From e76bb6c493a8662ef490773ccefc8bc894783e5a Mon Sep 17 00:00:00 2001 From: Armored Dragon Date: Wed, 1 May 2024 10:53:03 -0500 Subject: [PATCH] Post updating permission check. Moved validation action from internal_api to core. Updated form validation to delete unneeded data. Signed-off-by: Armored Dragon --- backend/core/core.js | 27 +++++++++++---------------- backend/core/internal_api.js | 13 +------------ backend/form_validation.js | 5 ++++- backend/permissions.js | 23 +++++++++++++++++++++-- 4 files changed, 37 insertions(+), 31 deletions(-) diff --git a/backend/core/core.js b/backend/core/core.js index fe39f0c..f017e5b 100644 --- a/backend/core/core.js +++ b/backend/core/core.js @@ -6,6 +6,7 @@ const { getSignedUrl } = require("@aws-sdk/s3-request-presigner"); let s3; const crypto = require("crypto"); const validate = require("../form_validation"); +const permissions = require("../permissions"); const md = require("markdown-it")() .use(require("markdown-it-underline")) .use(require("markdown-it-footnote")) 
@@ -231,24 +232,20 @@ async function getPost({ requester_id, post_id, visibility = "PUBLISHED" } = {}, async function editPost({ requester_id, post_id, post_content }) { let user = await getUser({ user_id: requester_id }); let post = await getPost({ post_id: post_id }); - let publish_date = null; if (!user.success) return _r(false, post.message || "User not found"); user = user.data; if (!post.success) return _r(false, post.message || "Post not found"); post = post.data; - // Check to see if the requester can update the post - // TODO: Permissions - let can_update = post.owner.id === user.id || user.role === "ADMIN"; + // Check if the user can preform the action + const can_act = permissions.patchPost(post, user); + if (!can_act.success) return _r(false, can_act.message); - // FIXME: Unsure if this actually works - // Check if we already have a formatted publish date - if (typeof post.publish_date !== "object") { - const [year, month, day] = post.date.split("-"); - const [hour, minute] = post.time.split(":"); - publish_date = new Date(year, month - 1, day, hour, minute); - } + // Validate the post content + let validated_post = validate.patchPost(post_content); + if (!validated_post.success) return _r(false, can_act.message); + validated_post = validated_post.data; // Handle tags ---- let database_tag_list = []; @@ -266,12 +263,10 @@ async function editPost({ requester_id, post_id, post_content }) { // Rebuild the post to save let post_formatted = { - title: post_content.title, - description: post_content.description, - content: post_content.content, - visibility: post_content.visibility || "PRIVATE", - publish_date: publish_date || post_content.publish_date, + ...validated_post, + // Handle tag changes tags: { disconnect: [...existing_tags], connect: [...database_tag_list] }, + // Handle media changes media: [...post.raw_media, ...post_content.media], }; diff --git a/backend/core/internal_api.js b/backend/core/internal_api.js index 91ecfd3..51ee1f2 100644 
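Review bot: The validation-failure branch in editPost returns the wrong object's message: `if (!validated_post.success) return _r(false, can_act.message);` runs only after `can_act` has succeeded, so the caller gets a failure with an undefined message and no hint of what was rejected. It should read `if (!validated_post.success) return _r(false, validated_post.message || "Post failed validation");`. The unchanged user-lookup line above has the same slip, reporting `post.message` when `user.success` is false. editPost continues past the end of this hunk.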
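Review bot: `media: [...post.raw_media, ...post_content.media]` still reads from `post_content`, which after this commit is the unvalidated request body forwarded by patchBlog rather than the validator's output. A request without a `media` array makes the spread throw, and a value of another type is written without any check. Prefer the validated object, e.g. `media: [...post.raw_media, ...(Array.isArray(validated_post.media) ? validated_post.media : [])]`, assuming validate.patchPost returns `media`; if it does not, check the field here. The tag handling between the two core.js hunks is not visible and may read `post_content` in the same way.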
--- a/backend/core/internal_api.js +++ b/backend/core/internal_api.js @@ -57,18 +57,7 @@ async function deleteBlog(req, res) { return res.json(await core.deletePost({ post_id: req.body.id, requester_id: req.session.user.id })); } async function patchBlog(req, res) { - // FIXME: validate does not return post id - // Can user change post? - // User is admin, or user is author - - // Validate blog info - let valid = await validate.patchPost(req.body); - - if (!valid.success) return { success: false, message: valid.message || "Post failed validation" }; - valid = valid.data; - - // TODO: Permissions for updating blog - return res.json(await core.editPost({ requester_id: req.session.user.id, post_id: req.body.id, post_content: valid })); + return res.json(await core.editPost({ requester_id: req.session.user.id, post_id: req.body.id, post_content: req.body })); } async function patchBiography(request, response) { // TODO: Validate diff --git a/backend/form_validation.js b/backend/form_validation.js index 1d2f771..686d628 100644 --- a/backend/form_validation.js +++ b/backend/form_validation.js @@ -41,6 +41,9 @@ function patchPost(post_content) { if (tag.length !== 0) tags.push(tag); }); + delete post_content.date; + delete post_content.time; + // Format the post content post_formatted = { // Autofill the given data @@ -62,7 +65,7 @@ function _isUrlSafe(str) { return pattern.test(str); } function _r(s, m, d) { - return { success: s, m: m ? m || "Unknown error" : undefined, data: d }; + return { success: s, message: m ? m || "Unknown error" : undefined, data: d }; } module.exports = { newUser, patchPost }; diff --git a/backend/permissions.js b/backend/permissions.js index b8117a0..56b8d05 100644 --- a/backend/permissions.js +++ b/backend/permissions.js 
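Review bot: patchBlog now forwards the raw `req.body` with nothing in the handler saying where it gets checked, so a reader cannot tell from this file that the call is safe. A one-line comment such as `// req.body is untrusted; core.editPost runs the owner/admin check and validate.patchPost` would record that contract for the next handler written from this one. `req.session.user.id` is also dereferenced without a guard; whether a login middleware guarantees a session on this route is not visible here.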
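Review bot: `delete post_content.date; delete post_content.time;` mutates the caller's object, which is now `req.body` itself, and removes fields by denylist. The `// Autofill the given data` step that follows is cut off by the hunk, but if it copies the remaining keys, any other field a client sends would pass through and reach the database write via `...validated_post` in core.editPost. Building the result from an explicit list of accepted keys (title, description, content, visibility, publish_date, tags) avoids both the mutation and the pass-through. patchPost starts and ends outside this hunk.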
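Review bot: In `_r`, the `|| "Unknown error"` fallback can never fire, because it sits in the branch where `m` is already truthy; a failure built without a message still yields `message: undefined`. If the fallback is meant for failures, write `message: s ? m : m || "Unknown error"`. The same helper is copied verbatim into backend/permissions.js in this commit and would be better shared from one module so the two cannot drift apart again.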
@@ -1,3 +1,22 @@ -function postBlog(user) {} +// +// Permissions +// +// Check if a given user has permissions to preform an action +// -module.exports = { postBlog }; +// Updating a blog post +function patchPost(post_content, user) { + // Admins can always update any post + if (user.role === "ADMIN") return _r(true); + + // User owns the post + if (post_content.owner.id === user.id) return _r(true); + + // User is not permitted + return _r(false, "User is not permitted to preform action."); +} + +function _r(s, m, d) { + return { success: s, message: m ? m || "Unknown error" : undefined, data: d }; +} +module.exports = { patchPost };
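Review bot: patchPost's first parameter is named `post_content`, but the ownership test is only sound when it receives the stored post loaded from the database; a caller that passes request data would let the client supply `owner.id`. Renaming it to `post` and saying so in the comment (`// post: the stored post record, never request input`) makes that contract explicit. `post_content.owner.id` also throws when the post has no owner or `user` is missing; a guard such as `if (!user || !post || !post.owner) return _r(false, "User is not permitted to preform action.");` fails closed instead. The commit also drops `postBlog` from `module.exports`; whether anything still imports it is not visible here.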