1
0
mirror of https://gitlab.com/comunic/comunicapiv2 synced 2024-12-28 14:38:52 +00:00

Check user authorization to create posts

This commit is contained in:
Pierre HUBERT 2020-01-04 15:07:24 +01:00
parent ddaa3a5a06
commit ac601877bb
3 changed files with 69 additions and 2 deletions

View File

@ -1,7 +1,7 @@
import { RequestHandler } from "../entities/RequestHandler";
import { UserHelper } from "../helpers/UserHelper";
import { PostsHelper } from "../helpers/PostsHelper";
import { Post, PostVisibilityLevel, PostKind, PostAccessLevel } from "../entities/Post";
import { Post, PostVisibilityLevel, PostKind, PostAccessLevel, PostPageKind } from "../entities/Post";
import { MoviesController } from "./MoviesController";
import { MoviesHelper } from "../helpers/MoviesHelper";
import { SurveyHelper } from "../helpers/SurveyHelper";
@ -10,6 +10,7 @@ import { LikesHelper, LikesType } from "../helpers/LikesHelper";
import { CommentsHelper } from "../helpers/CommentsHelper";
import { CommentsController } from "./CommentsController";
import { GroupsAccessLevel } from "../entities/Group";
import { GroupsHelper } from "../helpers/GroupsHelper";
/**
* Posts controller
@ -91,6 +92,47 @@ export class PostsController {
h.send(await this.PostToAPI(h, post));
}
/**
* Create a new post
*
* @param h Request handler
*/
public static async CreatePost(h: RequestHandler) {
// Determine the target for the new post
let kindPage: PostPageKind;
let pageID: number;
switch(h.postString("kind-page")) {
// If the post is targetting a user
case "user":
kindPage = PostPageKind.PAGE_KIND_USER;
pageID = await h.postUserId("kind-id");
if(!await UserHelper.CanCreatePosts(h.getUserId(), pageID))
h.error(401, "You are not allowed to create posts on this page!");
break;
// For groups
case "group":
kindPage = PostPageKind.PAGE_KIND_GROUP;
pageID = await h.postGroupIDWithAccess("kind-id", GroupsAccessLevel.MEMBER_ACCESS);
// Check if the user can create posts on this group
if(!await GroupsHelper.CanUserCreatePosts(pageID, h.getUserId()))
h.error(401, "You are not allowed to create posts on this group!");
break;
default:
h.error(500, "Unsupported kind of page!");
}
h.success("Go on.");
}
/**
* Send multiple posts to the API

View File

@ -192,6 +192,8 @@ export const Routes : Route[] = [
{path: "/posts/get_single", cb: (h) => PostsController.GetSingle(h), needLogin: false},
{path: "/posts/create", cb: (h) => PostsController.CreatePost(h)},
// Notifications controller

View File

@ -1,5 +1,5 @@
import { DatabaseHelper } from "./DatabaseHelper";
import { GroupsAccessLevel, GroupVisibilityLevel, GroupInfo } from "../entities/Group";
import { GroupsAccessLevel, GroupVisibilityLevel, GroupInfo, GroupPostsCreationLevel } from "../entities/Group";
import { GroupMembershipLevels, GroupMember } from "../entities/GroupMember";
import { NewGroup } from "../entities/NewGroup";
import { time } from "../utils/DateUtils";
@ -480,6 +480,29 @@ export class GroupsHelper {
return groupID;
}
/**
* Check out whether a user can create posts on a group or not
*
* @param groupID Target group ID
* @param userID Target user ID
*/
public static async CanUserCreatePosts(groupID: number, userID: number) : Promise<boolean> {
const membershipLevel = await this.GetMembershipLevel(groupID, userID);
// Moderators + administrators => can always create posts
if(membershipLevel == GroupMembershipLevels.MODERATOR ||
membershipLevel == GroupMembershipLevels.ADMINISTRATOR)
return true;
// Simple members => check authorization
if(membershipLevel == GroupMembershipLevels.MEMBER) {
return (await this.GetInfo(groupID)).postsCreationLevel
== GroupPostsCreationLevel.POSTS_LEVEL_ALL_MEMBERS;
}
return false;
}
/**
* Turn a database row into a {GroupInfo} object
*