Fix users not being able to see their own unapproved mods

2021-03-11 10:32:47 -07:00 · 2021-03-11 10:32:47 -07:00 · 6104150b77
commit 6104150b77
parent a13bae2f39
3 changed files with 66 additions and 4 deletions
--- a/sqlx-data.json
+++ b/sqlx-data.json
@ -5180,6 +5180,26 @@
      ]
    }
  },
+  "fdb2a6ea649bb23c69af5c756d6137e216603708ffccd4e9162fb1c9765a56aa": {
+    "query": "\n            SELECT m.id FROM mods m\n            INNER JOIN team_members tm ON tm.team_id = m.team_id\n            WHERE tm.user_id = $1\n            ",
+    "describe": {
+      "columns": [
+        {
+          "ordinal": 0,
+          "name": "id",
+          "type_info": "Int8"
+        }
+      ],
+      "parameters": {
+        "Left": [
+          "Int8"
+        ]
+      },
+      "nullable": [
+        false
+      ]
+    }
+  },
  "fe73b6928f13955840e8df248688908fb6d82dd1d35dc803676639a6e0864ed5": {
    "query": "\n                DELETE FROM downloads\n                WHERE date < (CURRENT_DATE - INTERVAL '30 minutes ago')\n                ",
    "describe": {
--- a/src/database/models/user_item.rs
+++ b/src/database/models/user_item.rs
@ -213,6 +213,31 @@ impl User {
        Ok(mods)
    }

+    pub async fn get_mods_private<'a, E>(
+        user_id: UserId,
+        exec: E,
+    ) -> Result<Vec<ModId>, sqlx::Error>
+    where
+        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+    {
+        use futures::stream::TryStreamExt;
+
+        let mods = sqlx::query!(
+            "
+            SELECT m.id FROM mods m
+            INNER JOIN team_members tm ON tm.team_id = m.team_id
+            WHERE tm.user_id = $1
+            ",
+            user_id as UserId,
+        )
+        .fetch_many(exec)
+        .try_filter_map(|e| async { Ok(e.right().map(|m| ModId(m.id))) })
+        .try_collect::<Vec<ModId>>()
+        .await?;
+
+        Ok(mods)
+    }
+
    pub async fn remove<'a, 'b, E>(id: UserId, exec: E) -> Result<Option<()>, sqlx::error::Error>
    where
        E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
--- a/src/routes/users.rs
+++ b/src/routes/users.rs
@ -122,10 +122,13 @@ fn convert_user(data: crate::database::models::user_item::User) -> crate::models

 #[get("{user_id}/mods")]
 pub async fn mods_list(
+    req: HttpRequest,
    info: web::Path<(UserId,)>,
    pool: web::Data<PgPool>,
 ) -> Result<HttpResponse, ApiError> {
-    let id = info.into_inner().0.into();
+    let user = get_user_from_headers(req.headers(), &**pool).await.ok();
+
+    let id: crate::database::models::UserId = info.into_inner().0.into();

    let user_exists = sqlx::query!(
        "SELECT EXISTS(SELECT 1 FROM users WHERE id = $1)",
@ -137,9 +140,23 @@ pub async fn mods_list(
    .exists;

    if user_exists.unwrap_or(false) {
-        let mod_data = User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
-            .await
-            .map_err(|e| ApiError::DatabaseError(e.into()))?;
+        let user_id: UserId = id.into();
+
+        let mod_data = if let Some(current_user) = user {
+            if current_user.role.is_mod() || current_user.id == user_id {
+                User::get_mods_private(id, &**pool)
+                    .await
+                    .map_err(|e| ApiError::DatabaseError(e.into()))?
+            } else {
+                User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
+                    .await
+                    .map_err(|e| ApiError::DatabaseError(e.into()))?
+            }
+        } else {
+            User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
+                .await
+                .map_err(|e| ApiError::DatabaseError(e.into()))?
+        };

        let response = mod_data
            .into_iter()