Make it impossible to write in a blog where you are not author

Fix #62

po/en.po

@@ -274,3 +274,9 @@ msgstr ""
 
 msgid "The link that led you here may be broken."
 msgstr ""
+
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""

po/fr.po

@@ -274,3 +274,9 @@ msgstr ""
 
 msgid "The link that led you here may be broken."
 msgstr ""
+
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""

po/pl.po

@@ -279,5 +279,11 @@ msgstr "Nie udało się odnaleźć tej strony."
 msgid "The link that led you here may be broken."
 msgstr "Odnośnik który Cię tu zaprowadził może być uszkodzony."
 
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""
+
 #~ msgid "Logowanie"
 #~ msgstr "Zaloguj się"

po/plume.pot

@@ -269,3 +269,9 @@ msgstr ""
 
 msgid "The link that led you here may be broken."
 msgstr ""
+
+msgid "You are not authorized."
+msgstr ""
+
+msgid "You are not author in this blog."
+msgstr ""

src/models/users.rs

@@ -86,6 +86,10 @@ pub struct NewUser {
 
 impl User {
     insert!(users, NewUser);
+    get!(users);
+    find_by!(users, find_by_email, email as String);
+    find_by!(users, find_by_name, username as String, instance_id as i32);
+
 
     pub fn grant_admin_rights(&self, conn: &PgConnection) {
         diesel::update(self)
@@ -105,8 +109,6 @@ impl User {
             .into_iter().nth(0).unwrap()
     }
 
-    get!(users);
-
     pub fn count_local(conn: &PgConnection) -> usize {
         users::table.filter(users::instance_id.eq(Instance::local_id(conn)))
             .load::<User>(conn)
@@ -114,9 +116,6 @@ impl User {
             .len()
     }
 
-    find_by!(users, find_by_email, email as String);
-    find_by!(users, find_by_name, username as String, instance_id as i32);
-
     pub fn find_local(conn: &PgConnection, username: String) -> Option<User> {
         User::find_by_name(conn, username, Instance::local_id(conn))
     }

src/routes/posts.rs

@@ -55,11 +55,18 @@ fn new_auth(blog: String) -> Flash<Redirect> {
 }
 
 #[get("/~/<blog>/new", rank = 1)]
-#[allow(unused_variables)]
-fn new(blog: String, user: User) -> Template {
-    Template::render("posts/new", json!({
-        "account": user
-    }))
+fn new(blog: String, user: User, conn: DbConn) -> Template {
+    let b = Blog::find_by_fqn(&*conn, blog.to_string()).unwrap();
+
+    if !user.is_author_in(&*conn, b.clone()) {
+        Template::render("errors/403", json!({
+            "error_message": "You are not author in this blog."
+        }))
+    } else {
+        Template::render("posts/new", json!({
+            "account": user
+        }))
+    }
 }
 
 #[derive(FromForm)]
@@ -75,41 +82,45 @@ fn create(blog_name: String, data: Form<NewPostForm>, user: User, conn: DbConn)
     let form = data.get();
     let slug = form.title.to_string().to_kebab_case();
 
-    if slug == "new" || Post::find_by_slug(&*conn, slug.clone(), blog.id).is_some() {
-        Redirect::to(uri!(new: blog = blog_name))
+    if !user.is_author_in(&*conn, blog.clone()) {
+        Redirect::to(uri!(super::blogs::details: name = blog_name))
     } else {
-        let content = markdown_to_html(form.content.to_string().as_ref(), &ComrakOptions{
-            smart: true,
-            safe: true,
-            ext_strikethrough: true,
-            ext_tagfilter: true,
-            ext_table: true,
-            ext_autolink: true,
-            ext_tasklist: true,
-            ext_superscript: true,
-            ext_header_ids: Some("title".to_string()),
-            ext_footnotes: true,
-            ..ComrakOptions::default()
-        });
+        if slug == "new" || Post::find_by_slug(&*conn, slug.clone(), blog.id).is_some() {
+            Redirect::to(uri!(new: blog = blog_name))
+        } else {
+            let content = markdown_to_html(form.content.to_string().as_ref(), &ComrakOptions{
+                smart: true,
+                safe: true,
+                ext_strikethrough: true,
+                ext_tagfilter: true,
+                ext_table: true,
+                ext_autolink: true,
+                ext_tasklist: true,
+                ext_superscript: true,
+                ext_header_ids: Some("title".to_string()),
+                ext_footnotes: true,
+                ..ComrakOptions::default()
+            });
 
-        let post = Post::insert(&*conn, NewPost {
-            blog_id: blog.id,
-            slug: slug.to_string(),
-            title: form.title.to_string(),
-            content: SafeString::new(&content),
-            published: true,
-            license: form.license.to_string(),
-            ap_url: "".to_string()
-        });
-        post.update_ap_url(&*conn);
-        PostAuthor::insert(&*conn, NewPostAuthor {
-            post_id: post.id,
-            author_id: user.id
-        });
+            let post = Post::insert(&*conn, NewPost {
+                blog_id: blog.id,
+                slug: slug.to_string(),
+                title: form.title.to_string(),
+                content: SafeString::new(&content),
+                published: true,
+                license: form.license.to_string(),
+                ap_url: "".to_string()
+            });
+            post.update_ap_url(&*conn);
+            PostAuthor::insert(&*conn, NewPostAuthor {
+                post_id: post.id,
+                author_id: user.id
+            });
 
-        let act = post.create_activity(&*conn);
-        broadcast(&*conn, &user, act, user.get_followers(&*conn));
+            let act = post.create_activity(&*conn);
+            broadcast(&*conn, &user, act, user.get_followers(&*conn));
 
-        Redirect::to(uri!(details: blog = blog_name, slug = slug))
+            Redirect::to(uri!(details: blog = blog_name, slug = slug))
+        }
     }
 }

templates/errors/403.html.tera

@@ -0,0 +1,5 @@
+{% extends "errors/base" %}
+
+{% block error %}
+    <h1>{{ "You are not authorized." | _ }}</h1>
+{% endblock error %}