Bommels05/Modrinth
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Move descriptions to database, switch to SHA-512 hashes, fix declining invites not working, allow user deletion, fix broken permission checks for many things, security fixes

Browse Source
This commit is contained in:
Geometrically 2021-01-14 10:08:38 -07:00
parent e2183c2214
commit ec3c31a106
No known key found for this signature in database
GPG Key ID: 90C056FDC8FC9FF0
23 changed files with 1106 additions and 699 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.env
View File

@ -22,7 +22,6 @@ S3_SECRET=none
S3_URL=none
S3_REGION=none
S3_BUCKET_NAME=none
S3_PROVIDER=none
# 1 hour
LOCAL_INDEX_INTERVAL=3600

1
Cargo.lock generated
View File

@ -1835,6 +1835,7 @@ dependencies = [
"serde_json",
"serde_with",
"sha1",
"sha2",
"sqlx",
"thiserror",
]

1
Cargo.toml
View File

@ -29,6 +29,7 @@ chrono = { version = "0.4", features = ["serde"] }
rand = "0.7.3"
base64 = "0.13.0"
sha1 = { version = "0.6.0", features = ["std"] }
sha2 = "0.9.2"
bitflags = "1.2.1"
gumdrop = "0.8.0"

15
migrations/20210113202021_add-descriptions.sql Normal file
View File

@ -0,0 +1,15 @@
ALTER TABLE mods
ADD COLUMN body varchar(65536) NOT NULL DEFAULT '';
ALTER TABLE mods
ALTER COLUMN body_url DROP NOT NULL;
ALTER TABLE versions
ADD COLUMN changelog varchar(65536) NOT NULL DEFAULT '';
INSERT INTO users (
id, github_id, username, name, email,
avatar_url, bio, created
)
VALUES (
127155982985829, 10137, 'Ghost', NULL, NULL,
'https://avatars2.githubusercontent.com/u/10137', 'A deleted user', NOW()
);

1154
sqlx-data.json
View File

File diff suppressed because it is too large Load Diff

18
src/database/models/mod_item.rs
View File

@ -36,7 +36,7 @@ pub struct ModBuilder {
pub team_id: TeamId,
pub title: String,
pub description: String,
pub body_url: String,
pub body: String,
pub icon_url: Option<String>,
pub issues_url: Option<String>,
pub source_url: Option<String>,
@ -63,7 +63,8 @@ impl ModBuilder {
team_id: self.team_id,
title: self.title,
description: self.description,
body_url: self.body_url,
body: self.body,
body_url: None,
published: chrono::Utc::now(),
updated: chrono::Utc::now(),
status: self.status,
@ -113,7 +114,8 @@ pub struct Mod {
pub team_id: TeamId,
pub title: String,
pub description: String,
pub body_url: String,
pub body: String,
pub body_url: Option<String>,
pub published: chrono::DateTime<chrono::Utc>,
pub updated: chrono::DateTime<chrono::Utc>,
pub status: StatusId,
@ -138,7 +140,7 @@ impl Mod {
sqlx::query!(
"
INSERT INTO mods (
id, team_id, title, description, body_url,
id, team_id, title, description, body,
published, downloads, icon_url, issues_url,
source_url, wiki_url, status, discord_url,
client_side, server_side, license_url, license,
@ -156,7 +158,7 @@ impl Mod {
self.team_id as TeamId,
&self.title,
&self.description,
&self.body_url,
&self.body,
self.published,
self.downloads,
self.icon_url.as_ref(),
@ -184,7 +186,7 @@ impl Mod {
let result = sqlx::query!(
"
SELECT title, description, downloads,
icon_url, body_url, published,
icon_url, body, body_url, published,
updated, status,
issues_url, source_url, wiki_url, discord_url, license_url,
team_id, client_side, server_side, license, slug
@ -217,6 +219,7 @@ impl Mod {
server_side: SideTypeId(row.server_side),
license: LicenseId(row.license),
slug: row.slug,
body: row.body,
}))
} else {
Ok(None)
@ -233,7 +236,7 @@ impl Mod {
let mods = sqlx::query!(
"
SELECT id, title, description, downloads,
icon_url, body_url, published,
icon_url, body, body_url, published,
updated, status,
issues_url, source_url, wiki_url, discord_url, license_url,
team_id, client_side, server_side, license, slug
@ -264,6 +267,7 @@ impl Mod {
server_side: SideTypeId(m.server_side),
license: LicenseId(m.license),
slug: m.slug,
body: m.body,
}))
})
.try_collect::<Vec<Mod>>()

