From cb535cffea96e2656d57aaf565f4609c07cd3d6d Mon Sep 17 00:00:00 2001 From: Untone Date: Wed, 6 Mar 2024 10:44:08 +0300 Subject: [PATCH] forbidden-fix --- resolvers/editor.py | 96 +++++++++++++++++++++------------------------ 1 file changed, 44 insertions(+), 52 deletions(-) diff --git a/resolvers/editor.py b/resolvers/editor.py index 2e3b3cf0..770ef8fc 100644 --- a/resolvers/editor.py +++ b/resolvers/editor.py @@ -33,13 +33,12 @@ async def get_my_shout(_, info, shout_id: int): user_id = info.context.get('user_id', '') roles = info.context.get('roles', []) if not user_id: - error = 'user is not logged in' - elif shout.created_by != author.id: - error = 'author cannot edit this post' - elif 'editor' not in roles: - error = 'user has no editor role' - elif not any([x.id == author.id for x in shout.authors]): - error = 'author have no permissions to read this not published shout' + error = 'unauthorized' + else: + if 'editor' in roles or filter(lambda x: x.id == author.id, [x for x in shout.authors]): + return {"error": error, "shout": shout} + else: + error = 'forbidden' return {"error": error, "shout": shout} @@ -232,40 +231,37 @@ async def update_shout(_, info, shout_id: int, shout_input=None, publish=False): ) shout_input['slug'] = slug - if ( - shout_by_id.created_by != author.id - and not filter(lambda x: x == author.id, shout_by_id.authors) - and 'editor' not in roles - ): - return {'error': 'access denied'} + if filter(lambda x: x.id == author.id, [x for x in shout_by_id.authors]) or 'editor' in roles: + # topics patch + topics_input = shout_input.get('topics') + if topics_input: + patch_topics(session, shout_by_id, topics_input) + del shout_input['topics'] - # topics patch - topics_input = shout_input.get('topics') - if topics_input: - patch_topics(session, shout_by_id, topics_input) - del shout_input['topics'] + # main topic + main_topic = shout_input.get('main_topic') + if main_topic: + patch_main_topic(session, main_topic, shout_by_id) - # main topic - main_topic = shout_input.get('main_topic') - if main_topic: - patch_main_topic(session, main_topic, shout_by_id) + shout_input['updated_at'] = current_time + shout_input['published_at'] = current_time if publish else None + Shout.update(shout_by_id, shout_input) + session.add(shout_by_id) + session.commit() - shout_input['updated_at'] = current_time - shout_input['published_at'] = current_time if publish else None - Shout.update(shout_by_id, shout_input) - session.add(shout_by_id) - session.commit() + shout_dict = shout_by_id.dict() - shout_dict = shout_by_id.dict() + if not publish: + await notify_shout(shout_dict, 'update') + else: + await notify_shout(shout_dict, 'published') + # search service indexing + search_service.index(shout_by_id) - if not publish: - await notify_shout(shout_dict, 'update') + return {'shout': shout_dict, 'error': None} else: - await notify_shout(shout_dict, 'published') - # search service indexing - search_service.index(shout_by_id) + return {'error': 'access denied', 'shout': None} - return {'shout': shout_dict} except Exception as exc: logger.error(exc) logger.error(f' cannot update with data: {shout_input}') @@ -275,7 +271,7 @@ async def update_shout(_, info, shout_id: int, shout_input=None, publish=False): @mutation.field('delete_shout') @login_required -async def delete_shout(_, info, shout_id): +async def delete_shout(_, info, shout_id: int): user_id = info.context.get('user_id') roles = info.context.get('roles') if user_id: @@ -285,25 +281,21 @@ async def delete_shout(_, info, shout_id): if not shout: return {'error': 'invalid shout id'} if author and shout: - if ( - shout.created_by is not author.id - and author.id not in shout.authors - and 'editor' not in roles - ): + # NOTE: only owner and editor can mark the shout as deleted + if shout.created_by == author.id or 'editor' in roles: + for author_id in shout.authors: + reactions_unfollow(author_id, shout_id) + + shout_dict = shout.dict() + shout_dict['deleted_at'] = int(time.time()) + Shout.update(shout, shout_dict) + session.add(shout) + session.commit() + await notify_shout(shout_dict, 'delete') + return {'error': None} + else: return {'error': 'access denied'} - for author_id in shout.authors: - reactions_unfollow(author_id, shout_id) - - shout_dict = shout.dict() - shout_dict['deleted_at'] = int(time.time()) - Shout.update(shout, shout_dict) - session.add(shout) - session.commit() - await notify_shout(shout_dict, 'delete') - - return {} - def handle_proposing(session, r, shout): if is_positive(r.kind):