Make it impossible to write in a blog where you are not author

Fix #62
This commit is contained in:
Bat 2018-06-20 09:44:56 +01:00
parent 8ab25b1ca2
commit 65e819c425
7 changed files with 81 additions and 42 deletions


@ -274,3 +274,9 @@ msgstr ""
msgid "The link that led you here may be broken."
msgstr ""
msgid "You are not authorized."
msgstr ""
msgid "You are not author in this blog."
msgstr ""


@ -274,3 +274,9 @@ msgstr ""
msgid "The link that led you here may be broken."
msgstr ""
msgid "You are not authorized."
msgstr ""
msgid "You are not author in this blog."
msgstr ""


@ -279,5 +279,11 @@ msgstr "Nie udało się odnaleźć tej strony."
msgid "The link that led you here may be broken."
msgstr "Odnośnik który Cię tu zaprowadził może być uszkodzony."
msgid "You are not authorized."
msgstr ""
msgid "You are not author in this blog."
msgstr ""
#~ msgid "Logowanie"
#~ msgstr "Zaloguj się"


@ -269,3 +269,9 @@ msgstr ""
msgid "The link that led you here may be broken."
msgstr ""
msgid "You are not authorized."
msgstr ""
msgid "You are not author in this blog."
msgstr ""


@ -86,6 +86,10 @@ pub struct NewUser {
impl User {
insert!(users, NewUser);
get!(users);
find_by!(users, find_by_email, email as String);
find_by!(users, find_by_name, username as String, instance_id as i32);
pub fn grant_admin_rights(&self, conn: &PgConnection) {
diesel::update(self)
@ -105,8 +109,6 @@ impl User {
.into_iter().nth(0).unwrap()
}
get!(users);
pub fn count_local(conn: &PgConnection) -> usize {
users::table.filter(users::instance_id.eq(Instance::local_id(conn)))
.load::<User>(conn)
@ -114,9 +116,6 @@ impl User {
.len()
}
find_by!(users, find_by_email, email as String);
find_by!(users, find_by_name, username as String, instance_id as i32);
pub fn find_local(conn: &PgConnection, username: String) -> Option<User> {
User::find_by_name(conn, username, Instance::local_id(conn))
}


@ -55,11 +55,18 @@ fn new_auth(blog: String) -> Flash<Redirect> {
}
#[get("/~/<blog>/new", rank = 1)]
#[allow(unused_variables)]
fn new(blog: String, user: User) -> Template {
Template::render("posts/new", json!({
"account": user
}))
fn new(blog: String, user: User, conn: DbConn) -> Template {
let b = Blog::find_by_fqn(&*conn, blog.to_string()).unwrap();
if !user.is_author_in(&*conn, b.clone()) {
Template::render("errors/403", json!({
"error_message": "You are not author in this blog."
}))
} else {
Template::render("posts/new", json!({
"account": user
}))
}
}
#[derive(FromForm)]
@ -75,41 +82,45 @@ fn create(blog_name: String, data: Form<NewPostForm>, user: User, conn: DbConn)
let form = data.get();
let slug = form.title.to_string().to_kebab_case();
if slug == "new" || Post::find_by_slug(&*conn, slug.clone(), blog.id).is_some() {
Redirect::to(uri!(new: blog = blog_name))
if !user.is_author_in(&*conn, blog.clone()) {
Redirect::to(uri!(super::blogs::details: name = blog_name))
} else {
let content = markdown_to_html(form.content.to_string().as_ref(), &ComrakOptions{
smart: true,
safe: true,
ext_strikethrough: true,
ext_tagfilter: true,
ext_table: true,
ext_autolink: true,
ext_tasklist: true,
ext_superscript: true,
ext_header_ids: Some("title".to_string()),
ext_footnotes: true,
..ComrakOptions::default()
});
if slug == "new" || Post::find_by_slug(&*conn, slug.clone(), blog.id).is_some() {
Redirect::to(uri!(new: blog = blog_name))
} else {
let content = markdown_to_html(form.content.to_string().as_ref(), &ComrakOptions{
smart: true,
safe: true,
ext_strikethrough: true,
ext_tagfilter: true,
ext_table: true,
ext_autolink: true,
ext_tasklist: true,
ext_superscript: true,
ext_header_ids: Some("title".to_string()),
ext_footnotes: true,
..ComrakOptions::default()
});
let post = Post::insert(&*conn, NewPost {
blog_id: blog.id,
slug: slug.to_string(),
title: form.title.to_string(),
content: SafeString::new(&content),
published: true,
license: form.license.to_string(),
ap_url: "".to_string()
});
post.update_ap_url(&*conn);
PostAuthor::insert(&*conn, NewPostAuthor {
post_id: post.id,
author_id: user.id
});
let post = Post::insert(&*conn, NewPost {
blog_id: blog.id,
slug: slug.to_string(),
title: form.title.to_string(),
content: SafeString::new(&content),
published: true,
license: form.license.to_string(),
ap_url: "".to_string()
});
post.update_ap_url(&*conn);
PostAuthor::insert(&*conn, NewPostAuthor {
post_id: post.id,
author_id: user.id
});
let act = post.create_activity(&*conn);
broadcast(&*conn, &user, act, user.get_followers(&*conn));
let act = post.create_activity(&*conn);
broadcast(&*conn, &user, act, user.get_followers(&*conn));
Redirect::to(uri!(details: blog = blog_name, slug = slug))
Redirect::to(uri!(details: blog = blog_name, slug = slug))
}
}
}
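Review bot: `Blog::find_by_fqn(&*conn, blog.to_string()).unwrap()` in `new` panics whenever the `<blog>` path segment names a blog that does not exist, so a mistyped URL becomes a 500 instead of a 404; return `Option<Template>`, write the lookup as `let b = Blog::find_by_fqn(&*conn, blog.to_string())?;`, and wrap both `Template::render` results in `Some(...)` (Rocket answers a `None` responder with 404). The forbidden branch also serves the `errors/403` template with a 200 status; if `rocket::response::status` is in scope, `status::Custom(Status::Forbidden, Template::render(...))` would make the status match the page. The same `is_author_in` check is repeated in `create`, where a non-author is silently redirected to the blog page with no message; a shared helper or a request guard would keep the two handlers from drifting apart. `create`'s signature and the `blog` lookup it relies on are outside the hunk.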


@ -0,0 +1,5 @@
{% extends "errors/base" %}
{% block error %}
<h1>{{ "You are not authorized." | _ }}</h1>
{% endblock error %}
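Review bot: The new `errors/403` template prints the fixed string "You are not authorized." and never reads the `error_message` value that `posts::new` puts in the context, so the more specific "You are not author in this blog." text (which the .po files were updated for) is only shown if `errors/base` renders that variable — worth confirming. If it does not, a `<p>{{ error_message }}</p>` under the heading would surface the message the handler chose; whether the `_` filter can translate a variable rather than a literal depends on how message extraction is configured.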