71
src/database/models/team_item.rs
View File

@ -411,4 +411,75 @@ impl TeamMember {
Ok(())
}
pub async fn get_from_user_id_mod<'a, 'b, E>(
id: ModId,
user_id: UserId,
executor: E,
) -> Result<Option<Self>, super::DatabaseError>
where
E: sqlx::Executor<'a, Database = sqlx::Postgres>,
{
let result = sqlx::query!(
"
SELECT tm.id, tm.team_id, tm.user_id, tm.role, tm.permissions, tm.accepted FROM mods m
INNER JOIN team_members tm ON tm.team_id = m.team_id AND user_id = $2 AND accepted = TRUE
WHERE m.id = $1
",
id as ModId,
user_id as UserId
)
.fetch_optional(executor)
.await?;
if let Some(m) = result {
Ok(Some(TeamMember {
id: TeamMemberId(m.id),
team_id: TeamId(m.team_id),
user_id,
role: m.role,
permissions: Permissions::from_bits(m.permissions as u64)
.ok_or(super::DatabaseError::BitflagError)?,
accepted: m.accepted,
}))
} else {
Ok(None)
}
}
pub async fn get_from_user_id_version<'a, 'b, E>(
id: VersionId,
user_id: UserId,
executor: E,
) -> Result<Option<Self>, super::DatabaseError>
where
E: sqlx::Executor<'a, Database = sqlx::Postgres>,
{
let result = sqlx::query!(
"
SELECT tm.id, tm.team_id, tm.user_id, tm.role, tm.permissions, tm.accepted FROM versions v
INNER JOIN mods m ON m.id = v.mod_id
INNER JOIN team_members tm ON tm.team_id = m.team_id AND tm.user_id = $2 AND tm.accepted = TRUE
WHERE v.id = $1
",
id as VersionId,
user_id as UserId
)
.fetch_optional(executor)
.await?;
if let Some(m) = result {
Ok(Some(TeamMember {
id: TeamMemberId(m.id),
team_id: TeamId(m.team_id),
user_id,
role: m.role,
permissions: Permissions::from_bits(m.permissions as u64)
.ok_or(super::DatabaseError::BitflagError)?,
accepted: m.accepted,
}))
} else {
Ok(None)
}
}
}

117
src/database/models/user_item.rs
View File

@ -207,4 +207,121 @@ impl User {
Ok(mods)
}
pub async fn remove<'a, 'b, E>(id: UserId, exec: E) -> Result<Option<()>, sqlx::error::Error>
where
E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
{
let deleted_user: UserId = crate::models::users::DELETED_USER.into();
sqlx::query!(
"
UPDATE team_members
SET user_id = $1
WHERE (user_id = $2 AND role = $3)
",
deleted_user as UserId,
id as UserId,
crate::models::teams::OWNER_ROLE
)
.execute(exec)
.await?;
sqlx::query!(
"
UPDATE versions
SET author_id = $1
WHERE (author_id = $2)
",
deleted_user as UserId,
id as UserId,
)
.execute(exec)
.await?;
sqlx::query!(
"
DELETE FROM team_members
WHERE user_id = $1
",
id as UserId,
)
.execute(exec)
.await?;
sqlx::query!(
"
DELETE FROM users
WHERE id = $1
",
id as UserId,
)
.execute(exec)
.await?;
Ok(Some(()))
}
pub async fn remove_full<'a, 'b, E>(
id: UserId,
exec: E,
) -> Result<Option<()>, sqlx::error::Error>
where
E: sqlx::Executor<'a, Database = sqlx::Postgres> + Copy,
{
use futures::TryStreamExt;
let mods: Vec<ModId> = sqlx::query!(
"
SELECT m.id FROM mods m
INNER JOIN team_members tm ON tm.team_id = m.team_id
WHERE tm.user_id = $1 AND tm.role = $2
",
id as UserId,
crate::models::teams::OWNER_ROLE
)
.fetch_many(exec)
.try_filter_map(|e| async { Ok(e.right().map(|m| ModId(m.id))) })
.try_collect::<Vec<ModId>>()
.await?;
for mod_id in mods {
let _result = super::mod_item::Mod::remove_full(mod_id, exec).await?;
}
let deleted_user: UserId = crate::models::users::DELETED_USER.into();
sqlx::query!(
"
UPDATE versions
SET author_id = $1
WHERE (author_id = $2)
",
deleted_user as UserId,
id as UserId,
)
.execute(exec)
.await?;
sqlx::query!(
"
DELETE FROM team_members
WHERE user_id = $1
",
id as UserId,
)
.execute(exec)
.await?;
sqlx::query!(
"
DELETE FROM users
WHERE id = $1
",
id as UserId,
)
.execute(exec)
.await?;
Ok(Some(()))
}
}

