From 65e819c425bb9eff14fa337f6e3a6d9b749add31 Mon Sep 17 00:00:00 2001
From: Bat
Date: Wed, 20 Jun 2018 09:44:56 +0100
Subject: [PATCH] Make it impossible to write in a blog where you are not author

Fix #62
---
 po/en.po | 6 +++
 po/fr.po | 6 +++
 po/pl.po | 6 +++
 po/plume.pot | 6 +++
 src/models/users.rs | 9 ++--
 src/routes/posts.rs | 85 +++++++++++++++++++---------------
 templates/errors/403.html.tera | 5 ++
 7 files changed, 81 insertions(+), 42 deletions(-)
 create mode 100644 templates/errors/403.html.tera

diff --git a/po/en.po b/po/en.po
index 31d93560..899ae1a8 100644
--- a/po/en.po
+++ b/po/en.po
@@ -274,3 +274,9 @@ msgstr ""
 
 msgid "The link that led you here may be broken."
 msgstr ""
+
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""
diff --git a/po/fr.po b/po/fr.po
index 000b8152..ebf655b2 100644
--- a/po/fr.po
+++ b/po/fr.po
@@ -274,3 +274,9 @@ msgstr ""
 
 msgid "The link that led you here may be broken."
 msgstr ""
+
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""
diff --git a/po/pl.po b/po/pl.po
index 2254305d..f2910acd 100644
--- a/po/pl.po
+++ b/po/pl.po
@@ -279,5 +279,11 @@ msgstr "Nie udało się odnaleźć tej strony."
 msgid "The link that led you here may be broken."
 msgstr "Odnośnik który Cię tu zaprowadził może być uszkodzony."
 
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""
+
 #~ msgid "Logowanie"
 #~ msgstr "Zaloguj się"
diff --git a/po/plume.pot b/po/plume.pot
index 6eaebfb9..0ba8c259 100644
--- a/po/plume.pot
+++ b/po/plume.pot
@@ -269,3 +269,9 @@ msgstr ""
 
 msgid "The link that led you here may be broken."
 msgstr ""
+
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""
diff --git a/src/models/users.rs b/src/models/users.rs
index 5b5b1c10..64b6ddd2 100644
--- a/src/models/users.rs
+++ b/src/models/users.rs
@@ -86,6 +86,10 @@ pub struct NewUser {
 
 impl User {
 insert!(users, NewUser);
+ get!(users);
+ find_by!(users, find_by_email, email as String);
+ find_by!(users, find_by_name, username as String, instance_id as i32);
+
 
 pub fn grant_admin_rights(&self, conn: &PgConnection) {
 diesel::update(self)
@@ -105,8 +109,6 @@ impl User {
 .into_iter().nth(0).unwrap()
 }
 
- get!(users);
-
 pub fn count_local(conn: &PgConnection) -> usize {
 users::table.filter(users::instance_id.eq(Instance::local_id(conn)))
 .load::(conn)
@@ -114,9 +116,6 @@ impl User {
 .len()
 }
 
- find_by!(users, find_by_email, email as String);
- find_by!(users, find_by_name, username as String, instance_id as i32);
-
 pub fn find_local(conn: &PgConnection, username: String) -> Option {
 User::find_by_name(conn, username, Instance::local_id(conn))
 }
diff --git a/src/routes/posts.rs b/src/routes/posts.rs
index 875db015..616160f5 100644
--- a/src/routes/posts.rs
+++ b/src/routes/posts.rs
@@ -55,11 +55,18 @@ fn new_auth(blog: String) -> Flash {
 }
 
 #[get("/~//new", rank = 1)]
-#[allow(unused_variables)]
-fn new(blog: String, user: User) -> Template {
- Template::render("posts/new", json!({
- "account": user
- }))
+fn new(blog: String, user: User, conn: DbConn) -> Template {
+ let b = Blog::find_by_fqn(&*conn, blog.to_string()).unwrap();
+
+ if !user.is_author_in(&*conn, b.clone()) {
+ Template::render("errors/403", json!({
+ "error_message": "You are not author in this blog."
+ }))
+ } else {
+ Template::render("posts/new", json!({
+ "account": user
+ }))
+ }
 }
 
 #[derive(FromForm)]
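Review bot: `Blog::find_by_fqn(&*conn, blog.to_string()).unwrap()` in the rewritten `new` handler panics when the `blog` path segment names no blog, so a logged-in user requesting the new-post page of a missing blog gets a 500 from a panicking handler instead of a 404. Returning `Option<Template>` lets Rocket map a missing blog to 404 with two changed lines, `fn new(blog: String, user: User, conn: DbConn) -> Option<Template> {` and `let b = Blog::find_by_fqn(&*conn, blog.to_string())?;`, plus wrapping the two `Template::render(..)` results in `Some(..)`. Separately, as far as visible the refusal is sent through `Template::render` alone, which responds with status 200; unless the errors/403 page is given a status elsewhere, returning it as `status::Custom(Status::Forbidden, Template::render(..))` would make the denial visible to clients that read the status rather than the body. The path attribute reads `/~//new` in this copy, which looks like the `<blog>` segment was lost in extraction rather than in the patch.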
@@ -75,41 +82,45 @@ fn create(blog_name: String, data: Form, user: User, conn: DbConn)
 let form = data.get();
 let slug = form.title.to_string().to_kebab_case();
 
- if slug == "new" || Post::find_by_slug(&*conn, slug.clone(), blog.id).is_some() {
- Redirect::to(uri!(new: blog = blog_name))
+ if !user.is_author_in(&*conn, blog.clone()) {
+ Redirect::to(uri!(super::blogs::details: name = blog_name))
 } else {
- let content = markdown_to_html(form.content.to_string().as_ref(), &ComrakOptions{
- smart: true,
- safe: true,
- ext_strikethrough: true,
- ext_tagfilter: true,
- ext_table: true,
- ext_autolink: true,
- ext_tasklist: true,
- ext_superscript: true,
- ext_header_ids: Some("title".to_string()),
- ext_footnotes: true,
- ..ComrakOptions::default()
- });
+ if slug == "new" || Post::find_by_slug(&*conn, slug.clone(), blog.id).is_some() {
+ Redirect::to(uri!(new: blog = blog_name))
+ } else {
+ let content = markdown_to_html(form.content.to_string().as_ref(), &ComrakOptions{
+ smart: true,
+ safe: true,
+ ext_strikethrough: true,
+ ext_tagfilter: true,
+ ext_table: true,
+ ext_autolink: true,
+ ext_tasklist: true,
+ ext_superscript: true,
+ ext_header_ids: Some("title".to_string()),
+ ext_footnotes: true,
+ ..ComrakOptions::default()
+ });
 
- let post = Post::insert(&*conn, NewPost {
- blog_id: blog.id,
- slug: slug.to_string(),
- title: form.title.to_string(),
- content: SafeString::new(&content),
- published: true,
- license: form.license.to_string(),
- ap_url: "".to_string()
- });
- post.update_ap_url(&*conn);
- PostAuthor::insert(&*conn, NewPostAuthor {
- post_id: post.id,
- author_id: user.id
- });
+ let post = Post::insert(&*conn, NewPost {
+ blog_id: blog.id,
+ slug: slug.to_string(),
+ title: form.title.to_string(),
+ content: SafeString::new(&content),
+ published: true,
+ license: form.license.to_string(),
+ ap_url: "".to_string()
+ });
+ post.update_ap_url(&*conn);
+ PostAuthor::insert(&*conn, NewPostAuthor {
+ post_id: post.id,
+ author_id: user.id
+ });
 
- let act = post.create_activity(&*conn);
- broadcast(&*conn, &user, act, user.get_followers(&*conn));
+ let act = post.create_activity(&*conn);
+ broadcast(&*conn, &user, act, user.get_followers(&*conn));
 
- Redirect::to(uri!(details: blog = blog_name, slug = slug))
+ Redirect::to(uri!(details: blog = blog_name, slug = slug))
+ }
 }
 }
diff --git a/templates/errors/403.html.tera b/templates/errors/403.html.tera
new file mode 100644
index 00000000..82bae8eb
--- /dev/null
+++ b/templates/errors/403.html.tera
@@ -0,0 +1,5 @@
+{% extends "errors/base" %}
+
+{% block error %}
+
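Review bot: The authorization check in `create` is added as an outer `if/else` that re-indents the whole post-creation body, which is what turns a two-line guard into a 68-line hunk and buries the authorized path one level deeper. An early return keeps the check at the top and leaves the rest of the function untouched: `if !user.is_author_in(&*conn, blog.clone()) {` / `    return Redirect::to(uri!(super::blogs::details: name = blog_name));` / `}`. On the denied path the user is sent to the blog page with no indication of why; the sibling `new_auth` route in the previous hunk returns a `Flash`, and widening this handler to `Flash<Redirect>` with `Flash::error(Redirect::to(..), "You are not author in this blog.")` would give the same feedback, though that is a larger change than this note shows. `blog` is looked up before this hunk and the function signature is only visible in the hunk header, so the rest of `create` is outside what is shown; if `is_author_in` only needs the blog id, passing `&blog` or `blog.id` would also drop the clone of the whole row, but its signature is not in view.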

{{ "You are not authorized." | _ }}

+{% endblock error %}
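Review bot: The `new` handler passes `"error_message": "You are not author in this blog."` into this template, and the same string was added to the .po catalogs, but the only text visible in the `error` block is the fixed `{{ "You are not authorized." | _ }}`, so the specific reason appears never to be rendered unless `errors/base` prints `error_message` itself (that template is not part of the patch). If it does not, adding `{{ error_message | _ }}` inside the block, or dropping the unused context value from the handler, keeps the message and the template in agreement. The line between the block opening and `{% endblock error %}` is garbled in this copy of the patch, so the markup around the message could not be checked.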