Diffstat (limited to 'server/src/api')
-rw-r--r--server/src/api/comment.rs176
-rw-r--r--server/src/api/community.rs46
-rw-r--r--server/src/api/post.rs151
-rw-r--r--server/src/api/user.rs61
4 files changed, 291 insertions, 143 deletions
diff --git a/server/src/api/comment.rs b/server/src/api/comment.rs
index 2007542f..f8bdf5d5 100644
--- a/server/src/api/comment.rs
+++ b/server/src/api/comment.rs
@@ -243,28 +243,28 @@ impl Perform for Oper<EditComment> {
let orig_comment =
blocking(pool, move |conn| CommentView::read(&conn, edit_id, None)).await??;
+ let mut editors: Vec<i32> = vec![orig_comment.creator_id];
+ let mut moderators: Vec<i32> = vec![];
+
+ let community_id = orig_comment.community_id;
+ moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ editors.extend(&moderators);
// You are allowed to mark the comment as read even if you're banned.
if data.read.is_none() {
// Verify its the creator or a mod, or an admin
- let mut editors: Vec<i32> = vec![data.creator_id];
- let community_id = orig_comment.community_id;
- editors.append(
- &mut blocking(pool, move |conn| {
- Ok(
- CommunityModeratorView::for_community(&conn, community_id)?
- .into_iter()
- .map(|m| m.user_id)
- .collect(),
- ) as Result<_, LemmyError>
- })
- .await??,
- );
- editors.append(
- &mut blocking(pool, move |conn| {
- Ok(UserView::admins(conn)?.into_iter().map(|a| a.id).collect()) as Result<_, LemmyError>
- })
- .await??,
- );
if !editors.contains(&user_id) {
return Err(APIError::err("no_comment_edit_allowed").into());
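Review bot: The moderator-plus-admin lookup that fills `moderators` here is repeated almost verbatim in the `BanFromCommunity` and `AddModToCommunity` hunks of community.rs and in the `EditPost` hunk of post.rs, so four copies of one authorization rule can drift apart. A single helper that returns those ids for a community would give one place to change who counts as a moderator. The vector named `moderators` also holds site admins, which a comment such as `// community moderators plus site admins` would make explicit. Moving the lookup above `if data.read.is_none()` means both queries now run for mark-as-read requests as well, where the later hunks never consult `moderators`. The enclosing function starts and ends outside the hunk.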
@@ -282,6 +282,25 @@ impl Perform for Oper<EditComment> {
if user.banned {
return Err(APIError::err("site_ban").into());
}
+ } else {
+ // check that user can mark as read
+ let parent_id = orig_comment.parent_id;
+ match parent_id {
+ Some(pid) => {
+ let parent_comment =
+ blocking(pool, move |conn| CommentView::read(&conn, pid, None)).await??;
+ if user_id != parent_comment.creator_id {
+ return Err(APIError::err("no_comment_edit_allowed").into());
+ }
+ }
+ None => {
+ let parent_post_id = orig_comment.post_id;
+ let parent_post = blocking(pool, move |conn| Post::read(conn, parent_post_id)).await??;
+ if user_id != parent_post.creator_id {
+ return Err(APIError::err("no_comment_edit_allowed").into());
+ }
+ }
+ }
}
let content_slurs_removed = remove_slurs(&data.content.to_owned());
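Review bot: The comment `// check that user can mark as read` in the new `else` branch does not say who is allowed, which is the whole rule this branch enforces. I would replace it with `// Only the author being replied to may change the read flag: the parent comment's creator, or the post's creator for a top-level comment.` The two match arms differ only in where the creator id comes from, so resolving that id first and comparing once would leave a single rejection path to audit. The enclosing function starts outside the hunk.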
@@ -289,22 +308,45 @@ impl Perform for Oper<EditComment> {
let edit_id = data.edit_id;
let read_comment = blocking(pool, move |conn| Comment::read(conn, edit_id)).await??;
- let comment_form = CommentForm {
- content: content_slurs_removed,
- parent_id: data.parent_id,
- post_id: data.post_id,
- creator_id: data.creator_id,
- removed: data.removed.to_owned(),
- deleted: data.deleted.to_owned(),
- read: data.read.to_owned(),
- published: None,
- updated: if data.read.is_some() {
- orig_comment.updated
+ let comment_form = {
+ if data.read.is_none() {
+ // the ban etc checks should been made and have passed
+ // the comment can be properly edited
+ let post_removed = if moderators.contains(&user_id) {
+ data.removed
+ } else {
+ Some(read_comment.removed)
+ };
+
+ CommentForm {
+ content: content_slurs_removed,
+ parent_id: read_comment.parent_id,
+ post_id: read_comment.post_id,
+ creator_id: read_comment.creator_id,
+ removed: post_removed.to_owned(),
+ deleted: data.deleted.to_owned(),
+ read: Some(read_comment.read),
+ published: None,
+ updated: Some(naive_now()),
+ ap_id: read_comment.ap_id,
+ local: read_comment.local,
+ }
} else {
- Some(naive_now())
- },
- ap_id: read_comment.ap_id,
- local: read_comment.local,
+ // the only field that can be updated it the read field
+ CommentForm {
+ content: read_comment.content,
+ parent_id: read_comment.parent_id,
+ post_id: read_comment.post_id,
+ creator_id: read_comment.creator_id,
+ removed: Some(read_comment.removed).to_owned(),
+ deleted: Some(read_comment.deleted).to_owned(),
+ read: data.read.to_owned(),
+ published: None,
+ updated: orig_comment.updated,
+ ap_id: read_comment.ap_id,
+ local: read_comment.local,
+ }
+ }
};
let edit_id = data.edit_id;
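Review bot: In the edit branch `content: content_slurs_removed` and `deleted: data.deleted.to_owned()` are taken from the request for every caller that passed the `editors` check, and `editors` includes moderators and admins, so a moderator can rewrite the text or toggle the deleted flag of a comment they did not write. Only `removed` is gated on `moderators.contains(&user_id)`. If that is not intended, gate the author-only fields on `user_id == read_comment.creator_id` and fall back to `read_comment.content` and `Some(read_comment.deleted)` for everyone else.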
@@ -318,30 +360,47 @@ impl Perform for Oper<EditComment> {
Err(_e) => return Err(APIError::err("couldnt_update_comment").into()),
};
- if let Some(deleted) = data.deleted.to_owned() {
- if deleted {
- updated_comment
- .send_delete(&user, &self.client, pool)
- .await?;
+ if data.read.is_none() {
+ if let Some(deleted) = data.deleted.to_owned() {
+ if deleted {
+ updated_comment
+ .send_delete(&user, &self.client, pool)
+ .await?;
+ } else {
+ updated_comment
+ .send_undo_delete(&user, &self.client, pool)
+ .await?;
+ }
+ } else if let Some(removed) = data.removed.to_owned() {
+ if moderators.contains(&user_id) {
+ if removed {
+ updated_comment
+ .send_remove(&user, &self.client, pool)
+ .await?;
+ } else {
+ updated_comment
+ .send_undo_remove(&user, &self.client, pool)
+ .await?;
+ }
+ }
} else {
updated_comment
- .send_undo_delete(&user, &self.client, pool)
+ .send_update(&user, &self.client, pool)
.await?;
}
- } else if let Some(removed) = data.removed.to_owned() {
- if removed {
- updated_comment
- .send_remove(&user, &self.client, pool)
- .await?;
- } else {
- updated_comment
- .send_undo_remove(&user, &self.client, pool)
- .await?;
+
+ // Mod tables
+ if moderators.contains(&user_id) {
+ if let Some(removed) = data.removed.to_owned() {
+ let form = ModRemoveCommentForm {
+ mod_user_id: user_id,
+ comment_id: data.edit_id,
+ removed: Some(removed),
+ reason: data.reason.to_owned(),
+ };
+ blocking(pool, move |conn| ModRemoveComment::create(conn, &form)).await??;
+ }
}
- } else {
- updated_comment
- .send_update(&user, &self.client, pool)
- .await?;
}
let post_id = data.post_id;
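Review bot: When `data.removed` is `Some(_)` and the caller is not in `moderators`, the `else if let Some(removed)` arm is entered and does nothing, so the edit has been saved locally but neither `send_update` nor any other activity is sent; the same shape appears in the post.rs hunk at `@@ -655,12 +688,14 @@`. A client that always includes `removed` in its request would then never federate an ordinary edit. Folding the moderator test into the arm's condition lets that case fall through to `send_update`, for example `match data.removed { Some(removed) if moderators.contains(&user_id) => { … } _ => { … send_update … } }`. Separately, the context line `let post_id = data.post_id;` still takes the post id from the request although the form now uses `read_comment.post_id`; how that value is used lies outside the hunk.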
@@ -350,17 +409,6 @@ impl Perform for Oper<EditComment> {
let mentions = scrape_text_for_mentions(&comment_form.content);
let recipient_ids = send_local_notifs(mentions, updated_comment, user, post, pool).await?;
- // Mod tables
- if let Some(removed) = data.removed.to_owned() {
- let form = ModRemoveCommentForm {
- mod_user_id: user_id,
- comment_id: data.edit_id,
- removed: Some(removed),
- reason: data.reason.to_owned(),
- };
- blocking(pool, move |conn| ModRemoveComment::create(conn, &form)).await??;
- }
-
let edit_id = data.edit_id;
let comment_view = blocking(pool, move |conn| {
CommentView::read(conn, edit_id, Some(user_id))
diff --git a/server/src/api/community.rs b/server/src/api/community.rs
index e703dcf4..e5063e0f 100644
--- a/server/src/api/community.rs
+++ b/server/src/api/community.rs
@@ -392,7 +392,7 @@ impl Perform for Oper<EditCommunity> {
title: data.title.to_owned(),
description: data.description.to_owned(),
category_id: data.category_id.to_owned(),
- creator_id: user_id,
+ creator_id: read_community.creator_id,
removed: data.removed.to_owned(),
deleted: data.deleted.to_owned(),
nsfw: data.nsfw,
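Review bot: `removed` and `deleted` in this form are still copied straight from the request, while the comment.rs and post.rs hunks of the same commit fall back to the stored value for `removed` when the caller is not privileged. Whether the permission check earlier in this function restricts who can reach this form is not visible here, since the function starts outside the hunk. If ordinary moderators pass that check, they can set or clear `removed` on the community, so the field probably wants the same treatment as `creator_id`: take it from `read_community` unless the caller is allowed to change it.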
@@ -652,6 +652,28 @@ impl Perform for Oper<BanFromCommunity> {
let user_id = claims.id;
+ let mut community_moderators: Vec<i32> = vec![];
+
+ let community_id = data.community_id;
+
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ if !community_moderators.contains(&user_id) {
+ return Err(APIError::err("couldnt_update_community").into());
+ }
+
let community_user_ban_form = CommunityUserBanForm {
community_id: data.community_id,
user_id: data.user_id,
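Review bot: The new authorization failure returns `couldnt_update_community`, a key that reads like a failed write, so a client or someone reading logs cannot tell a permission denial from a storage error; the `AddModToCommunity` hunk below does the same. A dedicated key for the denial would make these rejections countable. The check also looks only at the caller: nothing visible in this hunk stops a moderator from banning another moderator or a site admin through `data.user_id`, which may or may not be intended.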
@@ -729,6 +751,28 @@ impl Perform for Oper<AddModToCommunity> {
user_id: data.user_id,
};
+ let mut community_moderators: Vec<i32> = vec![];
+
+ let community_id = data.community_id;
+
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ CommunityModeratorView::for_community(&conn, community_id)
+ .map(|v| v.into_iter().map(|m| m.user_id).collect())
+ })
+ .await??,
+ );
+ community_moderators.append(
+ &mut blocking(pool, move |conn| {
+ UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
+ })
+ .await??,
+ );
+
+ if !community_moderators.contains(&user_id) {
+ return Err(APIError::err("couldnt_update_community").into());
+ }
+
if data.added {
let join = move |conn: &'_ _| CommunityModerator::join(conn, &community_moderator_form);
if blocking(pool, join).await?.is_err() {
diff --git a/server/src/api/post.rs b/server/src/api/post.rs
index 6710a2cd..b9518f0e 100644
--- a/server/src/api/post.rs
+++ b/server/src/api/post.rs
@@ -540,28 +540,36 @@ impl Perform for Oper<EditPost> {
let user_id = claims.id;
+ let edit_id = data.edit_id;
+ let read_post = blocking(pool, move |conn| Post::read(conn, edit_id)).await??;
+
// Verify its the creator or a mod or admin
- let community_id = data.community_id;
- let mut editors: Vec<i32> = vec![data.creator_id];
- editors.append(
+ let community_id = read_post.community_id;
+ let mut editors: Vec<i32> = vec![read_post.creator_id];
+ let mut moderators: Vec<i32> = vec![];
+
+ moderators.append(
&mut blocking(pool, move |conn| {
CommunityModeratorView::for_community(conn, community_id)
.map(|v| v.into_iter().map(|m| m.user_id).collect())
})
.await??,
);
- editors.append(
+ moderators.append(
&mut blocking(pool, move |conn| {
UserView::admins(conn).map(|v| v.into_iter().map(|a| a.id).collect())
})
.await??,
);
+
+ editors.extend(&moderators);
+
if !editors.contains(&user_id) {
return Err(APIError::err("no_post_edit_allowed").into());
}
// Check for a community ban
- let community_id = data.community_id;
+ let community_id = read_post.community_id;
let is_banned =
move |conn: &'_ _| CommunityUserBanView::get(conn, user_id, community_id).is_ok();
if blocking(pool, is_banned).await? {
@@ -578,28 +586,51 @@ impl Perform for Oper<EditPost> {
let (iframely_title, iframely_description, iframely_html, pictrs_thumbnail) =
fetch_iframely_and_pictrs_data(&self.client, data.url.to_owned()).await;
- let edit_id = data.edit_id;
- let read_post = blocking(pool, move |conn| Post::read(conn, edit_id)).await??;
-
- let post_form = PostForm {
- name: data.name.trim().to_owned(),
- url: data.url.to_owned(),
- body: data.body.to_owned(),
- creator_id: data.creator_id.to_owned(),
- community_id: data.community_id,
- removed: data.removed.to_owned(),
- deleted: data.deleted.to_owned(),
- nsfw: data.nsfw,
- locked: data.locked.to_owned(),
- stickied: data.stickied.to_owned(),
- updated: Some(naive_now()),
- embed_title: iframely_title,
- embed_description: iframely_description,
- embed_html: iframely_html,
- thumbnail_url: pictrs_thumbnail,
- ap_id: read_post.ap_id,
- local: read_post.local,
- published: None,
+ let post_form = {
+ // only modify some properties if they are a moderator
+ if moderators.contains(&user_id) {
+ PostForm {
+ name: data.name.trim().to_owned(),
+ url: data.url.to_owned(),
+ body: data.body.to_owned(),
+ creator_id: read_post.creator_id.to_owned(),
+ community_id: read_post.community_id,
+ removed: data.removed.to_owned(),
+ deleted: data.deleted.to_owned(),
+ nsfw: data.nsfw,
+ locked: data.locked.to_owned(),
+ stickied: data.stickied.to_owned(),
+ updated: Some(naive_now()),
+ embed_title: iframely_title,
+ embed_description: iframely_description,
+ embed_html: iframely_html,
+ thumbnail_url: pictrs_thumbnail,
+ ap_id: read_post.ap_id,
+ local: read_post.local,
+ published: None,
+ }
+ } else {
+ PostForm {
+ name: read_post.name.trim().to_owned(),
+ url: data.url.to_owned(),
+ body: data.body.to_owned(),
+ creator_id: read_post.creator_id.to_owned(),
+ community_id: read_post.community_id,
+ removed: Some(read_post.removed),
+ deleted: data.deleted.to_owned(),
+ nsfw: data.nsfw,
+ locked: Some(read_post.locked),
+ stickied: Some(read_post.stickied),
+ updated: Some(naive_now()),
+ embed_title: iframely_title,
+ embed_description: iframely_description,
+ embed_html: iframely_html,
+ thumbnail_url: pictrs_thumbnail,
+ ap_id: read_post.ap_id,
+ local: read_post.local,
+ published: None,
+ }
+ }
};
let edit_id = data.edit_id;
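Review bot: In the non-moderator branch `name: read_post.name.trim().to_owned()` discards the title sent in the request, so a post's author who is not a moderator can change `url` and `body` but has a title edit silently dropped. `removed`, `locked` and `stickied` are the moderator-only fields here; the title line should stay `name: data.name.trim().to_owned(),` in both branches. The two struct literals otherwise differ in just those three fields, so computing them first (with `is_mod` bound to `moderators.contains(&user_id)`, `let removed = if is_mod { data.removed } else { Some(read_post.removed) };` and likewise for the other two) and building one `PostForm` would keep the branches from drifting again.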
@@ -617,33 +648,35 @@ impl Perform for Oper<EditPost> {
}
};
- // Mod tables
- if let Some(removed) = data.removed.to_owned() {
- let form = ModRemovePostForm {
- mod_user_id: user_id,
- post_id: data.edit_id,
- removed: Some(removed),
- reason: data.reason.to_owned(),
- };
- blocking(pool, move |conn| ModRemovePost::create(conn, &form)).await??;
- }
+ if moderators.contains(&user_id) {
+ // Mod tables
+ if let Some(removed) = data.removed.to_owned() {
+ let form = ModRemovePostForm {
+ mod_user_id: user_id,
+ post_id: data.edit_id,
+ removed: Some(removed),
+ reason: data.reason.to_owned(),
+ };
+ blocking(pool, move |conn| ModRemovePost::create(conn, &form)).await??;
+ }
- if let Some(locked) = data.locked.to_owned() {
- let form = ModLockPostForm {
- mod_user_id: user_id,
- post_id: data.edit_id,
- locked: Some(locked),
- };
- blocking(pool, move |conn| ModLockPost::create(conn, &form)).await??;
- }
+ if let Some(locked) = data.locked.to_owned() {
+ let form = ModLockPostForm {
+ mod_user_id: user_id,
+ post_id: data.edit_id,
+ locked: Some(locked),
+ };
+ blocking(pool, move |conn| ModLockPost::create(conn, &form)).await??;
+ }
- if let Some(stickied) = data.stickied.to_owned() {
- let form = ModStickyPostForm {
- mod_user_id: user_id,
- post_id: data.edit_id,
- stickied: Some(stickied),
- };
- blocking(pool, move |conn| ModStickyPost::create(conn, &form)).await??;
+ if let Some(stickied) = data.stickied.to_owned() {
+ let form = ModStickyPostForm {
+ mod_user_id: user_id,
+ post_id: data.edit_id,
+ stickied: Some(stickied),
+ };
+ blocking(pool, move |conn| ModStickyPost::create(conn, &form)).await??;
+ }
}
if let Some(deleted) = data.deleted.to_owned() {
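Review bot: The mod-log rows inside the new `if moderators.contains(&user_id)` block are written whenever a field is present in the request, not when it changes, so a moderator edit that merely echoes `removed`, `locked` or `stickied` adds audit entries that record no actual action. `read_post` is now loaded before this point, so each guard can compare against the stored value, for example `if let Some(removed) = data.removed.filter(|r| *r != read_post.removed) {`. That assumes the request fields are `Option<bool>`, which the hunk suggests but does not show.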
@@ -655,12 +688,14 @@ impl Perform for Oper<EditPost> {
.await?;
}
} else if let Some(removed) = data.removed.to_owned() {
- if removed {
- updated_post.send_remove(&user, &self.client, pool).await?;
- } else {
- updated_post
- .send_undo_remove(&user, &self.client, pool)
- .await?;
+ if moderators.contains(&user_id) {
+ if removed {
+ updated_post.send_remove(&user, &self.client, pool).await?;
+ } else {
+ updated_post
+ .send_undo_remove(&user, &self.client, pool)
+ .await?;
+ }
}
} else {
updated_post.send_update(&user, &self.client, pool).await?;
diff --git a/server/src/api/user.rs b/server/src/api/user.rs
index 9f33843f..ddcf2ef2 100644
--- a/server/src/api/user.rs
+++ b/server/src/api/user.rs
@@ -880,6 +880,9 @@ impl Perform for Oper<EditUserMention> {
};
let user_id = claims.id;
+ if user_id != data.user_mention_id {
+ return Err(APIError::err("couldnt_update_comment").into());
+ }
let user_mention_id = data.user_mention_id;
let user_mention =
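Review bot: The added guard `if user_id != data.user_mention_id` compares the caller's user id with what the following context lines treat as the id of the mention row to load, and those are different id spaces. As written the request is rejected unless the two numbers happen to coincide, and when they do the mention may still belong to someone else. The check belongs after the mention has been loaded (that statement continues outside the hunk) and should compare `user_id` with the mention's recipient field, `recipient_id` in Lemmy's `UserMention` model, to be confirmed against this revision. The error key `couldnt_update_comment` is also misleading for a mention.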
@@ -1310,23 +1313,35 @@ impl Perform for Oper<EditPrivateMessage> {
let content_slurs_removed = match &data.content {
Some(content) => remove_slurs(content),
- None => orig_private_message.content,
+ None => orig_private_message.content.clone(),
};
- let private_message_form = PrivateMessageForm {
- content: content_slurs_removed,
- creator_id: orig_private_message.creator_id,
- recipient_id: orig_private_message.recipient_id,
- deleted: data.deleted.to_owned(),
- read: data.read.to_owned(),
- updated: if data.read.is_some() {
- orig_private_message.updated
+ let private_message_form = {
+ if data.read.is_some() {
+ PrivateMessageForm {
+ content: orig_private_message.content.to_owned(),
+ creator_id: orig_private_message.creator_id,
+ recipient_id: orig_private_message.recipient_id,
+ read: data.read.to_owned(),
+ updated: orig_private_message.updated,
+ deleted: Some(orig_private_message.deleted),
+ ap_id: orig_private_message.ap_id,
+ local: orig_private_message.local,
+ published: None,
+ }
} else {
- Some(naive_now())
- },
- ap_id: orig_private_message.ap_id,
- local: orig_private_message.local,
- published: None,
+ PrivateMessageForm {
+ content: content_slurs_removed,
+ creator_id: orig_private_message.creator_id,
+ recipient_id: orig_private_message.recipient_id,
+ deleted: data.deleted.to_owned(),
+ read: Some(orig_private_message.read),
+ updated: Some(naive_now()),
+ ap_id: orig_private_message.ap_id,
+ local: orig_private_message.local,
+ published: None,
+ }
+ }
};
let edit_id = data.edit_id;
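Review bot: Nothing in this hunk ties the two branches to the caller: the `data.read.is_some()` branch should be reachable only by the message's recipient and the edit branch only by its creator, in the way the comment.rs hunk of this commit restricts mark-as-read. If no such check exists elsewhere in the function (it starts outside the hunk), add one before the form is built, for example `if data.read.is_some() && user_id != orig_private_message.recipient_id { return Err(APIError::err("couldnt_update_private_message").into()); }`. `content_slurs_removed` is also still computed, now with an extra `.clone()`, on the read path where it is never used.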
@@ -1339,14 +1354,20 @@ impl Perform for Oper<EditPrivateMessage> {
Err(_e) => return Err(APIError::err("couldnt_update_private_message").into()),
};
- if let Some(deleted) = data.deleted.to_owned() {
- if deleted {
- updated_private_message
- .send_delete(&user, &self.client, pool)
- .await?;
+ if data.read.is_none() {
+ if let Some(deleted) = data.deleted.to_owned() {
+ if deleted {
+ updated_private_message
+ .send_delete(&user, &self.client, pool)
+ .await?;
+ } else {
+ updated_private_message
+ .send_undo_delete(&user, &self.client, pool)
+ .await?;
+ }
} else {
updated_private_message
- .send_undo_delete(&user, &self.client, pool)
+ .send_update(&user, &self.client, pool)
.await?;
}
} else {