Permission check for author editing.

Fixed manifest.json. Signed-off-by: Armored Dragon <publicmail@armoreddragon.com>
2024-05-01 11:21:11 -05:00 · 2024-05-01 11:21:11 -05:00 · b3ee9aec10
parent e76bb6c493
commit b3ee9aec10
3 changed files with 12 additions and 4 deletions
--- a/backend/core/core.js
+++ b/backend/core/core.js
@ -98,6 +98,7 @@ async function getUser({ user_id, username, include_password = false }) {
  return { success: true, data: user };
 }
 // TODO: Rename patchUser
 async function editUser({ requester_id, user_id, user_content }) {
  let user = await getUser({ user_id: user_id });
  if (!user.success) return _r(false, "User not found");
@ -229,6 +230,7 @@ async function getPost({ requester_id, post_id, visibility = "PUBLISHED" } = {},
    return pageList.slice(0, 5);
  }
 }
 // TODO: Rename patchPost
 async function editPost({ requester_id, post_id, post_content }) {
  let user = await getUser({ user_id: requester_id });
  let post = await getPost({ post_id: post_id });
@ -324,18 +326,19 @@ async function getBiography({ requester_id, author_id }) {
  return { success: true, data: post };
 }
 // TODO: Rename to patchBiography
 async function updateBiography({ requester_id, author_id, biography_content }) {
  let user = await getUser({ user_id: requester_id });
  let biography = await getBiography({ author_id: author_id });
  if (!user.success) return _r(false, user.message || "Author not found");
  user = user.data;
  if (!biography.success) return _r(false, biography.message || "Post not found");
  biography = biography.data;
-  let can_update = biography.owner.id === user.id || user.role === "ADMIN";
+  // Permission check
-  if (!can_update) return _r(false, "User not permitted");
+  const can_act = permissions.patchBiography(biography_content, user);
  if (!can_act.success) return _r(false, "User not permitted");
  let formatted = {
    content: biography_content.content,
--- a/backend/permissions.js
+++ b/backend/permissions.js
@ -15,8 +15,12 @@ function patchPost(post_content, user) {
  // User is not permitted
  return _r(false, "User is not permitted to preform action.");
 }
 function patchBiography(biography, user) {
  // Biographies are just fancy posts right now.
  return patchPost(biography, user);
 }
 function _r(s, m, d) {
  return { success: s, message: m ? m || "Unknown error" : undefined, data: d };
 }
-module.exports = { patchPost };
+module.exports = { patchPost, patchBiography };
--- a/frontend/views/themes/default/manifest.json
+++ b/frontend/views/themes/default/manifest.json
@ -7,6 +7,7 @@
    "login": "/ejs/login.ejs",
    "register": "/ejs/register.ejs",
    "author": "/ejs/author.ejs",
    "authorEdit": "/ejs/authorEdit.ejs",
    "post": "/ejs/post.ejs",
    "postSearch": "/ejs/postSearch.ejs",
    "postNew": "/ejs/postNew.ejs",