16
src/database/models/version_item.rs
View File

@ -7,7 +7,7 @@ pub struct VersionBuilder {
pub author_id: UserId,
pub name: String,
pub version_number: String,
pub changelog_url: Option<String>,
pub changelog: String,
pub files: Vec<VersionFileBuilder>,
pub dependencies: Vec<VersionId>,
pub game_versions: Vec<GameVersionId>,
@ -78,7 +78,8 @@ impl VersionBuilder {
author_id: self.author_id,
name: self.name,
version_number: self.version_number,
changelog_url: self.changelog_url,
changelog: self.changelog,
changelog_url: None,
date_published: chrono::Utc::now(),
downloads: 0,
release_channel: self.release_channel,
@ -152,6 +153,7 @@ pub struct Version {
pub author_id: UserId,
pub name: String,
pub version_number: String,
pub changelog: String,
pub changelog_url: Option<String>,
pub date_published: chrono::DateTime<chrono::Utc>,
pub downloads: i32,
@ -382,7 +384,7 @@ impl Version {
let result = sqlx::query!(
"
SELECT v.mod_id, v.author_id, v.name, v.version_number,
v.changelog_url, v.date_published, v.downloads,
v.changelog, v.changelog_url, v.date_published, v.downloads,
v.release_channel, v.accepted, v.featured
FROM versions v
WHERE v.id = $1
@ -399,6 +401,7 @@ impl Version {
author_id: UserId(row.author_id),
name: row.name,
version_number: row.version_number,
changelog: row.changelog,
changelog_url: row.changelog_url,
date_published: row.date_published,
downloads: row.downloads,
@ -424,7 +427,7 @@ impl Version {
let versions = sqlx::query!(
"
SELECT v.id, v.mod_id, v.author_id, v.name, v.version_number,
v.changelog_url, v.date_published, v.downloads,
v.changelog, v.changelog_url, v.date_published, v.downloads,
v.release_channel, v.accepted, v.featured
FROM versions v
WHERE v.id IN (SELECT * FROM UNNEST($1::bigint[]))
@ -439,6 +442,7 @@ impl Version {
author_id: UserId(v.author_id),
name: v.name,
version_number: v.version_number,
changelog: v.changelog,
changelog_url: v.changelog_url,
date_published: v.date_published,
downloads: v.downloads,
@ -463,7 +467,7 @@ impl Version {
let result = sqlx::query!(
"
SELECT v.mod_id, v.author_id, v.name, v.version_number,
v.changelog_url, v.date_published, v.downloads,
v.changelog, v.changelog_url, v.date_published, v.downloads,
release_channels.channel, v.accepted, v.featured
FROM versions v
INNER JOIN release_channels ON v.release_channel = release_channels.id
@ -545,6 +549,7 @@ impl Version {
author_id: UserId(row.author_id),
name: row.name,
version_number: row.version_number,
changelog: row.changelog,
changelog_url: row.changelog_url,
date_published: row.date_published,
downloads: row.downloads,
@ -599,6 +604,7 @@ pub struct QueryVersion {
pub author_id: UserId,
pub name: String,
pub version_number: String,
pub changelog: String,
pub changelog_url: Option<String>,
pub date_published: chrono::DateTime<chrono::Utc>,
pub downloads: i32,

4
src/file_hosting/backblaze.rs
View File

@ -1,5 +1,6 @@
use super::{DeleteFileData, FileHost, FileHostingError, UploadFileData};
use async_trait::async_trait;
use sha2::Digest;
mod authorization;
mod delete;
@ -32,12 +33,15 @@ impl FileHost for BackblazeHost {
file_name: &str,
file_bytes: Vec<u8>,
) -> Result<UploadFileData, FileHostingError> {
let content_sha512 = format!("{:x}", sha2::Sha512::digest(&file_bytes));
let upload_data =
upload::upload_file(&self.upload_url_data, content_type, file_name, file_bytes).await?;
Ok(UploadFileData {
file_id: upload_data.file_id,
file_name: upload_data.file_name,
content_length: upload_data.content_length,
content_sha512,
content_sha1: upload_data.content_sha1,
content_md5: upload_data.content_md5,
content_type: upload_data.content_type,

3
src/file_hosting/mock.rs
View File

@ -1,5 +1,6 @@
use super::{DeleteFileData, FileHost, FileHostingError, UploadFileData};
use async_trait::async_trait;
use sha2::Digest;
pub struct MockHost(());
@ -21,12 +22,14 @@ impl FileHost for MockHost {
.join(file_name.replace("../", ""));
std::fs::create_dir_all(path.parent().ok_or(FileHostingError::InvalidFilename)?)?;
let content_sha1 = sha1::Sha1::from(&file_bytes).hexdigest();
let content_sha512 = format!("{:x}", sha2::Sha512::digest(&file_bytes));
std::fs::write(path, &file_bytes)?;
Ok(UploadFileData {
file_id: String::from("MOCK_FILE_ID"),
file_name: file_name.to_string(),
content_length: file_bytes.len() as u32,
content_sha512,
content_sha1,
content_md5: None,
content_type: content_type.to_string(),

