From 06c66229fc517f1d0ac1aa6ab95b04c8420fdcf9 Mon Sep 17 00:00:00 2001
From: zijiren233
Date: Thu, 18 Apr 2024 17:38:41 +0800
Subject: [PATCH] Fix: admin api disable on guess user

---
 internal/db/user.go | 15 ++++++---
 internal/op/room.go | 26 +++++++++++-----
 internal/op/user.go | 67 +++++++++++++++++++++++++++++++++-------
 internal/op/users.go | 9 +++++-
 server/handlers/admin.go | 6 ++--
 server/handlers/root.go | 5 ++-
 6 files changed, 97 insertions(+), 31 deletions(-)

diff --git a/internal/db/user.go b/internal/db/user.go
index da16bf7..2c82d88 100644
--- a/internal/db/user.go
+++ b/internal/db/user.go
@@ -386,13 +386,18 @@ func GetRoots() []*model.User {
  return users
 }
 
-func SetRole(u *model.User, role model.Role) error {
- u.Role = role
- return SaveUser(u)
+func SetAdminRoleByID(userID string) error {
+ err := db.Model(&model.User{}).Where("id = ?", userID).Update("role", model.RoleAdmin).Error
+ return HandleNotFound(err, "user")
+}
+
+func SetRootRoleByID(userID string) error {
+ err := db.Model(&model.User{}).Where("id = ?", userID).Update("role", model.RoleRoot).Error
+ return HandleNotFound(err, "user")
 }
 
-func SetRoleByID(userID string, role model.Role) error {
- err := db.Model(&model.User{}).Where("id = ?", userID).Update("role", role).Error
+func SetUserRoleByID(userID string) error {
+ err := db.Model(&model.User{}).Where("id = ?", userID).Update("role", model.RoleUser).Error
  return HandleNotFound(err, "user")
 }
 
diff --git a/internal/op/room.go b/internal/op/room.go
index 8389187..3204031 100644
--- a/internal/op/room.go
+++ b/internal/op/room.go
@@ -156,7 +156,7 @@ func (r *Room) HasPermission(userID string, permission model.RoomMemberPermissio
 }
 
 func (r *Room) HasAdminPermission(userID string, permission model.RoomAdminPermission) bool {
- if r.CreatorID == userID {
+ if r.IsCreator(userID) {
  return true
  }
 
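Review bot: SetAdminRoleByID, SetRootRoleByID and SetUserRoleByID report success for a userID that matches no row, because an `Update` whose WHERE clause matches nothing returns a nil `.Error` (assuming `db` is a gorm handle, which the call chain suggests) and `HandleNotFound` only ever sees that nil; checking `RowsAffected` on the returned `*gorm.DB` closes the gap. The three bodies also differ only in the role constant, so the statement belongs in one unexported helper that the exported wrappers call — unexported so callers outside the package still cannot choose an arbitrary role, which appears to be why SetRoleByID was split. Use whichever not-found error `HandleNotFound` already maps for a missing user; `gorm.ErrRecordNotFound` below is the usual choice but I cannot see that helper here.
```go
// setRoleByID writes role for exactly one user. It is unexported so the
// fixed-role wrappers below are the only way to pick the value.
func setRoleByID(userID string, role model.Role) error {
	res := db.Model(&model.User{}).Where("id = ?", userID).Update("role", role)
	if res.Error != nil {
		return HandleNotFound(res.Error, "user")
	}
	if res.RowsAffected == 0 {
		// no row matched: surface the same not-found error a lookup would
		return HandleNotFound(gorm.ErrRecordNotFound, "user")
	}
	return nil
}

func SetAdminRoleByID(userID string) error { return setRoleByID(userID, model.RoleAdmin) }
// … unchanged shape: SetRootRoleByID and SetUserRoleByID delegate the same way …
```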
@@ -467,30 +467,33 @@ func (r *Room) ResetMemberPermissions(userID string) error {
 }
 
 func (r *Room) SetMemberPermissions(userID string, permissions model.RoomMemberPermission) error {
- if r.IsGuest(userID) {
- return errors.New("cannot set guest permissions")
+ if r.IsCreator(userID) {
+ return errors.New("you are creator, cannot set permissions")
  }
  defer r.members.Delete(userID)
  return db.SetMemberPermissions(r.ID, userID, permissions)
 }
 
 func (r *Room) AddMemberPermissions(userID string, permissions model.RoomMemberPermission) error {
- if r.IsGuest(userID) {
- return errors.New("cannot add guest permissions")
+ if r.IsCreator(userID) {
+ return errors.New("you are creator, cannot add permissions")
  }
  defer r.members.Delete(userID)
  return db.AddMemberPermissions(r.ID, userID, permissions)
 }
 
 func (r *Room) RemoveMemberPermissions(userID string, permissions model.RoomMemberPermission) error {
- if r.IsGuest(userID) {
- return errors.New("cannot remove guest permissions")
+ if r.IsCreator(userID) {
+ return errors.New("you are creator, cannot remove permissions")
  }
  defer r.members.Delete(userID)
  return db.RemoveMemberPermissions(r.ID, userID, permissions)
 }
 
 func (r *Room) ApprovePendingMember(userID string) error {
+ if r.IsCreator(userID) {
+ return errors.New("you are creator, cannot approve")
+ }
  defer r.members.Delete(userID)
  return db.RoomApprovePendingMember(r.ID, userID)
 }
@@ -519,6 +522,9 @@ func (r *Room) ResetAdminPermissions(userID string) error {
 }
 
 func (r *Room) SetAdminPermissions(userID string, permissions model.RoomAdminPermission) error {
+ if r.IsGuest(userID) {
+ return errors.New("cannot set admin permissions to guest")
+ }
  if member, err := r.LoadRoomMember(userID); err != nil {
  return err
  } else if !member.Role.IsAdmin() {
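Review bot: The `r.IsGuest(userID)` guard is dropped from SetMemberPermissions, AddMemberPermissions and RemoveMemberPermissions and replaced by a creator check, so a guest's member permissions become settable where they were rejected before; the commit message only says admin APIs are disabled for guests, so it is not clear whether this widening is intended. If it is (the admin-level guards added in the following hunks suggest the split is deliberate), record the decision where the next reader will look, e.g. above SetMemberPermissions: `// Guests may hold member permissions; only admin permissions are withheld from them (see SetAdminPermissions).`. If it is not, the original guest guard should stay alongside the new creator check.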
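Review bot: The new guest guard in SetAdminPermissions is repeated verbatim in AddAdminPermissions and RemoveAdminPermissions in the next two hunks, and in each case it is followed by the same `r.LoadRoomMember` call and `member.Role.IsAdmin()` check; the bodies run past the hunk so I cannot see how they finish, but a single unexported helper that performs the guest check, the load and the admin check and returns the loaded member would keep the three from drifting, e.g. `member, err := r.loadAdminMember(userID)` at the top of each setter. Placing the guest check before the database load, as the hunk does, is the right order and should be kept in the helper.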
@@ -529,6 +535,9 @@ func (r *Room) SetAdminPermissions(userID string, permissions model.RoomAdminPer
 }
 
 func (r *Room) AddAdminPermissions(userID string, permissions model.RoomAdminPermission) error {
+ if r.IsGuest(userID) {
+ return errors.New("cannot add admin permissions to guest")
+ }
  if member, err := r.LoadRoomMember(userID); err != nil {
  return err
  } else if !member.Role.IsAdmin() {
@@ -539,6 +548,9 @@ func (r *Room) AddAdminPermissions(userID string, permissions model.RoomAdminPer
 }
 
 func (r *Room) RemoveAdminPermissions(userID string, permissions model.RoomAdminPermission) error {
+ if r.IsGuest(userID) {
+ return errors.New("cannot remove admin permissions from guest")
+ }
  if member, err := r.LoadRoomMember(userID); err != nil {
  return err
  } else if !member.Role.IsAdmin() {
diff --git a/internal/op/user.go b/internal/op/user.go
index f6a7470..a5014f0 100644
--- a/internal/op/user.go
+++ b/internal/op/user.go
@@ -66,6 +66,9 @@ func (u *User) CheckVersion(version uint32) bool {
 }
 
 func (u *User) SetPassword(password string) error {
+ if u.IsGuest() {
+ return errors.New("guest cannot set password")
+ }
  if u.CheckPassword(password) {
  return errors.New("password is the same")
  }
@@ -79,9 +82,6 @@ func (u *User) SetPassword(password string) error {
 }
 
 func (u *User) CreateRoom(name, password string, conf ...db.CreateRoomConfig) (*RoomEntry, error) {
- if u.IsBanned() {
- return nil, errors.New("user banned")
- }
  if u.IsAdmin() {
  conf = append(conf, db.WithStatus(model.RoomStatusActive))
  } else {
@@ -208,6 +208,9 @@ func (u *User) HasRoomAdminPermission(room *Room, permission model.RoomAdminPerm
  if u.IsAdmin() {
  return true
  }
+ if u.IsGuest() {
+ return false
+ }
  return room.HasAdminPermission(u.ID, permission)
 }
 
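Review bot: The `u.IsBanned()` check is removed from CreateRoom and nothing else in this diff re-establishes it, so a banned user can create a room unless the ban is already enforced upstream (for example by auth middleware that rejects banned sessions, which I cannot see from here). The commit message is about guests, so this reads as an unrelated behavior change; either state the reason in the description or restore the guard as `if u.IsBanned() { return nil, errors.New("user banned") }` ahead of the `u.IsAdmin()` branch. The remainder of CreateRoom lies outside the hunk.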
@@ -236,11 +239,55 @@ func (u *User) SetRoomPassword(room *Room, password string) error {
  return room.SetPassword(password)
 }
 
-func (u *User) SetRole(role model.Role) error {
- if err := db.SetRoleByID(u.ID, role); err != nil {
+func (u *User) SetUserRole() error {
+ if u.IsGuest() {
+ return errors.New("cannot set guest role")
+ }
+ if err := db.SetUserRoleByID(u.ID); err != nil {
+ return err
+ }
+ u.Role = model.RoleUser
+ return nil
+}
+
+func (u *User) SetAdminRole() error {
+ if u.IsGuest() {
+ return errors.New("guest cannot be admin")
+ }
+ if err := db.SetAdminRoleByID(u.ID); err != nil {
+ return err
+ }
+ u.Role = model.RoleAdmin
+ return nil
+}
+
+func (u *User) SetRootRole() error {
+ if u.IsGuest() {
+ return errors.New("guest cannot be root")
+ }
+ if err := db.SetRootRoleByID(u.ID); err != nil {
+ return err
+ }
+ u.Role = model.RoleRoot
+ return nil
+}
+
+func (u *User) Ban() error {
+ if u.IsGuest() {
+ return errors.New("guest cannot be banned")
+ }
+ if err := db.BanUserByID(u.ID); err != nil {
+ return err
+ }
+ u.Role = model.RoleBanned
+ return nil
+}
+
+func (u *User) Unban() error {
+ if err := db.UnbanUserByID(u.ID); err != nil {
  return err
  }
- u.Role = role
+ u.Role = model.RoleUser
  return nil
 }
 
@@ -253,14 +300,10 @@ func (u *User) SetUsername(username string) error {
 }
 
 func (u *User) UpdateRoomMovie(room *Room, movieID string, movie *model.BaseMovie) error {
- m, err := room.GetMovieByID(movieID)
- if err != nil {
- return err
- }
- if m.Movie.CreatorID != u.ID && !u.HasRoomPermission(room, model.PermissionEditMovie) {
+ if !u.HasRoomPermission(room, model.PermissionEditMovie) {
  return model.ErrNoPermission
  }
- err = room.UpdateMovie(movieID, movie)
+ err := room.UpdateMovie(movieID, movie)
  if err != nil {
  return err
  }
diff --git a/internal/op/users.go b/internal/op/users.go
index e593437..3c623bd 100644
--- a/internal/op/users.go
+++ b/internal/op/users.go
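Review bot: Unban is the only one of the five new role mutators without a `u.IsGuest()` guard, so calling it on the guest account runs `db.UnbanUserByID` and then overwrites the cached role with `model.RoleUser`, which is exactly the state the other four refuse to produce; add `if u.IsGuest() { return errors.New("guest cannot be unbanned") }` at the top for symmetry with Ban. Unban also restores `model.RoleUser` unconditionally, so an admin who was banned comes back as a plain user — Ban already discards the previous role, so this is consistent, but a one-line doc comment on Unban saying so would prevent a later "fix". The five bodies differ only in guard message, db call and final role, so the guard-write-assign shape could live in one unexported helper.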
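Review bot: Dropping the `m.Movie.CreatorID != u.ID` branch means a member who added a movie but lacks `model.PermissionEditMovie` can no longer edit it, and the not-found error from `room.GetMovieByID` is no longer returned ahead of the permission check; neither change is mentioned in the commit message, so it should be confirmed as intended or the creator exemption restored. If permission-only editing is the intent, a doc comment on UpdateRoomMovie stating that `PermissionEditMovie` is required regardless of who added the movie would spare the next reader a git-blame. The function body continues past the hunk.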
@@ -122,7 +122,11 @@ func GetUserByProvider(p provider.OAuth2Provider, pid string) (*UserEntry, error
 }
 
 func CompareAndDeleteUser(user *UserEntry) error {
- err := db.DeleteUserByID(user.Value().ID)
+ id := user.Value().ID
+ if id == db.GuestUserID {
+ return errors.New("cannot delete guest user")
+ }
+ err := db.DeleteUserByID(id)
  if err != nil {
  return err
  }
@@ -130,6 +134,9 @@ func CompareAndDeleteUser(user *UserEntry) error {
 }
 
 func DeleteUserByID(id string) error {
+ if id == db.GuestUserID {
+ return errors.New("cannot delete guest user")
+ }
  err := db.DeleteUserByID(id)
  if err != nil {
  return err
diff --git a/server/handlers/admin.go b/server/handlers/admin.go
index 006bcf1..a58d3af 100644
--- a/server/handlers/admin.go
+++ b/server/handlers/admin.go
@@ -349,7 +349,7 @@ func ApprovePendingUser(ctx *gin.Context) {
  return
  }
 
- err = user.SetRole(dbModel.RoleUser)
+ err = user.SetUserRole()
  if err != nil {
  log.WithError(err).Error("set role by id error")
  ctx.AbortWithStatusJSON(http.StatusInternalServerError, model.NewApiErrorResp(err))
@@ -388,7 +388,7 @@ func BanUser(ctx *gin.Context) {
  return
  }
 
- err = u.Value().SetRole(dbModel.RoleBanned)
+ err = u.Value().Ban()
  if err != nil {
  log.WithError(err).Error("set role error")
  ctx.AbortWithStatusJSON(http.StatusInternalServerError, model.NewApiErrorResp(err))
@@ -421,7 +421,7 @@ func UnBanUser(ctx *gin.Context) {
  return
  }
 
- err = u.Value().SetRole(dbModel.RoleUser)
+ err = u.Value().Unban()
  if err != nil {
  log.WithError(err).Error("set role error")
  ctx.AbortWithStatusJSON(http.StatusInternalServerError, model.NewApiErrorResp(err))
diff --git a/server/handlers/root.go b/server/handlers/root.go
index a47d902..d325b54 100644
--- a/server/handlers/root.go
+++ b/server/handlers/root.go
@@ -5,7 +5,6 @@ import (
  "github.com/gin-gonic/gin"
  "github.com/sirupsen/logrus"
 
- dbModel "github.com/synctv-org/synctv/internal/model"
  "github.com/synctv-org/synctv/internal/op"
  "github.com/synctv-org/synctv/server/model"
 )
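Review bot: The guest-deletion guard and its message are duplicated in CompareAndDeleteUser and again in DeleteUserByID in the next hunk; a package-level `var ErrCannotDeleteGuest = errors.New("cannot delete guest user")` returned from both would let handlers recognise it with `errors.Is` and answer with a client error rather than a generic failure. These two functions identify the guest by `id == db.GuestUserID`, whereas the internal/op/user.go hunks use `u.IsGuest()`; if IsGuest is defined on the role rather than the ID the two notions can diverge, which deserves a one-line comment at the first guard. CompareAndDeleteUser continues beyond the hunk.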
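Review bot: In BanUser and UnBanUser the log text `set role error` is now stale for `Ban()` and `Unban()`, and the guest-rejection errors those methods return (`guest cannot be banned`) are surfaced through `http.StatusInternalServerError` although they are caller mistakes; AddAdmin and DeleteAdmin in server/handlers/root.go have the same shape with `SetAdminRole()`/`SetUserRole()`. Telling the two cases apart needs sentinel errors from the op package, which this diff does not introduce; until then at least refresh the log lines, e.g. `log.WithError(err).Error("ban user error")` and `log.WithError(err).Error("unban user error")`. The handlers continue outside the hunks.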
@@ -38,7 +37,7 @@ func AddAdmin(ctx *gin.Context) {
  return
  }
 
- if err := u.Value().SetRole(dbModel.RoleAdmin); err != nil {
+ if err := u.Value().SetAdminRole(); err != nil {
  log.Errorf("failed to set role: %v", err)
  ctx.AbortWithStatusJSON(http.StatusInternalServerError, model.NewApiErrorResp(err))
  return
@@ -75,7 +74,7 @@ func DeleteAdmin(ctx *gin.Context) {
  return
  }
 
- if err := u.Value().SetRole(dbModel.RoleUser); err != nil {
+ if err := u.Value().SetUserRole(); err != nil {
  log.Errorf("failed to set role: %v", err)
  ctx.AbortWithStatusJSON(http.StatusInternalServerError, model.NewApiErrorResp(err))
  return