Disallow interaction with medias owned by others (#410)
Notably prevent media deletion by other users
This commit is contained in:
parent
c502ae73f6
commit
7c8599b0a2
@ -3,7 +3,7 @@ use multipart::server::{Multipart, save::{SavedData, SaveResult}};
|
|||||||
use rocket::{Data, http::ContentType, response::{Redirect, status}};
|
use rocket::{Data, http::ContentType, response::{Redirect, status}};
|
||||||
use rocket_i18n::I18n;
|
use rocket_i18n::I18n;
|
||||||
use std::fs;
|
use std::fs;
|
||||||
use plume_models::{db_conn::DbConn, medias::*, users::User};
|
use plume_models::{Error, db_conn::DbConn, medias::*, users::User};
|
||||||
use template_utils::Ructe;
|
use template_utils::Ructe;
|
||||||
use routes::errors::ErrorPage;
|
use routes::errors::ErrorPage;
|
||||||
|
|
||||||
@ -83,22 +83,30 @@ fn read(data: &SavedData) -> Result<String, status::BadRequest<&'static str>> {
|
|||||||
#[get("/medias/<id>")]
|
#[get("/medias/<id>")]
|
||||||
pub fn details(id: i32, user: User, conn: DbConn, intl: I18n) -> Result<Ructe, ErrorPage> {
|
pub fn details(id: i32, user: User, conn: DbConn, intl: I18n) -> Result<Ructe, ErrorPage> {
|
||||||
let media = Media::get(&*conn, id)?;
|
let media = Media::get(&*conn, id)?;
|
||||||
|
if media.owner_id == user.id {
|
||||||
Ok(render!(medias::details(
|
Ok(render!(medias::details(
|
||||||
&(&*conn, &intl.catalog, Some(user)),
|
&(&*conn, &intl.catalog, Some(user)),
|
||||||
media
|
media
|
||||||
)))
|
)))
|
||||||
|
} else {
|
||||||
|
Err(Error::Unauthorized.into())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
#[post("/medias/<id>/delete")]
|
#[post("/medias/<id>/delete")]
|
||||||
pub fn delete(id: i32, _user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
|
pub fn delete(id: i32, user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
|
||||||
let media = Media::get(&*conn, id)?;
|
let media = Media::get(&*conn, id)?;
|
||||||
|
if media.owner_id == user.id {
|
||||||
media.delete(&*conn)?;
|
media.delete(&*conn)?;
|
||||||
|
}
|
||||||
Ok(Redirect::to(uri!(list)))
|
Ok(Redirect::to(uri!(list)))
|
||||||
}
|
}
|
||||||
|
|
||||||
#[post("/medias/<id>/avatar")]
|
#[post("/medias/<id>/avatar")]
|
||||||
pub fn set_avatar(id: i32, user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
|
pub fn set_avatar(id: i32, user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
|
||||||
let media = Media::get(&*conn, id)?;
|
let media = Media::get(&*conn, id)?;
|
||||||
|
if media.owner_id == user.id {
|
||||||
user.set_avatar(&*conn, media.id)?;
|
user.set_avatar(&*conn, media.id)?;
|
||||||
|
}
|
||||||
Ok(Redirect::to(uri!(details: id = id)))
|
Ok(Redirect::to(uri!(details: id = id)))
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user