1
src/file_hosting/mod.rs
View File

@ -32,6 +32,7 @@ pub struct UploadFileData {
pub file_id: String,
pub file_name: String,
pub content_length: u32,
pub content_sha512: String,
pub content_sha1: String,
pub content_md5: Option<String>,
pub content_type: String,

30
src/file_hosting/s3_host.rs
View File

@ -3,6 +3,7 @@ use async_trait::async_trait;
use s3::bucket::Bucket;
use s3::creds::Credentials;
use s3::region::Region;
use sha2::Digest;
pub struct S3Host {
bucket: Bucket,
@ -40,6 +41,7 @@ impl FileHost for S3Host {
file_bytes: Vec<u8>,
) -> Result<UploadFileData, FileHostingError> {
let content_sha1 = sha1::Sha1::from(&file_bytes).hexdigest();
let content_sha512 = format!("{:x}", sha2::Sha512::digest(&file_bytes));
self.bucket
.put_object_with_content_type(
@ -49,37 +51,11 @@ impl FileHost for S3Host {
)
.await?;
let provider = &*dotenv::var("S3_PROVIDER").unwrap();
if provider == "do" {
reqwest::Client::new()
.delete(&*format!(
"https://api.digitalocean.com/v2/cdn/endpoints/{}/cache",
self.bucket.name
))
.header(reqwest::header::CONTENT_TYPE, "application/json")
.header(
reqwest::header::AUTHORIZATION,
self.bucket
.credentials
.secret_key
.clone()
.unwrap_or_else(|| "".to_string()),
)
.body(
serde_json::json!({
"files": vec![file_name],
})
.to_string(),
)
.send()
.await?;
}
Ok(UploadFileData {
file_id: file_name.to_string(),
file_name: file_name.to_string(),
content_length: file_bytes.len() as u32,
content_sha512,
content_sha1,
content_md5: None,
content_type: content_type.to_string(),

1
src/main.rs
View File

@ -356,7 +356,6 @@ fn check_env_vars() -> bool {
failed |= check_var::<String>("S3_URL");
failed |= check_var::<String>("S3_REGION");
failed |= check_var::<String>("S3_BUCKET_NAME");
failed |= check_var::<String>("S3_PROVIDER");
} else if storage_backend.as_deref() == Some("local") {
failed |= check_var::<String>("MOCK_FILE_PATH");
} else if let Some(backend) = storage_backend {

10
src/models/mods.rs
View File

@ -29,8 +29,10 @@ pub struct Mod {
pub title: String,
/// A short description of the mod.
pub description: String,
/// The link to the long description of the mod.
pub body_url: String,
/// A long form description of the mod.
pub body: String,
/// The link to the long description of the mod. (Deprecated), being replaced by `body`
pub body_url: Option<String>,
/// The date at which the mod was first published.
pub published: DateTime<Utc>,
/// The date at which the mod was first published.
@ -192,7 +194,9 @@ pub struct Version {
pub name: String,
/// The version number. Ideally will follow semantic versioning
pub version_number: String,
/// A link to the changelog for this version of the mod.
/// The changelog for this version of the mod.
pub changelog: String,
/// A link to the changelog for this version of the mod. (Deprecated), being replaced by `changelog`
pub changelog_url: Option<String>,
/// The date that this version was published.
pub date_published: DateTime<Utc>,

2
src/models/users.rs
View File

@ -6,6 +6,8 @@ use serde::{Deserialize, Serialize};
#[serde(into = "Base62Id")]
pub struct UserId(pub u64);
pub const DELETED_USER: UserId = UserId(127155982985829);
#[derive(Serialize, Deserialize)]
pub struct User {
pub id: UserId,

