SolarNetwork/Swarm
2
3
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

🛂 Add permission check in post pin / unpin

Browse Source
This commit is contained in:
LittleSheep
2025-08-25 20:04:21 +08:00
parent 4ff89173b2
commit 5f7ab49abb
1 changed files with 24 additions and 4 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
DysonNetwork.Sphere/Post/PostController.cs
View File

@@ -11,6 +11,7 @@ using Microsoft.AspNetCore.Mvc;
using Microsoft.EntityFrameworkCore; using Microsoft.EntityFrameworkCore;
using NodaTime; using NodaTime;
using Swashbuckle.AspNetCore.Annotations; using Swashbuckle.AspNetCore.Annotations;
using PublisherMemberRole = DysonNetwork.Sphere.Publisher.PublisherMemberRole;
using PublisherService = DysonNetwork.Sphere.Publisher.PublisherService; using PublisherService = DysonNetwork.Sphere.Publisher.PublisherService;
namespace DysonNetwork.Sphere.Post; namespace DysonNetwork.Sphere.Post;
@@ -126,7 +127,8 @@ public class PostController(
query = query.Where(e => e.Attachments.Count > 0); query = query.Where(e => e.Attachments.Count > 0);
if (realm == null) if (realm == null)
query = query.Where(p => p.RealmId == null || p.Realm == null || userRealms.Contains(p.RealmId.Value) || p.Realm.IsPublic); query = query.Where(p =>
p.RealmId == null || p.Realm == null || userRealms.Contains(p.RealmId.Value) || p.Realm.IsPublic);
switch (pinned) switch (pinned)
{ {
@@ -595,6 +597,16 @@ public class PostController(
.FirstOrDefaultAsync(); .FirstOrDefaultAsync();
if (post is null) return NotFound(); if (post is null) return NotFound();
var accountId = Guid.Parse(currentUser.Id);
if (!await pub.IsMemberWithRole(post.PublisherId, accountId, PublisherMemberRole.Editor))
return StatusCode(403, "You are not an editor of this publisher");
if (request.Mode == PostPinMode.RealmPage && post.RealmId != null)
{
if (!await rs.IsMemberWithRole(post.RealmId.Value, accountId, RealmMemberRole.Moderator))
return StatusCode(403, "You are not a moderator of this realm");
}
try try
{ {
await ps.PinPostAsync(post, currentUser, request.Mode); await ps.PinPostAsync(post, currentUser, request.Mode);
@@ -604,8 +616,6 @@ public class PostController(
return BadRequest(err.Message); return BadRequest(err.Message);
} }
var accountId = Guid.Parse(currentUser.Id);
_ = als.CreateActionLogAsync(new CreateActionLogRequest _ = als.CreateActionLogAsync(new CreateActionLogRequest
{ {
Action = ActionLogType.PostPin, Action = ActionLogType.PostPin,
@@ -635,6 +645,16 @@ public class PostController(
.FirstOrDefaultAsync(); .FirstOrDefaultAsync();
if (post is null) return NotFound(); if (post is null) return NotFound();
var accountId = Guid.Parse(currentUser.Id);
if (!await pub.IsMemberWithRole(post.PublisherId, accountId, PublisherMemberRole.Editor))
return StatusCode(403, "You are not an editor of this publisher");
if (post is { PinMode: PostPinMode.RealmPage, RealmId: not null })
{
if (!await rs.IsMemberWithRole(post.RealmId.Value, accountId, RealmMemberRole.Moderator))
return StatusCode(403, "You are not a moderator of this realm");
}
try try
{ {
await ps.UnpinPostAsync(post, currentUser); await ps.UnpinPostAsync(post, currentUser);