Disallow interaction with medias owned by others (#410)

Notably prevent media deletion by other users
This commit is contained in:
fdb-hiroshima 2019-01-05 22:09:57 +01:00 committed by GitHub
parent c502ae73f6
commit 7c8599b0a2
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -3,7 +3,7 @@ use multipart::server::{Multipart, save::{SavedData, SaveResult}};
use rocket::{Data, http::ContentType, response::{Redirect, status}};
use rocket_i18n::I18n;
use std::fs;
use plume_models::{db_conn::DbConn, medias::*, users::User};
use plume_models::{Error, db_conn::DbConn, medias::*, users::User};
use template_utils::Ructe;
use routes::errors::ErrorPage;
@ -83,22 +83,30 @@ fn read(data: &SavedData) -> Result<String, status::BadRequest<&'static str>> {
#[get("/medias/<id>")]
pub fn details(id: i32, user: User, conn: DbConn, intl: I18n) -> Result<Ructe, ErrorPage> {
let media = Media::get(&*conn, id)?;
Ok(render!(medias::details(
&(&*conn, &intl.catalog, Some(user)),
media
)))
if media.owner_id == user.id {
Ok(render!(medias::details(
&(&*conn, &intl.catalog, Some(user)),
media
)))
} else {
Err(Error::Unauthorized.into())
}
}
#[post("/medias/<id>/delete")]
pub fn delete(id: i32, _user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
pub fn delete(id: i32, user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
let media = Media::get(&*conn, id)?;
media.delete(&*conn)?;
if media.owner_id == user.id {
media.delete(&*conn)?;
}
Ok(Redirect::to(uri!(list)))
}
#[post("/medias/<id>/avatar")]
pub fn set_avatar(id: i32, user: User, conn: DbConn) -> Result<Redirect, ErrorPage> {
let media = Media::get(&*conn, id)?;
user.set_avatar(&*conn, media.id)?;
if media.owner_id == user.id {
user.set_avatar(&*conn, media.id)?;
}
Ok(Redirect::to(uri!(details: id = id)))
}