73
src/routes/mod_creation.rs
View File

@ -48,6 +48,8 @@ pub enum CreateError {
InvalidFileType(String),
#[error("Authentication Error: {0}")]
Unauthorized(#[from] AuthenticationError),
#[error("Authentication Error: {0}")]
CustomAuthenticationError(String),
}
impl actix_web::ResponseError for CreateError {
@ -68,6 +70,7 @@ impl actix_web::ResponseError for CreateError {
CreateError::InvalidCategory(..) => StatusCode::BAD_REQUEST,
CreateError::InvalidFileType(..) => StatusCode::BAD_REQUEST,
CreateError::Unauthorized(..) => StatusCode::UNAUTHORIZED,
CreateError::CustomAuthenticationError(..) => StatusCode::UNAUTHORIZED,
}
}
@ -89,6 +92,7 @@ impl actix_web::ResponseError for CreateError {
CreateError::InvalidCategory(..) => "invalid_input",
CreateError::InvalidFileType(..) => "invalid_input",
CreateError::Unauthorized(..) => "unauthorized",
CreateError::CustomAuthenticationError(..) => "unauthorized",
},
description: &self.to_string(),
})
@ -334,18 +338,8 @@ async fn mod_create_inner(
)));
}
}
versions.push(
create_initial_version(
data,
mod_id,
current_user.id,
&cdn_url,
transaction,
file_host,
uploaded_files,
)
.await?,
);
versions
.push(create_initial_version(data, mod_id, current_user.id, transaction).await?);
}
mod_create_data = create_data;
@ -436,24 +430,6 @@ async fn mod_create_inner(
categories.push(id);
}
// Upload the mod desciption markdown to the CDN
// TODO: Should we also process and upload an html version here for SSR?
let body_path = format!("data/{}/description.md", mod_id);
{
let upload_data = file_host
.upload_file(
"text/plain",
&body_path,
mod_create_data.mod_body.into_bytes(),
)
.await?;
uploaded_files.push(UploadedFile {
file_id: upload_data.file_id,
file_name: upload_data.file_name,
});
}
let team = models::team_item::TeamBuilder {
members: vec![models::team_item::TeamMemberBuilder {
user_id: current_user.id.into(),
@ -527,7 +503,7 @@ async fn mod_create_inner(
team_id,
title: mod_create_data.mod_name,
description: mod_create_data.mod_description,
body_url: format!("{}/{}", cdn_url, body_path),
body: mod_create_data.mod_body,
icon_url,
issues_url: mod_create_data.issues_url,
source_url: mod_create_data.source_url,
@ -553,7 +529,8 @@ async fn mod_create_inner(
team: team_id.into(),
title: mod_builder.title.clone(),
description: mod_builder.description.clone(),
body_url: mod_builder.body_url.clone(),
body: mod_builder.body.clone(),
body_url: None,
published: now,
updated: now,
status: status.clone(),
@ -596,10 +573,7 @@ async fn create_initial_version(
version_data: &InitialVersionData,
mod_id: ModId,
author: UserId,
cdn_url: &str,
transaction: &mut sqlx::Transaction<'_, sqlx::Postgres>,
file_host: &dyn FileHost,
uploaded_files: &mut Vec<UploadedFile>,
) -> Result<models::version_item::VersionBuilder, CreateError> {
if version_data.mod_id.is_some() {
return Err(CreateError::InvalidInput(String::from(
@ -613,30 +587,6 @@ async fn create_initial_version(
// Randomly generate a new id to be used for the version
let version_id: VersionId = models::generate_version_id(transaction).await?.into();
// Upload the version's changelog to the CDN
let changelog_path = if let Some(changelog) = &version_data.version_body {
let changelog_path = format!(
"data/{}/versions/{}/changelog.md",
mod_id, version_data.version_number
);
let uploaded_text = file_host
.upload_file(
"text/plain",
&changelog_path,
changelog.clone().into_bytes(),
)
.await?;
uploaded_files.push(UploadedFile {
file_id: uploaded_text.file_id,
file_name: uploaded_text.file_name,
});
Some(changelog_path)
} else {
None
};
let release_channel =
models::ChannelId::get_id(version_data.release_channel.as_str(), &mut *transaction)
.await?
@ -670,7 +620,10 @@ async fn create_initial_version(
author_id: author.into(),
name: version_data.version_title.clone(),
version_number: version_data.version_number.clone(),
changelog_url: changelog_path.map(|path| format!("{}/{}", cdn_url, path)),
changelog: version_data
.version_body
.clone()
.unwrap_or_else(|| "".to_string()),
files: Vec::new(),
dependencies,
game_versions,

7
src/routes/moderation.rs
View File

@ -32,8 +32,8 @@ pub struct ModerationMod {
pub title: String,
/// A short description of the mod.
pub description: String,
/// The link to the long description of the mod.
pub body_url: String,
/// The long description of the mod.
pub body: String,
/// The date at which the mod was first published.
pub published: DateTime<Utc>,
/// The date at which the mod was first published.
@ -85,7 +85,7 @@ pub async fn mods(
team: database::models::ids::TeamId(m.team_id).into(),
title: m.title,
description: m.description,
body_url: m.body_url,
body: m.body,
published: m.published,
icon_url: m.icon_url,
issues_url: m.issues_url,
@ -133,6 +133,7 @@ pub async fn versions(
featured: m.featured,
name: m.name,
version_number: m.version_number,
changelog: m.changelog,
changelog_url: m.changelog_url,
date_published: m.date_published,
downloads: m.downloads as u32,

