Check user authorization to create posts

src/controllers/PostsController.ts

@@ -1,7 +1,7 @@
 import { RequestHandler } from "../entities/RequestHandler";
 import { UserHelper } from "../helpers/UserHelper";
 import { PostsHelper } from "../helpers/PostsHelper";
-import { Post, PostVisibilityLevel, PostKind, PostAccessLevel } from "../entities/Post";
+import { Post, PostVisibilityLevel, PostKind, PostAccessLevel, PostPageKind } from "../entities/Post";
 import { MoviesController } from "./MoviesController";
 import { MoviesHelper } from "../helpers/MoviesHelper";
 import { SurveyHelper } from "../helpers/SurveyHelper";
@@ -10,6 +10,7 @@ import { LikesHelper, LikesType } from "../helpers/LikesHelper";
 import { CommentsHelper } from "../helpers/CommentsHelper";
 import { CommentsController } from "./CommentsController";
 import { GroupsAccessLevel } from "../entities/Group";
+import { GroupsHelper } from "../helpers/GroupsHelper";
 
 /**
  * Posts controller
@@ -91,6 +92,47 @@ export class PostsController {
 		h.send(await this.PostToAPI(h, post));
 	}
 
+	/**
+	 * Create a new post
+	 * 
+	 * @param h Request handler
+	 */
+	public static async CreatePost(h: RequestHandler) {
+
+		// Determine the target for the new post
+		let kindPage: PostPageKind;
+		let pageID: number;
+		switch(h.postString("kind-page")) {
+
+			// If the post is targetting a user
+			case "user":
+				kindPage = PostPageKind.PAGE_KIND_USER;
+				pageID = await h.postUserId("kind-id");
+
+				if(!await UserHelper.CanCreatePosts(h.getUserId(), pageID))
+					h.error(401, "You are not allowed to create posts on this page!");
+				
+				break;
+			
+			// For groups
+			case "group":
+				kindPage = PostPageKind.PAGE_KIND_GROUP;
+				pageID = await h.postGroupIDWithAccess("kind-id", GroupsAccessLevel.MEMBER_ACCESS);
+
+				// Check if the user can create posts on this group
+				if(!await GroupsHelper.CanUserCreatePosts(pageID, h.getUserId()))
+					h.error(401, "You are not allowed to create posts on this group!");
+				
+				break;
+			
+			default:
+				h.error(500, "Unsupported kind of page!");
+
+		}
+
+		h.success("Go on.");
+	}
+
 
 	/**
 	 * Send multiple posts to the API

src/controllers/Routes.ts

@@ -192,6 +192,8 @@ export const Routes : Route[] = [
 
 	{path: "/posts/get_single", cb: (h) => PostsController.GetSingle(h), needLogin: false},
 
+	{path: "/posts/create", cb: (h) => PostsController.CreatePost(h)},
+
 
 
 	// Notifications controller

src/helpers/GroupsHelper.ts

@@ -1,5 +1,5 @@
 import { DatabaseHelper } from "./DatabaseHelper";
-import { GroupsAccessLevel, GroupVisibilityLevel, GroupInfo } from "../entities/Group";
+import { GroupsAccessLevel, GroupVisibilityLevel, GroupInfo, GroupPostsCreationLevel } from "../entities/Group";
 import { GroupMembershipLevels, GroupMember } from "../entities/GroupMember";
 import { NewGroup } from "../entities/NewGroup";
 import { time } from "../utils/DateUtils";
@@ -480,6 +480,29 @@ export class GroupsHelper {
 		return groupID;
 	}
 
+	/**
+	 * Check out whether a user can create posts on a group or not
+	 * 
+	 * @param groupID Target group ID
+	 * @param userID Target user ID
+	 */
+	public static async CanUserCreatePosts(groupID: number, userID: number) : Promise<boolean> {
+		const membershipLevel = await this.GetMembershipLevel(groupID, userID);
+
+		// Moderators + administrators => can always create posts
+		if(membershipLevel == GroupMembershipLevels.MODERATOR ||
+			membershipLevel == GroupMembershipLevels.ADMINISTRATOR)
+			return true;
+		
+		// Simple members => check authorization
+		if(membershipLevel == GroupMembershipLevels.MEMBER) {
+			return (await this.GetInfo(groupID)).postsCreationLevel
+				== GroupPostsCreationLevel.POSTS_LEVEL_ALL_MEMBERS;
+		}
+
+		return false;
+	}
+
 	/**
 	 * Turn a database row into a {GroupInfo} object
 	 *