From 6104150b774c6ac8e770535d63e5a71c80c61c88 Mon Sep 17 00:00:00 2001 From: Jai A Date: Thu, 11 Mar 2021 10:32:47 -0700 Subject: [PATCH] Fix users not being able to see their own unapproved mods --- sqlx-data.json | 20 ++++++++++++++++++++ src/database/models/user_item.rs | 25 +++++++++++++++++++++++++ src/routes/users.rs | 25 +++++++++++++++++++++---- 3 files changed, 66 insertions(+), 4 deletions(-) diff --git a/sqlx-data.json b/sqlx-data.json index dd424e545..0969b2c66 100644 --- a/sqlx-data.json +++ b/sqlx-data.json @@ -5180,6 +5180,26 @@ ] } }, + "fdb2a6ea649bb23c69af5c756d6137e216603708ffccd4e9162fb1c9765a56aa": { + "query": "\n SELECT m.id FROM mods m\n INNER JOIN team_members tm ON tm.team_id = m.team_id\n WHERE tm.user_id = $1\n ", + "describe": { + "columns": [ + { + "ordinal": 0, + "name": "id", + "type_info": "Int8" + } + ], + "parameters": { + "Left": [ + "Int8" + ] + }, + "nullable": [ + false + ] + } + }, "fe73b6928f13955840e8df248688908fb6d82dd1d35dc803676639a6e0864ed5": { "query": "\n DELETE FROM downloads\n WHERE date < (CURRENT_DATE - INTERVAL '30 minutes ago')\n ", "describe": { diff --git a/src/database/models/user_item.rs b/src/database/models/user_item.rs index 390d3acfe..d82c5ac5f 100644 --- a/src/database/models/user_item.rs +++ b/src/database/models/user_item.rs 
@@ -213,6 +213,31 @@ impl User {
 Ok(mods)
 }
+ pub async fn get_mods_private<'a, E>(
+ user_id: UserId,
+ exec: E,
+ ) -> Result, sqlx::Error>
+ where
+ E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
+ {
+ use futures::stream::TryStreamExt;
+
+ let mods = sqlx::query!(
+ "
+ SELECT m.id FROM mods m
+ INNER JOIN team_members tm ON tm.team_id = m.team_id
+ WHERE tm.user_id = $1
+ ",
+ user_id as UserId,
+ )
+ .fetch_many(exec)
+ .try_filter_map(|e| async { Ok(e.right().map(|m| ModId(m.id))) })
+ .try_collect::>()
+ .await?;
+
+ Ok(mods)
+ }
+
 pub async fn remove<'a, 'b, E>(id: UserId, exec: E) -> Result, sqlx::error::Error>
 where
 E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
diff --git a/src/routes/users.rs b/src/routes/users.rs
index a9195dacf..fec10f921 100644
--- a/src/routes/users.rs
+++ b/src/routes/users.rs
@@ -122,10 +122,13 @@ fn convert_user(data: crate::database::models::user_item::User) -> crate::models
 #[get("{user_id}/mods")]
 pub async fn mods_list(
+ req: HttpRequest,
 info: web::Path<(UserId,)>,
 pool: web::Data,
 ) -> Result {
- let id = info.into_inner().0.into();
+ let user = get_user_from_headers(req.headers(), &**pool).await.ok();
+
+ let id: crate::database::models::UserId = info.into_inner().0.into();
 let user_exists = sqlx::query!(
 "SELECT EXISTS(SELECT 1 FROM users WHERE id = $1)",
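Review bot: `get_mods_private` carries no doc comment, and nothing in its name or signature says that, unlike `get_mods` (which takes a status string), its query applies no status condition and therefore returns the user's unapproved mods as well. Since the only thing keeping that data private is the authorization check performed by the caller, the contract belongs on the function itself: `/// Returns every mod on a team the user belongs to, with no status filter (unlike get_mods).`, `///`, `/// The result includes unapproved mods; callers must verify the requester is that user or a moderator before returning it.`. The `Copy` bound on `E` matches the existing `remove` signature shown below it, so that part is consistent with the file. The enclosing `impl User` block starts before this hunk.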
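Review bot: The `.ok()` on the `get_user_from_headers` call discards the reason authentication failed, so a malformed or expired token (presumably among the errors that helper can return, which are not visible here) is handled exactly like an absent header and the request silently continues as anonymous instead of being rejected. For a public listing endpoint that fallback is defensible, but it is a deliberate choice that the next reader should not have to infer from a combinator; a comment on that line would state it: `// Auth is optional here: any failure to identify the caller falls back to the public, approved-only listing.`. `mods_list` continues past the end of this hunk.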
@@ -137,9 +140,23 @@ pub async fn mods_list(
 .exists;
 if user_exists.unwrap_or(false) {
- let mod_data = User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
- .await
- .map_err(|e| ApiError::DatabaseError(e.into()))?;
+ let user_id: UserId = id.into();
+
+ let mod_data = if let Some(current_user) = user {
+ if current_user.role.is_mod() || current_user.id == user_id {
+ User::get_mods_private(id, &**pool)
+ .await
+ .map_err(|e| ApiError::DatabaseError(e.into()))?
+ } else {
+ User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
+ .await
+ .map_err(|e| ApiError::DatabaseError(e.into()))?
+ }
+ } else {
+ User::get_mods(id, ModStatus::Approved.as_str(), &**pool)
+ .await
+ .map_err(|e| ApiError::DatabaseError(e.into()))?
+ };
 let response = mod_data
 .into_iter()
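Review bot: The authorization decision is spread over a nested `if let`/`if`/`else` in which the approved-only `User::get_mods` call and its `map_err` are written out twice, so the one security-relevant condition — requester is the account owner or a moderator — is harder to see at a glance and has two places to drift if it is ever changed. Folding the condition into a single boolean and hoisting the `map_err` makes it read as one decision and removes the duplication; the rewrite below assumes `get_mods` and `get_mods_private` return the same error type, which the identical `map_err` closures suggest but the hunk does not show. The conversion of `id` back to the API-level `UserId` is kept because `current_user.id` is compared against it. The rest of `mods_list` is outside this hunk.
```rust
let user_id: UserId = id.into();

// Only the account owner or a moderator may see mods that are not yet approved.
let can_view_private = user
    .as_ref()
    .map_or(false, |u| u.role.is_mod() || u.id == user_id);

let mod_data = if can_view_private {
    User::get_mods_private(id, &**pool).await
} else {
    User::get_mods(id, ModStatus::Approved.as_str(), &**pool).await
}
.map_err(|e| ApiError::DatabaseError(e.into()))?;

// … unchanged: response construction from mod_data …
```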