Add permissions check
lifegpc committed Feb 7, 2024
1 parent c976813 commit 21c05dd
Showing 16 changed files with 122 additions and 15 deletions.
13 changes: 11 additions & 2 deletions routes/api/config.ts
Expand Up @@ -8,6 +8,7 @@ import {
import { parse_bool } from "../../server/parse_form.ts";
import { return_json } from "../../server/utils.ts";
import { ExitTarget } from "../../signal_handler.ts";
import type { User } from "../../db.ts";

const UNSAFE_TYPE: (keyof ConfigType)[] = [
"base",
Expand All @@ -21,7 +22,11 @@ const UNSAFE_TYPE: (keyof ConfigType)[] = [
const UNSAFE_TYPE2 = UNSAFE_TYPE as string[];

export const handler: Handlers = {
async GET(req, _ctx) {
async GET(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (user && !user.is_admin) {
return new Response("Permission denied", { status: 403 });
}
const u = new URL(req.url);
const current = await parse_bool(u.searchParams.get("current"), false);
if (current) {
Expand Down Expand Up @@ -76,7 +81,11 @@ export const handler: Handlers = {
const cfg = await load_settings(path);
return return_json(cfg.to_json());
},
async POST(req, _ctx) {
async POST(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (user && !user.is_admin) {
return new Response("Permission denied", { status: 403 });
}
const content_type = req.headers.get("Content-Type");
if (content_type === "application/json") {
const d = await req.json();
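Review bot: Both new guards are skipped entirely when `ctx.state.user` is undefined, so an unauthenticated request reaches the config read and the config write unless the middleware that populates `ctx.state.user` already rejects it; that middleware is not in this diff, so this deserves confirming and stating at the guard. If anonymous access is meant to be blocked here the condition should be `if (!user || !user.is_admin)`; if an undefined user is a deliberate "authentication disabled" mode, say so in a comment, e.g. `// user is undefined only when auth is disabled; every signed-in non-admin is rejected`. The plain-text `new Response("Permission denied", { status: 403 })` also differs from the `return_error(403, ...)` JSON shape used by most other handlers in this commit; pick one so API clients can parse denials uniformly. Both the GET and the POST bodies continue outside the shown hunks.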
7 changes: 5 additions & 2 deletions routes/api/eh/image_limit.ts
@@ -1,13 +1,16 @@
import { Handlers } from "$fresh/server.ts";
import { User } from "../../../db.ts";
import { User, UserPermission } from "../../../db.ts";
import { get_task_manager } from "../../../server.ts";
import { EHImageLimit } from "../../../server/eh.ts";
import { return_data, return_error } from "../../../server/utils.ts";

export const handler: Handlers = {
async GET(_req, ctx) {
const user = <User | undefined> ctx.state.user;
if (user && !user.is_admin) {
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.ManageTasks)
) {
return return_error(403, "Permission denied.");
}
const m = get_task_manager();
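Review bot: The three-line `user && !user.is_admin && !(user.permissions & UserPermission.ManageTasks)` condition is copied, with small variations, into more than a dozen handlers in this commit, which makes it easy for one copy to drift (several already differ in message text and response type). A single helper next to `UserPermission` in db.ts, e.g. `export function has_permission(u: User | undefined, p: UserPermission): boolean { return !u || u.is_admin || (u.permissions & p) !== 0; }`, would keep the admin override and the bit test in one place. Note that the `!u` clause in that sketch encodes the current behaviour of letting an undefined user through, which should carry a comment stating whether that is intentional. The handler body continues past the hunk.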
7 changes: 6 additions & 1 deletion routes/api/exit.ts
Expand Up @@ -3,9 +3,14 @@ import { parse_bool } from "../../server/parse_form.ts";
import { get_task_manager } from "../../server.ts";
import { ExitTarget } from "../../signal_handler.ts";
import { AlreadyClosedError } from "../../task_manager.ts";
import type { User } from "../../db.ts";

export const handler: Handlers = {
async POST(req, _ctx) {
async POST(req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin) {
return new Response("Permission denied.", { status: 403 });
}
let force = false;
try {
const form = await req.formData();
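Review bot: The new admin guard does not protect /api/exit from a cross-site form POST: the handler reads `req.formData()`, which is exactly what a hidden HTML form on another origin submits, and token.ts in this same commit shows the session can be carried in a cookie (`is_from_cookie`), so an admin visiting a hostile page could have the server shut down if that cookie is sent cross-site. Either accept only a JSON body that a plain form cannot produce, check the `Origin` header against the configured host, or make sure the auth cookie is issued with `SameSite=Strict`; this is hedged because the cookie attributes are not in this diff. As in the other handlers, `u && !u.is_admin` lets an undefined user through, which for a shutdown endpoint should be a deliberate, commented decision. The POST body continues past the hunk.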
5 changes: 5 additions & 0 deletions routes/api/export/gallery/zip/[gid].ts
Expand Up @@ -3,9 +3,14 @@ import { get_task_manager } from "../../../../../server.ts";
import { get_export_zip_response } from "../../../../../server/export_zip.ts";
import { parse_bool, parse_int } from "../../../../../server/parse_form.ts";
import type { ExportZipConfig } from "../../../../../tasks/export_zip.ts";
import { User, UserPermission } from "../../../../../db.ts";

export const handler: Handlers = {
async GET(req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.ReadGallery)) {
return new Response("Permission denied", { status: 403 });
}
const gid = parseInt(ctx.params.gid);
if (isNaN(gid)) {
return new Response("Bad Request", { status: 400 });
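Review bot: ReadGallery gates an endpoint that, judging by the `get_export_zip_response` and `ExportZipConfig`/tasks imports, appears to build a zip on the server, i.e. a potentially long-running and disk-consuming operation rather than a plain read; worth confirming whether a read-only permission is the intended bar or whether this should also require `UserPermission.ManageTasks` or some throttling. This file answers with a bare `new Response("Permission denied", { status: 403 })` while the JSON routes in the commit use `return_error`, which is reasonable for a download endpoint but deserves a one-line comment saying so. The GET body continues past the hunk.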
8 changes: 8 additions & 0 deletions routes/api/file/[id].ts
Expand Up @@ -9,9 +9,17 @@ import pbkdf2Hmac from "pbkdf2-hmac";
import { encodeBase64 as encode } from "std/encoding/base64.ts";
import { get_host, return_data, return_error } from "../../../server/utils.ts";
import type { EhFileExtend } from "../../../server/files.ts";
import { User, UserPermission } from "../../../db.ts";

export const handler: Handlers = {
async GET(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.ReadGallery)
) {
return return_error(403, "Permission denied.");
}
const u = new URL(req.url);
const data = await parse_bool(u.searchParams.get("data"), false);
const id = parseInt(ctx.params.id);
10 changes: 9 additions & 1 deletion routes/api/file/random.ts
Expand Up @@ -2,9 +2,17 @@ import { Handlers } from "$fresh/server.ts";
import { get_task_manager } from "../../../server.ts";
import { parse_bool } from "../../../server/parse_form.ts";
import { get_host } from "../../../server/utils.ts";
import { User, UserPermission } from "../../../db.ts";

export const handler: Handlers = {
async GET(req, _ctx) {
async GET(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.ReadGallery)
) {
return new Response("Permission denied", { status: 403 });
}
const m = get_task_manager();
const u = new URL(req.url);
const is_nsfw = await parse_bool(u.searchParams.get("is_nsfw"), null);
12 changes: 10 additions & 2 deletions routes/api/file/upload.ts
@@ -1,15 +1,23 @@
import { Handlers } from "$fresh/server.ts";
import type { EhFile } from "../../../db.ts";
import type { EhFile, User } from "../../../db.ts";
import { get_task_manager } from "../../../server.ts";
import { return_data, return_error } from "../../../server/utils.ts";
import { get_string, parse_bool } from "../../../server/parse_form.ts";
import { fb_get_size } from "../../../thumbnail/ffmpeg_binary.ts";
import { sure_dir } from "../../../utils.ts";
import mime from "mime";
import { extname, join, resolve } from "std/path/mod.ts";
import { UserPermission } from "../../../db.ts";

export const handler: Handlers = {
async POST(req, _ctx) {
async POST(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.EditGallery)
) {
return return_error(403, "Permission denied.");
}
const m = get_task_manager();
try {
const form = await req.formData();
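Review bot: The new `import { UserPermission } from "../../../db.ts";` appended at the bottom of the import list duplicates the module already imported near the top as `import type { EhFile, User }`; merge them into `import { UserPermission, type EhFile, type User } from "../../../db.ts";` (or drop the `type` modifiers as the other files in this commit do) so the runtime and type-only imports from db.ts live together. The guard itself is correctly placed before `req.formData()` is awaited, so an unauthorised upload is refused before the multipart body is parsed. The POST body continues past the hunk.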
22 changes: 19 additions & 3 deletions routes/api/filemeta.ts
Expand Up @@ -3,6 +3,7 @@ import type { EhFileMeta } from "../../db.ts";
import { get_task_manager } from "../../server.ts";
import { get_string, parse_bool, parse_int } from "../../server/parse_form.ts";
import { return_data, return_error } from "../../server/utils.ts";
import { User, UserPermission } from "../../db.ts";

export function get_filemeta(token: string) {
const m = get_task_manager();
Expand Down Expand Up @@ -44,13 +45,24 @@ export function put_gallery_filemeta(
}

export const handler: Handlers = {
GET(req, _ctx) {
GET(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.ReadGallery)
) {
return return_error(403, "Permission denied.");
}
const u = new URL(req.url);
const token = u.searchParams.get("token");
if (token) return get_filemeta(token);
return return_error(400, "token is needed.");
},
async POST(req, _ctx) {
async POST(req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.EditGallery)) {
return return_error(403, "Permission denied.");
}
const ct = req.headers.get("Content-Type")?.split(";")[0].trim() || "";
if (ct === "application/json") {
if (!req.body) return_error(1, "Body not found.");
Expand Down Expand Up @@ -198,7 +210,11 @@ export const handler: Handlers = {
}
return return_error(4, "Unknown format.");
},
async PUT(req, _ctx) {
async PUT(req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.EditGallery)) {
return return_error(403, "Permission denied.");
}
const ct = req.headers.get("Content-Type")?.split(";")[0].trim() || "";
if (ct === "application/json") {
if (!req.body) return_error(1, "Body not found.");
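Review bot: The three new guards use two different shapes for the same check (`user` with a multi-line condition in GET, `u` with a one-liner in POST and PUT); pick one so a reader can compare them at a glance. Separately, the context line right after the new POST and PUT guards, `if (!req.body) return_error(1, "Body not found.");`, is missing a `return`, so the error response is built and discarded and the handler continues with an empty body — pre-existing, but this commit is editing the line above it. Also note that `get_filemeta` and `put_gallery_filemeta` are exported and carry no check of their own, so any other route that calls them must repeat this guard. The POST and PUT bodies continue outside the hunks.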
5 changes: 5 additions & 0 deletions routes/api/filemeta/[token].ts
@@ -1,9 +1,14 @@
import { Handlers } from "$fresh/server.ts";
import { return_error } from "../../../server/utils.ts";
import { get_filemeta } from "../filemeta.ts";
import { User, UserPermission } from "../../../db.ts";

export const handler: Handlers = {
GET(_req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.ReadGallery)) {
return return_error(403, "Permission denied.");
}
const token = ctx.params.token;
if (token) return get_filemeta(token);
return return_error(400, "token is needed.");
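Review bot: This route and filemeta.ts now each enforce ReadGallery before calling the shared, exported `get_filemeta`, which itself checks nothing; that contract should be written on the helper so a future caller does not forget it, e.g. `/** Callers must have verified UserPermission.ReadGallery (or admin) before calling. */` above `get_filemeta` in filemeta.ts. The guard here is otherwise consistent with the rest of the commit.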
7 changes: 6 additions & 1 deletion routes/api/files/[token].ts
@@ -1,10 +1,15 @@
import { Handlers } from "$fresh/server.ts";
import { get_task_manager } from "../../../server.ts";
import type { EhFiles } from "../../../server/files.ts";
import { return_data } from "../../../server/utils.ts";
import { return_data, return_error } from "../../../server/utils.ts";
import { User, UserPermission } from "../../../db.ts";

export const handler: Handlers = {
GET(_req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.ReadGallery)) {
return return_error(403, "Permission denied.");
}
const tokens = ctx.params.token.split(",");
const m = get_task_manager();
const data: EhFiles = {};
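Review bot: `return_error(403, "Permission denied.")` only produces an HTTP 403 if return_error maps its first argument onto the response status, and the existing calls `return_error(1, "Body not found.")` and `return_error(4, "Unknown format.")` in filemeta.ts suggest that argument is an application error code rather than a status; if so, a denied request here comes back as a 200 with an error body while config.ts and thumbnail/[id].ts in the same commit answer with a real 403. Worth checking server/utils.ts and, if needed, passing an explicit status so clients and reverse proxies see the denial. The handler body continues past the hunk.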
5 changes: 5 additions & 0 deletions routes/api/gallery/[gid].ts
Expand Up @@ -2,9 +2,14 @@ import { Handlers } from "$fresh/server.ts";
import { get_task_manager } from "../../../server.ts";
import type { GalleryData } from "../../../server/gallery.ts";
import { return_data, return_error } from "../../../server/utils.ts";
import { User, UserPermission } from "../../../db.ts";

export const handler: Handlers = {
GET(_req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.ReadGallery)) {
return return_error(403, "Permission denied.");
}
const gid = parseInt(ctx.params.gid);
if (isNaN(gid)) {
return return_error(400, "Failed to parse gid.");
8 changes: 8 additions & 0 deletions routes/api/gallery/list.ts
Expand Up @@ -2,6 +2,7 @@ import { Handlers } from "$fresh/server.ts";
import { get_task_manager } from "../../../server.ts";
import { parse_bool, parse_int } from "../../../server/parse_form.ts";
import { return_data, return_error } from "../../../server/utils.ts";
import { User, UserPermission } from "../../../db.ts";

const ALLOW_FIELDS = [
"gid",
Expand All @@ -23,6 +24,13 @@ const ALLOW_FIELDS = [

export const handler: Handlers = {
async GET(req, _ctx) {
const user = <User | undefined> _ctx.state.user;
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.ReadGallery)
) {
return return_error(403, "Permission denied.");
}
const u = new URL(req.url);
const t = get_task_manager();
const all = await parse_bool(u.searchParams.get("all"), false);
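Review bot: The new guard reads `_ctx.state.user` while keeping the `_ctx` name, whose leading underscore signals an unused parameter; rename it to `ctx` as the other handlers in this commit do: `async GET(req, ctx) {` and `const user = <User | undefined> ctx.state.user;`. The handler body continues past the hunk.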
7 changes: 6 additions & 1 deletion routes/api/tag/[id].ts
@@ -1,15 +1,20 @@
import { Handlers } from "$fresh/server.ts";
import { get_task_manager } from "../../../server.ts";
import { Tag } from "../../../db.ts";
import { Tag, User, UserPermission } from "../../../db.ts";
import {
gen_data,
gen_error,
JSONResult,
return_data,
return_error,
} from "../../../server/utils.ts";

export const handler: Handlers = {
GET(_req, ctx) {
const u = <User | undefined> ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.ReadGallery)) {
return return_error(403, "Permission denied.");
}
const ids = ctx.params.id.split(",");
const r: Record<string, JSONResult<Tag>> = {};
for (const _id of ids) {
7 changes: 6 additions & 1 deletion routes/api/tag/rows.ts
@@ -1,9 +1,14 @@
import { Handlers } from "$fresh/server.ts";
import { get_task_manager } from "../../../server.ts";
import { return_data } from "../../../server/utils.ts";
import { return_data, return_error } from "../../../server/utils.ts";
import { User, UserPermission } from "../../../db.ts";

export const handler: Handlers = {
GET(_req, _ctx) {
const u = <User | undefined> _ctx.state.user;
if (u && !u.is_admin && !(u.permissions & UserPermission.ReadGallery)) {
return return_error(403, "Permission denied.");
}
const m = get_task_manager();
return return_data(m.db.get_tag_rows());
},
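Review bot: `GET(_req, _ctx)` now reads `_ctx.state.user`, so the underscore no longer reflects an unused parameter; change the signature to `GET(_req, ctx) {` and the guard to `ctx.state.user` as the other routes in this commit do. The guard otherwise mirrors the others.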
8 changes: 8 additions & 0 deletions routes/api/thumbnail/[id].ts
Expand Up @@ -22,11 +22,19 @@ import pbkdf2Hmac from "pbkdf2-hmac";
import { encodeBase64 as encode } from "std/encoding/base64.ts";
import { SortableURLSearchParams } from "../../../server/SortableURLSearchParams.ts";
import type * as FFMPEG_API from "../../../thumbnail/ffmpeg_api.ts";
import { User, UserPermission } from "../../../db.ts";

let ffmpeg_api: typeof FFMPEG_API | undefined;

export const handler: Handlers = {
async GET(req, ctx) {
const user = <User | undefined> ctx.state.user;
if (
user && !user.is_admin &&
!(user.permissions & UserPermission.ReadGallery)
) {
return new Response("Permission denied", { status: 403 });
}
const id = parseInt(ctx.params.id);
if (isNaN(id)) {
return new Response("Bad Request", { status: 400 });
6 changes: 5 additions & 1 deletion routes/api/token.ts
Expand Up @@ -5,7 +5,7 @@ import { return_data, return_error } from "../../server/utils.ts";
import { get_task_manager } from "../../server.ts";
import pbkdf2Hmac from "pbkdf2-hmac";
import isEqual from "lodash/isEqual";
import type { Token } from "../../db.ts";
import type { Token, User } from "../../db.ts";
import { Mutex } from "async/mutex.ts";

const USER_PASSWORD_ERROR = "Incorrect username or password.";
Expand Down Expand Up @@ -58,6 +58,10 @@ export const handler: Handlers = {
const m = get_task_manager();
const token = m.db.get_token(t);
if (!token) return return_error(404, "token not found.");
const user = <User | undefined> ctx.state.user;
if (user && !user.is_admin && token.uid !== user.id) {
return return_error(403, "Permission denied.");
}
m.db.delete_token(t);
const headers: HeadersInit = {};
if (is_from_auth && is_from_cookie) {
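Review bot: The new ownership check runs only after `get_token(t)` has already returned 404 for a missing token, so a non-admin user can tell "exists but belongs to someone else" (403) from "does not exist" (404) and enumerate valid token ids. Return the same 404 for both cases, e.g. `if (!token || (user && !user.is_admin && token.uid !== user.id)) return return_error(404, "token not found.");`. Like the other guards in this commit an undefined `ctx.state.user` passes and can then delete any token; if the middleware guarantees a user on this route, a comment saying so would help. The enclosing handler starts and ends outside the hunk.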
