ArmoredDragon
/
yet-another-blog
mirror of https://github.com/Armored-Dragon/yet-another-blog
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Post updating permission check. 

Moved validation action from internal_api to core.
Updated form validation to delete unneeded data.

Signed-off-by: Armored Dragon <publicmail@armoreddragon.com>
pull/3/head
Armored Dragon 2024-05-01 10:53:03 -05:00
parent 59c3f4a333
commit e76bb6c493
Signed by: ArmoredDragon
GPG Key ID: C7207ACC3382AD8B
4 changed files with 37 additions and 31 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

27
backend/core/core.js
View File

@ -6,6 +6,7 @@ const { getSignedUrl } = require("@aws-sdk/s3-request-presigner");
let s3; let s3;
const crypto = require("crypto"); const crypto = require("crypto");
const validate = require("../form_validation"); const validate = require("../form_validation");
const permissions = require("../permissions");
const md = require("markdown-it")() const md = require("markdown-it")()
.use(require("markdown-it-underline")) .use(require("markdown-it-underline"))
.use(require("markdown-it-footnote")) .use(require("markdown-it-footnote"))
@ -231,24 +232,20 @@ async function getPost({ requester_id, post_id, visibility = "PUBLISHED" } = {},
async function editPost({ requester_id, post_id, post_content }) { async function editPost({ requester_id, post_id, post_content }) {
let user = await getUser({ user_id: requester_id }); let user = await getUser({ user_id: requester_id });
let post = await getPost({ post_id: post_id }); let post = await getPost({ post_id: post_id });
let publish_date = null;
if (!user.success) return _r(false, post.message || "User not found"); if (!user.success) return _r(false, post.message || "User not found");
user = user.data; user = user.data;
if (!post.success) return _r(false, post.message || "Post not found"); if (!post.success) return _r(false, post.message || "Post not found");
post = post.data; post = post.data;
// Check to see if the requester can update the post // Check if the user can preform the action
// TODO: Permissions const can_act = permissions.patchPost(post, user);
let can_update = post.owner.id === user.id || user.role === "ADMIN"; if (!can_act.success) return _r(false, can_act.message);
// FIXME: Unsure if this actually works // Validate the post content
// Check if we already have a formatted publish date let validated_post = validate.patchPost(post_content);
if (typeof post.publish_date !== "object") { if (!validated_post.success) return _r(false, can_act.message);
const [year, month, day] = post.date.split("-"); validated_post = validated_post.data;
const [hour, minute] = post.time.split(":");
publish_date = new Date(year, month - 1, day, hour, minute);
}
// Handle tags ---- // Handle tags ----
let database_tag_list = []; let database_tag_list = [];
@ -266,12 +263,10 @@ async function editPost({ requester_id, post_id, post_content }) {
// Rebuild the post to save // Rebuild the post to save
let post_formatted = { let post_formatted = {
title: post_content.title, ...validated_post,
description: post_content.description, // Handle tag changes
content: post_content.content,
visibility: post_content.visibility || "PRIVATE",
publish_date: publish_date || post_content.publish_date,
tags: { disconnect: [...existing_tags], connect: [...database_tag_list] }, tags: { disconnect: [...existing_tags], connect: [...database_tag_list] },
// Handle media changes
media: [...post.raw_media, ...post_content.media], media: [...post.raw_media, ...post_content.media],
}; };

13
backend/core/internal_api.js
View File

@ -57,18 +57,7 @@ async function deleteBlog(req, res) {
return res.json(await core.deletePost({ post_id: req.body.id, requester_id: req.session.user.id })); return res.json(await core.deletePost({ post_id: req.body.id, requester_id: req.session.user.id }));
} }
async function patchBlog(req, res) { async function patchBlog(req, res) {
// FIXME: validate does not return post id return res.json(await core.editPost({ requester_id: req.session.user.id, post_id: req.body.id, post_content: req.body }));
// Can user change post?
// User is admin, or user is author
// Validate blog info
let valid = await validate.patchPost(req.body);
if (!valid.success) return { success: false, message: valid.message || "Post failed validation" };
valid = valid.data;
// TODO: Permissions for updating blog
return res.json(await core.editPost({ requester_id: req.session.user.id, post_id: req.body.id, post_content: valid }));
} }
async function patchBiography(request, response) { async function patchBiography(request, response) {
// TODO: Validate // TODO: Validate

5
backend/form_validation.js
View File

@ -41,6 +41,9 @@ function patchPost(post_content) {
if (tag.length !== 0) tags.push(tag); if (tag.length !== 0) tags.push(tag);
}); });
delete post_content.date;
delete post_content.time;
// Format the post content // Format the post content
post_formatted = { post_formatted = {
// Autofill the given data // Autofill the given data
@ -62,7 +65,7 @@ function _isUrlSafe(str) {
return pattern.test(str); return pattern.test(str);
} }
function _r(s, m, d) { function _r(s, m, d) {
return { success: s, m: m ? m || "Unknown error" : undefined, data: d }; return { success: s, message: m ? m || "Unknown error" : undefined, data: d };
} }
module.exports = { newUser, patchPost }; module.exports = { newUser, patchPost };

23
backend/permissions.js
View File

@ -1,3 +1,22 @@
function postBlog(user) {} //
// Permissions
//
// Check if a given user has permissions to preform an action
//
module.exports = { postBlog }; // Updating a blog post
function patchPost(post_content, user) {
// Admins can always update any post
if (user.role === "ADMIN") return _r(true);
// User owns the post
if (post_content.owner.id === user.id) return _r(true);
// User is not permitted
return _r(false, "User is not permitted to preform action.");
}
function _r(s, m, d) {
return { success: s, message: m ? m || "Unknown error" : undefined, data: d };
}
module.exports = { patchPost };