prevent unauthorized note edits

src/Handler/Add.hs

@@ -58,7 +58,7 @@ _handleFormSuccess :: BookmarkForm -> Handler (UpsertResult, Key Bookmark)
 _handleFormSuccess bookmarkForm = do
   (userId, user) <- requireAuthPair
   bm <- liftIO $ _toBookmark userId bookmarkForm
-  (res, kbid) <- runDB (upsertBookmark mkbid bm tags)
+  (res, kbid) <- runDB (upsertBookmark userId mkbid bm tags)
   whenM (shouldArchiveBookmark user kbid) $
     void $ async (archiveBookmarkUrl kbid (unpack (bookmarkHref bm)))
   pure (res, kbid)

src/Handler/Notes.hs

@@ -36,6 +36,7 @@ getNotesR unamep@(UserNameP uname) = do
     toWidgetBody [julius|
         app.userR = "@{UserR unamep}";
         app.dat.notes = #{ toJSON notes } || [];
+        app.dat.isowner = #{ isowner };
     |]
     toWidget [julius|
       PS['Main'].renderNotes('##{rawJS renderEl}')(app.dat.notes)();
@@ -59,6 +60,7 @@ getNoteR unamep@(UserNameP uname) slug = do
     toWidgetBody [julius|
         app.userR = "@{UserR unamep}";
         app.dat.note = #{ toJSON note } || [];
+        app.dat.isowner = #{ isowner };
     |]
     toWidget [julius|
       PS['Main'].renderNote('##{rawJS renderEl}')(app.dat.note)();
@@ -107,7 +109,7 @@ _handleFormSuccess :: NoteForm -> Handler (UpsertResult, Key Note)
 _handleFormSuccess noteForm = do
   userId <- requireAuthId
   note <- liftIO $ _toNote userId noteForm
-  runDB (upsertNote knid note)
+  runDB (upsertNote userId knid note)
   where
     knid = NoteKey <$> (_id noteForm >>= \i -> if i > 0 then Just i else Nothing)
 

src/Model.hs

@@ -535,12 +535,15 @@ fetchBookmarkByUrl userId murl = runMaybeT $ do
 
 data UpsertResult = Created | Updated
 
-upsertBookmark:: Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
-upsertBookmark mbid bm tags = do
+upsertBookmark :: Key User -> Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
+upsertBookmark userId mbid bm tags = do
   res <- case mbid of
     Just bid -> do
       get bid >>= \case
-        Just prev_bm -> replaceBookmark bid prev_bm
+        Just prev_bm -> do
+          when (userId /= bookmarkUserId prev_bm)
+            (fail "unauthorized")
+          replaceBookmark bid prev_bm
         _ -> fail "not found"
     Nothing -> do
       getBy (UniqueUserHref (bookmarkUserId bm) (bookmarkHref bm)) >>= \case
@@ -559,9 +562,9 @@ upsertBookmark mbid bm tags = do
       pure (Updated, bid)
     deleteTags bid =
       deleteWhere [BookmarkTagBookmarkId ==. bid]
-    insertTags userId bid' =
+    insertTags userId' bid' =
       for_ (zip [1 ..] tags) $
-      \(i, tag) -> void $ insert $ BookmarkTag userId tag bid' i
+      \(i, tag) -> void $ insert $ BookmarkTag userId' tag bid' i
 
 updateBookmarkArchiveUrl :: Key User -> Key Bookmark -> Maybe Text -> DB ()
 updateBookmarkArchiveUrl userId bid marchiveUrl = do
@@ -569,17 +572,19 @@ updateBookmarkArchiveUrl userId bid marchiveUrl = do
     [BookmarkUserId ==. userId, BookmarkId ==. bid]
     [BookmarkArchiveHref CP.=. marchiveUrl]
 
-upsertNote:: Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
-upsertNote mnid bmark@Note{..} = do
+upsertNote :: Key User -> Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
+upsertNote userId mnid note = do
   case mnid of
     Just nid -> do
       get nid >>= \case
-        Just _ -> do
-          replace nid bmark
+        Just note' -> do
+          when (userId /= (noteUserId note'))
+            (fail "unauthorized")
+          replace nid note
           pure (Updated, nid)
         _ -> fail "not found"
     Nothing -> do
-      (Created,) <$> insert bmark
+      (Created,) <$> insert note
 
 -- * FileBookmarks