discours.io/core
5
0
Fork 0
Code Pull Requests Actions Projects Activity

forbidden-fix
Some checks failed
Deploy on push / deploy (push) Failing after 20s
Details

Browse Source
This commit is contained in:
Untone 2024-03-06 10:44:08 +03:00
parent b09ea39668
commit cb535cffea
1 changed files with 44 additions and 52 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

42
resolvers/editor.py
View File

@ -33,13 +33,12 @@ async def get_my_shout(_, info, shout_id: int):
user_id = info.context.get('user_id', '') user_id = info.context.get('user_id', '')
roles = info.context.get('roles', []) roles = info.context.get('roles', [])
if not user_id: if not user_id:
error = 'user is not logged in' error = 'unauthorized'
elif shout.created_by != author.id: else:
error = 'author cannot edit this post' if 'editor' in roles or filter(lambda x: x.id == author.id, [x for x in shout.authors]):
elif 'editor' not in roles: return {"error": error, "shout": shout}
error = 'user has no editor role' else:
elif not any([x.id == author.id for x in shout.authors]): error = 'forbidden'
error = 'author have no permissions to read this not published shout'
return {"error": error, "shout": shout} return {"error": error, "shout": shout}
@ -232,13 +231,7 @@ async def update_shout(_, info, shout_id: int, shout_input=None, publish=False):
) )
shout_input['slug'] = slug shout_input['slug'] = slug
if ( if filter(lambda x: x.id == author.id, [x for x in shout_by_id.authors]) or 'editor' in roles:
shout_by_id.created_by != author.id
and not filter(lambda x: x == author.id, shout_by_id.authors)
and 'editor' not in roles
):
return {'error': 'access denied'}
# topics patch # topics patch
topics_input = shout_input.get('topics') topics_input = shout_input.get('topics')
if topics_input: if topics_input:
@ -265,7 +258,10 @@ async def update_shout(_, info, shout_id: int, shout_input=None, publish=False):
# search service indexing # search service indexing
search_service.index(shout_by_id) search_service.index(shout_by_id)
return {'shout': shout_dict} return {'shout': shout_dict, 'error': None}
else:
return {'error': 'access denied', 'shout': None}
except Exception as exc: except Exception as exc:
logger.error(exc) logger.error(exc)
logger.error(f' cannot update with data: {shout_input}') logger.error(f' cannot update with data: {shout_input}')
@ -275,7 +271,7 @@ async def update_shout(_, info, shout_id: int, shout_input=None, publish=False):
@mutation.field('delete_shout') @mutation.field('delete_shout')
@login_required @login_required
async def delete_shout(_, info, shout_id): async def delete_shout(_, info, shout_id: int):
user_id = info.context.get('user_id') user_id = info.context.get('user_id')
roles = info.context.get('roles') roles = info.context.get('roles')
if user_id: if user_id:
@ -285,13 +281,8 @@ async def delete_shout(_, info, shout_id):
if not shout: if not shout:
return {'error': 'invalid shout id'} return {'error': 'invalid shout id'}
if author and shout: if author and shout:
if ( # NOTE: only owner and editor can mark the shout as deleted
shout.created_by is not author.id if shout.created_by == author.id or 'editor' in roles:
and author.id not in shout.authors
and 'editor' not in roles
):
return {'error': 'access denied'}
for author_id in shout.authors: for author_id in shout.authors:
reactions_unfollow(author_id, shout_id) reactions_unfollow(author_id, shout_id)
@ -301,8 +292,9 @@ async def delete_shout(_, info, shout_id):
session.add(shout) session.add(shout)
session.commit() session.commit()
await notify_shout(shout_dict, 'delete') await notify_shout(shout_dict, 'delete')
return {'error': None}
return {} else:
return {'error': 'access denied'}
def handle_proposing(session, r, shout): def handle_proposing(session, r, shout):