prevent unauthorized note edits
This commit is contained in:
parent
156dfe4bd2
commit
cd450ee312
|
@ -58,7 +58,7 @@ _handleFormSuccess :: BookmarkForm -> Handler (UpsertResult, Key Bookmark)
|
|||
_handleFormSuccess bookmarkForm = do
|
||||
(userId, user) <- requireAuthPair
|
||||
bm <- liftIO $ _toBookmark userId bookmarkForm
|
||||
(res, kbid) <- runDB (upsertBookmark mkbid bm tags)
|
||||
(res, kbid) <- runDB (upsertBookmark userId mkbid bm tags)
|
||||
whenM (shouldArchiveBookmark user kbid) $
|
||||
void $ async (archiveBookmarkUrl kbid (unpack (bookmarkHref bm)))
|
||||
pure (res, kbid)
|
||||
|
|
|
@ -36,6 +36,7 @@ getNotesR unamep@(UserNameP uname) = do
|
|||
toWidgetBody [julius|
|
||||
app.userR = "@{UserR unamep}";
|
||||
app.dat.notes = #{ toJSON notes } || [];
|
||||
app.dat.isowner = #{ isowner };
|
||||
|]
|
||||
toWidget [julius|
|
||||
PS['Main'].renderNotes('##{rawJS renderEl}')(app.dat.notes)();
|
||||
|
@ -59,6 +60,7 @@ getNoteR unamep@(UserNameP uname) slug = do
|
|||
toWidgetBody [julius|
|
||||
app.userR = "@{UserR unamep}";
|
||||
app.dat.note = #{ toJSON note } || [];
|
||||
app.dat.isowner = #{ isowner };
|
||||
|]
|
||||
toWidget [julius|
|
||||
PS['Main'].renderNote('##{rawJS renderEl}')(app.dat.note)();
|
||||
|
@ -107,7 +109,7 @@ _handleFormSuccess :: NoteForm -> Handler (UpsertResult, Key Note)
|
|||
_handleFormSuccess noteForm = do
|
||||
userId <- requireAuthId
|
||||
note <- liftIO $ _toNote userId noteForm
|
||||
runDB (upsertNote knid note)
|
||||
runDB (upsertNote userId knid note)
|
||||
where
|
||||
knid = NoteKey <$> (_id noteForm >>= \i -> if i > 0 then Just i else Nothing)
|
||||
|
||||
|
|
25
src/Model.hs
25
src/Model.hs
|
@ -535,12 +535,15 @@ fetchBookmarkByUrl userId murl = runMaybeT $ do
|
|||
|
||||
data UpsertResult = Created | Updated
|
||||
|
||||
upsertBookmark:: Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
|
||||
upsertBookmark mbid bm tags = do
|
||||
upsertBookmark :: Key User -> Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
|
||||
upsertBookmark userId mbid bm tags = do
|
||||
res <- case mbid of
|
||||
Just bid -> do
|
||||
get bid >>= \case
|
||||
Just prev_bm -> replaceBookmark bid prev_bm
|
||||
Just prev_bm -> do
|
||||
when (userId /= bookmarkUserId prev_bm)
|
||||
(fail "unauthorized")
|
||||
replaceBookmark bid prev_bm
|
||||
_ -> fail "not found"
|
||||
Nothing -> do
|
||||
getBy (UniqueUserHref (bookmarkUserId bm) (bookmarkHref bm)) >>= \case
|
||||
|
@ -559,9 +562,9 @@ upsertBookmark mbid bm tags = do
|
|||
pure (Updated, bid)
|
||||
deleteTags bid =
|
||||
deleteWhere [BookmarkTagBookmarkId ==. bid]
|
||||
insertTags userId bid' =
|
||||
insertTags userId' bid' =
|
||||
for_ (zip [1 ..] tags) $
|
||||
\(i, tag) -> void $ insert $ BookmarkTag userId tag bid' i
|
||||
\(i, tag) -> void $ insert $ BookmarkTag userId' tag bid' i
|
||||
|
||||
updateBookmarkArchiveUrl :: Key User -> Key Bookmark -> Maybe Text -> DB ()
|
||||
updateBookmarkArchiveUrl userId bid marchiveUrl = do
|
||||
|
@ -569,17 +572,19 @@ updateBookmarkArchiveUrl userId bid marchiveUrl = do
|
|||
[BookmarkUserId ==. userId, BookmarkId ==. bid]
|
||||
[BookmarkArchiveHref CP.=. marchiveUrl]
|
||||
|
||||
upsertNote:: Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
|
||||
upsertNote mnid bmark@Note{..} = do
|
||||
upsertNote :: Key User -> Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
|
||||
upsertNote userId mnid note = do
|
||||
case mnid of
|
||||
Just nid -> do
|
||||
get nid >>= \case
|
||||
Just _ -> do
|
||||
replace nid bmark
|
||||
Just note' -> do
|
||||
when (userId /= (noteUserId note'))
|
||||
(fail "unauthorized")
|
||||
replace nid note
|
||||
pure (Updated, nid)
|
||||
_ -> fail "not found"
|
||||
Nothing -> do
|
||||
(Created,) <$> insert bmark
|
||||
(Created,) <$> insert note
|
||||
|
||||
-- * FileBookmarks
|
||||
|
||||
|
|
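Review bot: The ownership check added to upsertNote compares `userId` only with the stored row (`noteUserId note'`) and never with the replacement value, so `replace nid note` persists whatever `noteUserId` the caller placed in `note`; the same holds for `replaceBookmark bid prev_bm` in upsertBookmark and for both `Nothing` (insert) branches, which do not compare `userId` with `noteUserId note` or `bookmarkUserId bm` before inserting. The visible handlers build these records from the authenticated id (`_toNote userId noteForm`, `_toBookmark userId bookmarkForm`), so a mismatch only arises through a caller that constructs an inconsistent record, but the model layer is the place to enforce it once: `when (userId /= noteUserId note || userId /= noteUserId note') (fail "unauthorized")` in the `Just` branch and a matching `when (userId /= noteUserId note) (fail "unauthorized")` before the insert. A haddock line on each new signature, e.g. `-- | Fails with "unauthorized" unless the caller owns the existing and the supplied note`, would make the contract visible to other callers. upsertBookmark's body (replaceBookmark and insertTags) continues outside its hunk, so an owner check on the replaced record may already exist there; upsertNote is fully within the hunk and has none.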