From 7c8599b0a2a25485b5f2194576afe7b8b29f8a00 Mon Sep 17 00:00:00 2001
From: fdb-hiroshima <35889323+fdb-hiroshima@users.noreply.github.com>
Date: Sat, 5 Jan 2019 22:09:57 +0100
Subject: [PATCH] Disallow interaction with medias owned by others (#410)
Notably prevent media deletion by other users
---
 src/routes/medias.rs | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/src/routes/medias.rs b/src/routes/medias.rs
index 58441437..224e3b51 100644
--- a/src/routes/medias.rs
+++ b/src/routes/medias.rs
@@ -3,7 +3,7 @@ use multipart::server::{Multipart, save::{SavedData, SaveResult}};
 use rocket::{Data, http::ContentType, response::{Redirect, status}};
 use rocket_i18n::I18n;
 use std::fs;
-use plume_models::{db_conn::DbConn, medias::*, users::User};
+use plume_models::{Error, db_conn::DbConn, medias::*, users::User};
 use template_utils::Ructe;
 use routes::errors::ErrorPage;
@@ -83,22 +83,30 @@ fn read(data: &SavedData) -> Result> {
 #[get("/medias/")]
 pub fn details(id: i32, user: User, conn: DbConn, intl: I18n) -> Result {
 let media = Media::get(&*conn, id)?;
- Ok(render!(medias::details(
- &(&*conn, &intl.catalog, Some(user)),
- media
- )))
+ if media.owner_id == user.id {
+ Ok(render!(medias::details(
+ &(&*conn, &intl.catalog, Some(user)),
+ media
+ )))
+ } else {
+ Err(Error::Unauthorized.into())
+ }
 }
 #[post("/medias//delete")]
-pub fn delete(id: i32, _user: User, conn: DbConn) -> Result {
+pub fn delete(id: i32, user: User, conn: DbConn) -> Result {
 let media = Media::get(&*conn, id)?;
- media.delete(&*conn)?;
+ if media.owner_id == user.id {
+ media.delete(&*conn)?;
+ }
 Ok(Redirect::to(uri!(list)))
 }
 #[post("/medias//avatar")]
 pub fn set_avatar(id: i32, user: User, conn: DbConn) -> Result {
 let media = Media::get(&*conn, id)?;
- user.set_avatar(&*conn, media.id)?;
+ if media.owner_id == user.id {
+ user.set_avatar(&*conn, media.id)?;
+ }
 Ok(Redirect::to(uri!(details: id = id)))
 }
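Review bot: In `delete` and `set_avatar` a non-owner request falls through the new `if media.owner_id == user.id` guard and still receives the success redirect, while `details` rejects the same condition with `Error::Unauthorized`, so a denied attempt is indistinguishable from a successful one and never reaches the error path where it could be logged. Adding `else { return Err(Error::Unauthorized.into()); }` to both guards would make the three handlers consistent, assuming their return types convert from `Error` the way `details` does (the generic parameters are not legible in this hunk). Since the same ownership comparison now appears three times, a small helper or an owner-scoped `Media` lookup would make it harder for a future route to omit the check. Separately, `Media::get(&*conn, id)?` still runs before the comparison, so a missing id and a foreign id probably produce different responses; returning the same not-found error for both would avoid disclosing which media ids exist.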