From ac601877bb19ce310d0d5a9aea33b89c58b5f023 Mon Sep 17 00:00:00 2001
From: Pierre HUBERT
Date: Sat, 4 Jan 2020 15:07:24 +0100
Subject: [PATCH] Check user authorization to create posts
---
 src/controllers/PostsController.ts | 44 +++++++++++++++++++++++++++++-
 src/controllers/Routes.ts | 2 ++
 src/helpers/GroupsHelper.ts | 25 ++++++++++++++++-
 3 files changed, 69 insertions(+), 2 deletions(-)
diff --git a/src/controllers/PostsController.ts b/src/controllers/PostsController.ts
index 8d967ed..4d3dad0 100644
--- a/src/controllers/PostsController.ts
+++ b/src/controllers/PostsController.ts
@@ -1,7 +1,7 @@
 import { RequestHandler } from "../entities/RequestHandler";
 import { UserHelper } from "../helpers/UserHelper";
 import { PostsHelper } from "../helpers/PostsHelper";
-import { Post, PostVisibilityLevel, PostKind, PostAccessLevel } from "../entities/Post";
+import { Post, PostVisibilityLevel, PostKind, PostAccessLevel, PostPageKind } from "../entities/Post";
 import { MoviesController } from "./MoviesController";
 import { MoviesHelper } from "../helpers/MoviesHelper";
 import { SurveyHelper } from "../helpers/SurveyHelper";
@@ -10,6 +10,7 @@ import { LikesHelper, LikesType } from "../helpers/LikesHelper";
 import { CommentsHelper } from "../helpers/CommentsHelper";
 import { CommentsController } from "./CommentsController";
 import { GroupsAccessLevel } from "../entities/Group";
+import { GroupsHelper } from "../helpers/GroupsHelper";
 /**
  * Posts controller
@@ -91,6 +92,47 @@ export class PostsController {
 h.send(await this.PostToAPI(h, post));
 }
+ /**
+ * Create a new post
+ *
+ * @param h Request handler
+ */
+ public static async CreatePost(h: RequestHandler) {
+
+ // Determine the target for the new post
+ let kindPage: PostPageKind;
+ let pageID: number;
+ switch(h.postString("kind-page")) {
+
+ // If the post is targetting a user
+ case "user":
+ kindPage = PostPageKind.PAGE_KIND_USER;
+ pageID = await h.postUserId("kind-id");
+
+ if(!await UserHelper.CanCreatePosts(h.getUserId(), pageID))
+ h.error(401, "You are not allowed to create posts on this page!");
+
+ break;
+
+ // For groups
+ case "group":
+ kindPage = PostPageKind.PAGE_KIND_GROUP;
+ pageID = await h.postGroupIDWithAccess("kind-id", GroupsAccessLevel.MEMBER_ACCESS);
+
+ // Check if the user can create posts on this group
+ if(!await GroupsHelper.CanUserCreatePosts(pageID, h.getUserId()))
+ h.error(401, "You are not allowed to create posts on this group!");
+
+ break;
+
+ default:
+ h.error(500, "Unsupported kind of page!");
+
+ }
+
+ h.success("Go on.");
+ }
+
 /**
  * Send multiple posts to the API
diff --git a/src/controllers/Routes.ts b/src/controllers/Routes.ts
index 0b41584..469e88d 100644
--- a/src/controllers/Routes.ts
+++ b/src/controllers/Routes.ts
@@ -192,6 +192,8 @@ export const Routes : Route[] = [
 {path: "/posts/get_single", cb: (h) => PostsController.GetSingle(h), needLogin: false},
+ {path: "/posts/create", cb: (h) => PostsController.CreatePost(h)},
+
 // Notifications controller
diff --git a/src/helpers/GroupsHelper.ts b/src/helpers/GroupsHelper.ts
index 82f9b82..0658aaa 100644
--- a/src/helpers/GroupsHelper.ts
+++ b/src/helpers/GroupsHelper.ts
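Review bot: The two authorization refusals in CreatePost (the `h.error(401, …)` calls in the `user` and `group` cases) only gate the request if `RequestHandler.error` never returns; if it merely writes a response, control continues to `break` and then to `h.success("Go on.")`, and the same applies to the `default` branch, after which `kindPage` and `pageID` are still unassigned. Making the abort explicit, e.g. `return h.error(401, "You are not allowed to create posts on this page!");` and likewise in the group and default branches, keeps the check correct whatever `error` does internally; its contract is not visible in this hunk. An unsupported `kind-page` value is supplied by the client, so `h.error(400, "Unsupported kind of page!")` describes it better than 500, and refusing an authenticated user is conventionally 403 rather than 401, though I would follow whatever the other controllers use. `kindPage` and `pageID` are assigned but never read after the switch, so the handler is presently a validation-only stub; a comment such as `// TODO: post creation itself is not implemented yet, this only validates the target and the caller's rights` would make the `"Go on."` response less surprising to the next reader.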
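Review bot: The new `/posts/create` entry omits `needLogin`, while the neighbouring `/posts/get_single` entry sets it explicitly; CreatePost calls `h.getUserId()` for both of its authorization checks, so this route must resolve to a login-required one. If the `Route` default is login-required (not visible in this hunk) the entry is fine, but spelling it out, `{path: "/posts/create", cb: (h) => PostsController.CreatePost(h), needLogin: true},`, keeps the requirement intact even if that default ever changes. The `Routes` array begins and ends outside the hunk.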
@@ -1,5 +1,5 @@
 import { DatabaseHelper } from "./DatabaseHelper";
-import { GroupsAccessLevel, GroupVisibilityLevel, GroupInfo } from "../entities/Group";
+import { GroupsAccessLevel, GroupVisibilityLevel, GroupInfo, GroupPostsCreationLevel } from "../entities/Group";
 import { GroupMembershipLevels, GroupMember } from "../entities/GroupMember";
 import { NewGroup } from "../entities/NewGroup";
 import { time } from "../utils/DateUtils";
@@ -480,6 +480,29 @@ export class GroupsHelper {
 return groupID;
 }
+ /**
+ * Check out whether a user can create posts on a group or not
+ *
+ * @param groupID Target group ID
+ * @param userID Target user ID
+ */
+ public static async CanUserCreatePosts(groupID: number, userID: number) : Promise {
+ const membershipLevel = await this.GetMembershipLevel(groupID, userID);
+
+ // Moderators + administrators => can always create posts
+ if(membershipLevel == GroupMembershipLevels.MODERATOR ||
+ membershipLevel == GroupMembershipLevels.ADMINISTRATOR)
+ return true;
+
+ // Simple members => check authorization
+ if(membershipLevel == GroupMembershipLevels.MEMBER) {
+ return (await this.GetInfo(groupID)).postsCreationLevel
+ == GroupPostsCreationLevel.POSTS_LEVEL_ALL_MEMBERS;
+ }
+
+ return false;
+ }
+
 /**
  * Turn a database row into a {GroupInfo} object
  *
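Review bot: CanUserCreatePosts compares `membershipLevel` and `postsCreationLevel` with loose `==` in all three comparisons; both sides are enum members, so strict `===` is the idiomatic form and rules out coercion surprises should a level ever come back from the database layer as a string. The return annotation reads `Promise` with no type argument here; if that is not an artefact of how the patch was rendered it should be `Promise<boolean>`, or the annotation can be dropped and left to inference. The closing `return false` is the right deny-by-default shape, and a one-line comment on it, `// Any membership level not handled above is refused`, would record that this is intentional rather than an omitted case. The `@returns` is also missing from the doc comment; `@returns true when the user may publish on the group` would complete it.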