Perform additional checks when uploading images

LittleBigRefresh · Mar 25, 2024 · 3a85728 · 3a85728
1 parent 0df0ecf
commit 3a85728
Show file tree

Hide file tree

Showing 3 changed files with 11 additions and 5 deletions.
diff --git a/Refresh.GameServer/Configuration/GameServerConfig.cs b/Refresh.GameServer/Configuration/GameServerConfig.cs
@@ -27,8 +27,4 @@ protected override void Migrate(int oldVer, dynamic oldConfig) {}
     public string WebExternalUrl { get; set; } = "https://refresh.example.com";
     public bool AllowInvalidTextureGuids { get; set; } = false;
     public bool BlockAssetUploads { get; set; } = false;
-    /// <summary>
-    /// The amount of data the user is allowed to upload before all resource uploads get blocked, defaults to 100mb.
-    /// </summary>
-    public int UserFilesizeQuota { get; set; } = 100 * 1_048_576;
 }
diff --git a/Refresh.GameServer/Endpoints/ApiV3/ApiTypes/Errors/ApiAuthenticationError.cs b/Refresh.GameServer/Endpoints/ApiV3/ApiTypes/Errors/ApiAuthenticationError.cs
@@ -6,6 +6,9 @@ public class ApiAuthenticationError : ApiError
     public const string NoPermissionsForObjectWhen = "You do not lack the permissions to manage or view this resource.";
     public static readonly ApiAuthenticationError NoPermissionsForObject = new(NoPermissionsForObjectWhen);
 
+    public const string NoPermissionsForCreationWhen = "You do not lack the permissions to create this type of resource.";
+    public static readonly ApiAuthenticationError NoPermissionsForCreation = new(NoPermissionsForCreationWhen);
+
     public bool Warning { get; init; }
 
     public ApiAuthenticationError(string message, bool warning = false) : base(message, Forbidden)

diff --git a/Refresh.GameServer/Endpoints/ApiV3/ResourceApiEndpoints.cs b/Refresh.GameServer/Endpoints/ApiV3/ResourceApiEndpoints.cs
@@ -6,12 +6,14 @@
 using Bunkum.Listener.Protocol;
 using Bunkum.Protocols.Http;
 using Refresh.GameServer.Authentication;
+using Refresh.GameServer.Configuration;
 using Refresh.GameServer.Database;
 using Refresh.GameServer.Endpoints.ApiV3.ApiTypes;
 using Refresh.GameServer.Endpoints.ApiV3.ApiTypes.Errors;
 using Refresh.GameServer.Endpoints.ApiV3.DataTypes.Response;
 using Refresh.GameServer.Importing;
 using Refresh.GameServer.Types.Assets;
+using Refresh.GameServer.Types.Roles;
 using Refresh.GameServer.Types.UserData;
 using Refresh.GameServer.Verification;
 
@@ -136,10 +138,15 @@ public ApiResponse<ApiGameAssetResponse> GetPspAssetInfo(RequestContext context,
     [DocError(typeof(ApiValidationError), ApiValidationError.BodyTooLongErrorWhen)]
     [DocError(typeof(ApiValidationError), ApiValidationError.CannotReadAssetErrorWhen)]
     [DocError(typeof(ApiValidationError), ApiValidationError.BodyMustBeImageErrorWhen)]
-    public ApiResponse<ApiGameAssetResponse> UploadImageAsset(RequestContext context, GameDatabaseContext database, IDataStore dataStore, AssetImporter importer,
+    [DocError(typeof(ApiAuthenticationError), ApiAuthenticationError.NoPermissionsForCreationWhen)]
+    public ApiResponse<ApiGameAssetResponse> UploadImageAsset(RequestContext context, GameDatabaseContext database, IDataStore dataStore, AssetImporter importer, GameServerConfig config,
         [DocSummary("The SHA1 hash of the asset")] string hash,
         byte[] body, GameUser user)
     {
+        //If we block asset uploads, return unauthorized, unless the user is an admin
+        if (config.BlockAssetUploads && user.Role != GameUserRole.Admin)
+            return ApiAuthenticationError.NoPermissionsForCreation;
+
         if (!CommonPatterns.Sha1Regex().IsMatch(hash)) return ApiValidationError.HashInvalidError;
 
         if (dataStore.ExistsInStore(hash))