug, PartialEq)]
@ -47,16 +48,22 @@ impl Role {
Self::NormalUser => vec![
Permission::CreateFollowRequest,
Permission::CreatePost,
Permission::ManageSubscriptionOptions,
],
Self::Admin => vec![
Permission::CreateFollowRequest,
Permission::CreatePost,
Permission::ManageSubscriptionOptions,
],
Self::ReadOnlyUser => vec![
Permission::CreateFollowRequest,
],
}
}
pub fn has_permission(&self, permission: Permission) -> bool {
self.get_permissions().contains(&permission)
}
}
impl From<&Role> for i16 {