36
src/routes/mods.rs
View File

@ -203,6 +203,7 @@ fn convert_mod(data: database::models::mod_item::QueryMod) -> models::mods::Mod
team: m.team_id.into(),
title: m.title,
description: m.description,
body: m.body,
body_url: m.body_url,
published: m.published,
updated: m.updated,
@ -282,7 +283,6 @@ pub async fn mod_edit(
info: web::Path<(models::ids::ModId,)>,
pool: web::Data<PgPool>,
config: web::Data<SearchConfig>,
file_host: web::Data<Arc<dyn FileHost + Send + Sync>>,
new_mod: web::Json<EditMod>,
indexing_queue: Data<Arc<CreationQueue>>,
) -> Result<HttpResponse, ApiError> {
@ -729,13 +729,18 @@ pub async fn mod_edit(
));
}
let body_path = format!("data/{}/description.md", mod_id);
file_host.delete_file_version("", &*body_path).await?;
file_host
.upload_file("text/plain", &body_path, body.clone().into_bytes())
.await?;
sqlx::query!(
"
UPDATE mods
SET body = $1
WHERE (id = $2)
",
body,
id as database::models::ids::ModId,
)
.execute(&mut *transaction)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?;
}
transaction
@ -857,18 +862,13 @@ pub async fn mod_delete(
let id = info.into_inner().0;
if !user.role.is_mod() {
let mod_item = database::models::Mod::get(id.into(), &**pool)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?
.ok_or_else(|| ApiError::InvalidInputError("Invalid Mod ID specified!".to_string()))?;
let team_member = database::models::TeamMember::get_from_user_id(
mod_item.team_id,
user.id.into(),
&**pool,
)
let team_member =
database::models::TeamMember::get_from_user_id_mod(id.into(), user.id.into(), &**pool)
.await
.map_err(ApiError::DatabaseError)?
.ok_or_else(|| ApiError::InvalidInputError("Invalid Mod ID specified!".to_string()))?;
.ok_or_else(|| {
ApiError::InvalidInputError("Invalid Mod ID specified!".to_string())
})?;
if !team_member.permissions.contains(Permissions::DELETE_MOD) {
return Err(ApiError::CustomAuthenticationError(

7
src/routes/teams.rs
View File

@ -287,7 +287,8 @@ pub async fn remove_team_member(
let user_id = ids.1.into();
let current_user = get_user_from_headers(req.headers(), &**pool).await?;
let team_member = TeamMember::get_from_user_id(id, current_user.id.into(), &**pool).await?;
let team_member =
TeamMember::get_from_user_id_pending(id, current_user.id.into(), &**pool).await?;
let member = match team_member {
Some(m) => m,
@ -312,7 +313,7 @@ pub async fn remove_team_member(
// Members other than the owner can either leave the team, or be
// removed by a member with the REMOVE_MEMBER permission.
if delete_member.user_id == member.user_id
|| member.permissions.contains(Permissions::REMOVE_MEMBER)
|| (member.permissions.contains(Permissions::REMOVE_MEMBER) && member.accepted)
{
TeamMember::delete(id, user_id, &**pool).await?;
} else {
@ -321,7 +322,7 @@ pub async fn remove_team_member(
));
}
} else if delete_member.user_id == member.user_id
|| member.permissions.contains(Permissions::MANAGE_INVITES)
|| (member.permissions.contains(Permissions::MANAGE_INVITES) && member.accepted)
{
// This is a pending invite rather than a member, so the
// user being invited or team members with the MANAGE_INVITES

42
src/routes/users.rs
View File

@ -1,4 +1,4 @@
use crate::auth::{check_is_moderator_from_headers, get_user_from_headers};
use crate::auth::get_user_from_headers;
use crate::database::models::{TeamMember, User};
use crate::file_hosting::FileHost;
use crate::models::users::{Role, UserId};
@ -420,24 +420,42 @@ pub async fn user_icon_edit(
}
}
// TODO: Make this actually do stuff
#[derive(Deserialize)]
pub struct RemovalType {
#[serde(default = "default_removal")]
removal_type: String,
}
fn default_removal() -> String {
"partial".into()
}
#[delete("{id}")]
pub async fn user_delete(
req: HttpRequest,
info: web::Path<(UserId,)>,
pool: web::Data<PgPool>,
removal_type: web::Query<RemovalType>,
) -> Result<HttpResponse, ApiError> {
check_is_moderator_from_headers(
req.headers(),
&mut *pool
.acquire()
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?,
)
.await?;
let user = get_user_from_headers(req.headers(), &**pool).await?;
let id = info.into_inner().0;
let _id = info.0;
let result = Some(());
if !user.role.is_mod() && user.id == user.id {
return Err(ApiError::CustomAuthenticationError(
"You do not have permission to delete this user!".to_string(),
));
}
let result;
if removal_type.removal_type == "full".to_string() {
result = crate::database::models::User::remove_full(id.into(), &**pool)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?;
} else {
result = crate::database::models::User::remove(id.into(), &**pool)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?;
};
if result.is_some() {
Ok(HttpResponse::Ok().body(""))

