From b3ee9aec10345c41856661cf9164a3e56bb7bc54 Mon Sep 17 00:00:00 2001
From: Armored Dragon
Date: Wed, 1 May 2024 11:21:11 -0500
Subject: [PATCH] Permission check for author editing. Fixed manifest.json.

Signed-off-by: Armored Dragon
---
 backend/core/core.js                        | 9 ++++++---
 backend/permissions.js                      | 6 +++++-
 frontend/views/themes/default/manifest.json | 1 +
 3 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/backend/core/core.js b/backend/core/core.js
index f017e5b..0c66da4 100644
--- a/backend/core/core.js
+++ b/backend/core/core.js
@@ -98,6 +98,7 @@ async function getUser({ user_id, username, include_password = false }) {
   return { success: true, data: user };
 }
 
+// TODO: Rename patchUser
 async function editUser({ requester_id, user_id, user_content }) {
   let user = await getUser({ user_id: user_id });
   if (!user.success) return _r(false, "User not found");
@@ -229,6 +230,7 @@ async function getPost({ requester_id, post_id, visibility = "PUBLISHED" } = {},
     return pageList.slice(0, 5);
   }
 }
+// TODO: Rename patchPost
 async function editPost({ requester_id, post_id, post_content }) {
   let user = await getUser({ user_id: requester_id });
   let post = await getPost({ post_id: post_id });
@@ -324,18 +326,19 @@ async function getBiography({ requester_id, author_id }) {
   return { success: true, data: post };
 }
 
+// TODO: Rename to patchBiography
 async function updateBiography({ requester_id, author_id, biography_content }) {
   let user = await getUser({ user_id: requester_id });
   let biography = await getBiography({ author_id: author_id });
 
   if (!user.success) return _r(false, user.message || "Author not found");
   user = user.data;
 
-  if (!biography.success) return _r(false, biography.message || "Post not found");
   biography = biography.data;
 
-  let can_update = biography.owner.id === user.id || user.role === "ADMIN";
-  if (!can_update) return _r(false, "User not permitted");
+  // Permission check
+  const can_act = permissions.patchBiography(biography_content, user);
+  if (!can_act.success) return _r(false, "User not permitted");
 
   let formatted = {
     content: biography_content.content,
diff --git a/backend/permissions.js b/backend/permissions.js
index 56b8d05..cbb57f8 100644
--- a/backend/permissions.js
+++ b/backend/permissions.js
@@ -15,8 +15,12 @@ function patchPost(post_content, user) {
   // User is not permitted
   return _r(false, "User is not permitted to preform action.");
 }
+function patchBiography(biography, user) {
+  // Biographies are just fancy posts right now.
+  return patchPost(biography, user);
+}
 function _r(s, m, d) {
   return { success: s, message: m ? m || "Unknown error" : undefined, data: d };
 }
 
-module.exports = { patchPost };
+module.exports = { patchPost, patchBiography };
diff --git a/frontend/views/themes/default/manifest.json b/frontend/views/themes/default/manifest.json
index 0d22884..6dab71f 100644
--- a/frontend/views/themes/default/manifest.json
+++ b/frontend/views/themes/default/manifest.json
@@ -7,6 +7,7 @@
     "login": "/ejs/login.ejs",
     "register": "/ejs/register.ejs",
     "author": "/ejs/author.ejs",
+    "authorEdit": "/ejs/authorEdit.ejs",
     "post": "/ejs/post.ejs",
     "postSearch": "/ejs/postSearch.ejs",
     "postNew": "/ejs/postNew.ejs",
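Review bot: The new check `permissions.patchBiography(biography_content, user)` authorizes against the client-supplied `biography_content` instead of the stored record, whereas the removed check compared `biography.owner.id === user.id` on the persisted `biography`; if patchPost decides ownership from fields of its first argument (its body is outside this hunk, but its parameter is named `post_content`), a requester can send a payload claiming any owner and edit another author's biography. The hunk also drops the `biography.success` guard, so a failed getBiography leaves `biography` undefined for the rest of the function, and the fetched record is now loaded but never consulted. I would restore the guard and pass the persisted record: `if (!biography.success) return _r(false, biography.message || "Biography not found");` followed by `const can_act = permissions.patchBiography(biography, user);`. updateBiography continues past the end of the hunk.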
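Review bot: patchBiography's contract is undocumented, and since it forwards its first argument unchanged to patchPost (whose body begins before this hunk), each caller silently decides whether authorization runs against the stored record or a client-supplied payload; the core.js hunk in this same commit passes the request body. I would add a short JSDoc header above the function stating what it does and what each argument must be, with the key line `@param {object} biography - persisted record from getBiography, never the request payload`, plus `@param {object} user` and a `@returns {{success: boolean, message?: string}}` matching the `_r` shape. The "preform" typo in the context line above is pre-existing but worth fixing while touching this file.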