diff --git a/src/Handler/Add.hs b/src/Handler/Add.hs
index 3300390..22ef21c 100644
--- a/src/Handler/Add.hs
+++ b/src/Handler/Add.hs
@@ -58,7 +58,7 @@ _handleFormSuccess :: BookmarkForm -> Handler (UpsertResult, Key Bookmark)
 _handleFormSuccess bookmarkForm = do
   (userId, user) <- requireAuthPair
   bm <- liftIO $ _toBookmark userId bookmarkForm
-  (res, kbid) <- runDB (upsertBookmark mkbid bm tags)
+  (res, kbid) <- runDB (upsertBookmark userId mkbid bm tags)
   whenM (shouldArchiveBookmark user kbid) $
     void $ async (archiveBookmarkUrl kbid (unpack (bookmarkHref bm)))
   pure (res, kbid)
diff --git a/src/Handler/Notes.hs b/src/Handler/Notes.hs
index 34e21b1..c5cd40d 100644
--- a/src/Handler/Notes.hs
+++ b/src/Handler/Notes.hs
@@ -36,6 +36,7 @@ getNotesR unamep@(UserNameP uname) = do
   toWidgetBody [julius|
     app.userR = "@{UserR unamep}";
     app.dat.notes = #{ toJSON notes } || [];
+    app.dat.isowner = #{ isowner };
   |]
   toWidget [julius|
     PS['Main'].renderNotes('##{rawJS renderEl}')(app.dat.notes)();
@@ -59,6 +60,7 @@ getNoteR unamep@(UserNameP uname) slug = do
   toWidgetBody [julius|
     app.userR = "@{UserR unamep}";
     app.dat.note = #{ toJSON note } || [];
+    app.dat.isowner = #{ isowner };
   |]
   toWidget [julius|
     PS['Main'].renderNote('##{rawJS renderEl}')(app.dat.note)();
@@ -107,7 +109,7 @@ _handleFormSuccess :: NoteForm -> Handler (UpsertResult, Key Note)
 _handleFormSuccess noteForm = do
   userId <- requireAuthId
   note <- liftIO $ _toNote userId noteForm
-  runDB (upsertNote knid note)
+  runDB (upsertNote userId knid note)
   where
     knid = NoteKey <$> (_id noteForm >>= \i -> if i > 0 then Just i else Nothing)
diff --git a/src/Model.hs b/src/Model.hs
index 5a14318..ba8dc37 100644
--- a/src/Model.hs
+++ b/src/Model.hs
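Review bot: `app.dat.isowner = #{ isowner };` hands the ownership flag to client-side JavaScript, so it can only decide what the page shows; any edit or delete control it unlocks remains reachable by a non-owner who crafts the request directly, and the check that actually matters is the `userId` comparison `upsertNote` performs in the database layer. A one-line comment beside the new line would stop a future maintainer from treating the flag as a guard: `// UI hint only; ownership is enforced server-side in upsertNote`. The identical line in the `getNoteR` hunk (@@ -59) deserves the same comment. `isowner` is bound outside both hunks, so how it is computed cannot be checked from here.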
@@ -535,12 +535,15 @@ fetchBookmarkByUrl userId murl = runMaybeT $ do
 
 data UpsertResult = Created | Updated
 
-upsertBookmark:: Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
-upsertBookmark mbid bm tags = do
+upsertBookmark :: Key User -> Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
+upsertBookmark userId mbid bm tags = do
   res <- case mbid of
     Just bid -> do
       get bid >>= \case
-        Just prev_bm -> replaceBookmark bid prev_bm
+        Just prev_bm -> do
+          when (userId /= bookmarkUserId prev_bm)
+            (fail "unauthorized")
+          replaceBookmark bid prev_bm
         _ -> fail "not found"
     Nothing -> do
       getBy (UniqueUserHref (bookmarkUserId bm) (bookmarkHref bm)) >>= \case
@@ -559,9 +562,9 @@ upsertBookmark mbid bm tags = do
       pure (Updated, bid)
     deleteTags bid = deleteWhere [BookmarkTagBookmarkId ==. bid]
-    insertTags userId bid' =
+    insertTags userId' bid' =
       for_ (zip [1 ..] tags) $
-        \(i, tag) -> void $ insert $ BookmarkTag userId tag bid' i
+        \(i, tag) -> void $ insert $ BookmarkTag userId' tag bid' i
 
 updateBookmarkArchiveUrl :: Key User -> Key Bookmark -> Maybe Text -> DB ()
 updateBookmarkArchiveUrl userId bid marchiveUrl = do
@@ -569,17 +572,19 @@ updateBookmarkArchiveUrl userId bid marchiveUrl = do
     [BookmarkUserId ==. userId, BookmarkId ==. bid]
     [BookmarkArchiveHref CP.=. marchiveUrl]
 
-upsertNote:: Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
-upsertNote mnid bmark@Note{..} = do
+upsertNote :: Key User -> Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
+upsertNote userId mnid note = do
   case mnid of
     Just nid -> do
       get nid >>= \case
-        Just _ -> do
-          replace nid bmark
+        Just note' -> do
+          when (userId /= (noteUserId note'))
+            (fail "unauthorized")
+          replace nid note
           pure (Updated, nid)
         _ -> fail "not found"
     Nothing -> do
-      (Created,) <$> insert bmark
+      (Created,) <$> insert note
 
 -- * FileBookmarks
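Review bot: The new ownership check in `upsertBookmark` compares `userId` only with the stored row (`bookmarkUserId prev_bm`); the record that `replaceBookmark bid prev_bm` then writes is presumably built from `bm` (the helper's body is outside the hunk), and `bookmarkUserId bm` is never compared with `userId`, so a `bm` carrying another user's id passes the guard and reassigns the row — today the handler builds `bm` via `_toBookmark userId`, so this is a gap in the model API's contract rather than a reachable path as far as these hunks show. A second guard, `when (userId /= bookmarkUserId bm) (fail "unauthorized")`, or overwriting the field from `userId` before the write, closes it. Separately, `fail "unauthorized"` is indistinguishable from the existing `fail "not found"` at the HTTP layer and, depending on the `DB` monad's `MonadFail` instance (not visible here), presumably surfaces as a server error rather than a 403; if `DB` is a `MonadHandler`, `permissionDenied "unauthorized"` would carry the right status. Both points apply equally to `upsertNote` in the @@ -569 hunk, where `replace nid note` and `insert note` write `note` without checking `noteUserId note` against `userId`. `upsertBookmark`'s body continues past the end of the hunk.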
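Review bot: Style: the inner parentheses in `when (userId /= (noteUserId note'))` are redundant, and `when (userId /= noteUserId note')` would match the form used by the corresponding check in `upsertBookmark` earlier in the same file. Keeping the two guards textually identical also makes it easier to spot, on a later read, if one of them drifts.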