100
src/routes/version_creation.rs
View File

@ -5,6 +5,7 @@ use crate::file_hosting::FileHost;
use crate::models::mods::{
GameVersion, ModId, ModLoader, Version, VersionFile, VersionId, VersionType,
};
use crate::models::teams::Permissions;
use crate::routes::mod_creation::{CreateError, UploadedFile};
use actix_multipart::{Field, Multipart};
use actix_web::web::Data;
@ -180,53 +181,29 @@ async fn version_create_inner(
// Check that the user creating this version is a team member
// of the mod the version is being added to.
let member_ids = sqlx::query!(
"
SELECT user_id FROM team_members tm
INNER JOIN mods ON mods.team_id = tm.team_id
WHERE mods.id = $1
",
mod_id as models::ModId,
let team_member = models::TeamMember::get_from_user_id_mod(
mod_id.into(),
user.id.into(),
&mut *transaction,
)
.fetch_all(&mut *transaction)
.await?;
.await?
.ok_or_else(|| {
CreateError::CustomAuthenticationError(
"You don't have permission to upload this version!".to_string(),
)
})?;
let member_ids: Vec<models::UserId> = member_ids
.iter()
.map(|m| models::UserId(m.user_id))
.collect();
if !member_ids.contains(&user.id.into()) {
// TODO: Some team members may not have the permissions
// to upload mods; We need a more in depth permissions
// system.
return Err(CreateError::InvalidInput("Unauthorized".to_string()));
if !team_member
.permissions
.contains(Permissions::UPLOAD_VERSION)
{
return Err(CreateError::CustomAuthenticationError(
"You don't have permission to upload this version!".to_string(),
));
}
let version_id: VersionId = models::generate_version_id(transaction).await?.into();
let body_path;
if let Some(body) = &version_create_data.version_body {
let path = format!(
"data/{}/versions/{}/changelog.md",
version_create_data.mod_id.unwrap(),
version_create_data.version_number
);
let uploaded_text = file_host
.upload_file("text/plain", &path, body.clone().into_bytes())
.await?;
uploaded_files.push(UploadedFile {
file_id: uploaded_text.file_id,
file_name: uploaded_text.file_name.clone(),
});
body_path = Some(path);
} else {
body_path = None;
}
let release_channel = models::ChannelId::get_id(
version_create_data.release_channel.as_str(),
&mut *transaction,
@ -256,7 +233,10 @@ async fn version_create_inner(
author_id: user.id.into(),
name: version_create_data.version_title.clone(),
version_number: version_create_data.version_number.clone(),
changelog_url: body_path.map(|path| format!("{}/{}", cdn_url, path)),
changelog: version_create_data
.version_body
.clone()
.unwrap_or_else(|| "".to_string()),
files: Vec::new(),
dependencies: version_create_data
.dependencies
@ -303,7 +283,8 @@ async fn version_create_inner(
featured: builder.featured,
name: builder.name.clone(),
version_number: builder.version_number.clone(),
changelog_url: builder.changelog_url.clone(),
changelog: builder.changelog.clone(),
changelog_url: None,
date_published: chrono::Utc::now(),
downloads: 0,
version_type: version_data.release_channel,
@ -418,8 +399,25 @@ async fn upload_file_to_version_inner(
}
};
if version.author_id as u64 != user.id.0 {
return Err(CreateError::InvalidInput("Unauthorized".to_string()));
let team_member = models::TeamMember::get_from_user_id_version(
version_id.into(),
user.id.into(),
&mut *transaction,
)
.await?
.ok_or_else(|| {
CreateError::CustomAuthenticationError(
"You don't have permission to upload files to this version!".to_string(),
)
})?;
if team_member
.permissions
.contains(Permissions::UPLOAD_VERSION)
{
return Err(CreateError::CustomAuthenticationError(
"You don't have permission to upload files to this version!".to_string(),
));
}
let mod_id = ModId(version.mod_id as u64);
@ -526,12 +524,20 @@ pub async fn upload_file(
Ok(models::version_item::VersionFileBuilder {
filename: file_name.to_string(),
url: format!("{}/{}", cdn_url, upload_data.file_name),
hashes: vec![models::version_item::HashBuilder {
hashes: vec![
models::version_item::HashBuilder {
algorithm: "sha1".to_string(),
// This is an invalid cast - the database expects the hash's
// bytes, but this is the string version.
hash: upload_data.content_sha1.into_bytes(),
}],
},
models::version_item::HashBuilder {
algorithm: "sha512".to_string(),
// This is an invalid cast - the database expects the hash's
// bytes, but this is the string version.
hash: upload_data.content_sha512.into_bytes(),
},
],
primary: uploaded_files.len() == 1,
})
}

83
src/routes/versions.rs
View File

@ -1,5 +1,5 @@
use super::ApiError;
use crate::auth::{check_is_moderator_from_headers, get_user_from_headers};
use crate::auth::get_user_from_headers;
use crate::file_hosting::FileHost;
use crate::models;
use crate::models::teams::Permissions;
@ -159,6 +159,7 @@ fn convert_version(data: database::models::version_item::QueryVersion) -> models
featured: data.featured,
name: data.name,
version_number: data.version_number,
changelog: data.changelog,
changelog_url: data.changelog_url,
date_published: data.date_published,
downloads: data.downloads as u32,
@ -220,7 +221,6 @@ pub async fn version_edit(
req: HttpRequest,
info: web::Path<(models::ids::VersionId,)>,
pool: web::Data<PgPool>,
file_host: web::Data<Arc<dyn FileHost + Send + Sync>>,
new_version: web::Json<EditVersion>,
) -> Result<HttpResponse, ApiError> {
let user = get_user_from_headers(req.headers(), &**pool).await?;
@ -233,18 +233,8 @@ pub async fn version_edit(
.map_err(|e| ApiError::DatabaseError(e.into()))?;
if let Some(version_item) = result {
let mod_item = database::models::Mod::get(version_item.mod_id, &**pool)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?
.ok_or_else(|| {
ApiError::InvalidInputError(
"Attempted to edit version not attached to mod. How did this happen?"
.to_string(),
)
})?;
let team_member = database::models::TeamMember::get_from_user_id(
mod_item.team_id,
let team_member = database::models::TeamMember::get_from_user_id_version(
version_item.id,
user.id.into(),
&**pool,
)
@ -494,17 +484,18 @@ pub async fn version_edit(
}
if let Some(body) = &new_version.changelog {
let mod_id: models::mods::ModId = version_item.mod_id.into();
let body_path = format!(
"data/{}/versions/{}/changelog.md",
mod_id, version_item.version_number
);
file_host.delete_file_version("", &*body_path).await?;
file_host
.upload_file("text/plain", &body_path, body.clone().into_bytes())
.await?;
sqlx::query!(
"
UPDATE versions
SET changelog = $1
WHERE (id = $2)
",
body,
id as database::models::ids::VersionId,
)
.execute(&mut *transaction)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?;
}
transaction
@ -532,20 +523,8 @@ pub async fn version_delete(
let id = info.into_inner().0;
if !user.role.is_mod() {
let version = database::models::Version::get(id.into(), &**pool)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?
.ok_or_else(|| {
ApiError::InvalidInputError("An invalid version ID was specified".to_string())
})?;
let mod_item = database::models::Mod::get(version.mod_id, &**pool)
.await
.map_err(|e| ApiError::DatabaseError(e.into()))?
.ok_or_else(|| {
ApiError::InvalidInputError("The version is not attached to a mod".to_string())
})?;
let team_member = database::models::TeamMember::get_from_user_id(
mod_item.team_id,
let team_member = database::models::TeamMember::get_from_user_id_version(
id.into(),
user.id.into(),
&**pool,
)
@ -735,7 +714,7 @@ pub async fn delete_file(
file_host: web::Data<Arc<dyn FileHost + Send + Sync>>,
algorithm: web::Query<Algorithm>,
) -> Result<HttpResponse, ApiError> {
check_is_moderator_from_headers(req.headers(), &**pool).await?;
let user = get_user_from_headers(req.headers(), &**pool).await?;
let hash = info.into_inner().0;
@ -754,6 +733,30 @@ pub async fn delete_file(
.map_err(|e| ApiError::DatabaseError(e.into()))?;
if let Some(row) = result {
if !user.role.is_mod() {
let team_member = database::models::TeamMember::get_from_user_id_version(
database::models::ids::VersionId(row.version_id),
user.id.into(),
&**pool,
)
.await
.map_err(ApiError::DatabaseError)?
.ok_or_else(|| {
ApiError::CustomAuthenticationError(
"You don't have permission to delete this file!".to_string(),
)
})?;
if !team_member
.permissions
.contains(Permissions::DELETE_VERSION)
{
return Err(ApiError::CustomAuthenticationError(
"You don't have permission to delete this file!".to_string(),
));
}
}
let mut transaction = pool
.begin()
.await