prevent unauthorized note edits
parent
156dfe4bd2
commit
cd450ee312
|
@ -58,7 +58,7 @@ _handleFormSuccess :: BookmarkForm -> Handler (UpsertResult, Key Bookmark)
|
||||||
_handleFormSuccess bookmarkForm = do
|
_handleFormSuccess bookmarkForm = do
|
||||||
(userId, user) <- requireAuthPair
|
(userId, user) <- requireAuthPair
|
||||||
bm <- liftIO $ _toBookmark userId bookmarkForm
|
bm <- liftIO $ _toBookmark userId bookmarkForm
|
||||||
(res, kbid) <- runDB (upsertBookmark mkbid bm tags)
|
(res, kbid) <- runDB (upsertBookmark userId mkbid bm tags)
|
||||||
whenM (shouldArchiveBookmark user kbid) $
|
whenM (shouldArchiveBookmark user kbid) $
|
||||||
void $ async (archiveBookmarkUrl kbid (unpack (bookmarkHref bm)))
|
void $ async (archiveBookmarkUrl kbid (unpack (bookmarkHref bm)))
|
||||||
pure (res, kbid)
|
pure (res, kbid)
|
||||||
|
|
|
@ -36,6 +36,7 @@ getNotesR unamep@(UserNameP uname) = do
|
||||||
toWidgetBody [julius|
|
toWidgetBody [julius|
|
||||||
app.userR = "@{UserR unamep}";
|
app.userR = "@{UserR unamep}";
|
||||||
app.dat.notes = #{ toJSON notes } || [];
|
app.dat.notes = #{ toJSON notes } || [];
|
||||||
|
app.dat.isowner = #{ isowner };
|
||||||
|]
|
|]
|
||||||
toWidget [julius|
|
toWidget [julius|
|
||||||
PS['Main'].renderNotes('##{rawJS renderEl}')(app.dat.notes)();
|
PS['Main'].renderNotes('##{rawJS renderEl}')(app.dat.notes)();
|
||||||
|
@ -59,6 +60,7 @@ getNoteR unamep@(UserNameP uname) slug = do
|
||||||
toWidgetBody [julius|
|
toWidgetBody [julius|
|
||||||
app.userR = "@{UserR unamep}";
|
app.userR = "@{UserR unamep}";
|
||||||
app.dat.note = #{ toJSON note } || [];
|
app.dat.note = #{ toJSON note } || [];
|
||||||
|
app.dat.isowner = #{ isowner };
|
||||||
|]
|
|]
|
||||||
toWidget [julius|
|
toWidget [julius|
|
||||||
PS['Main'].renderNote('##{rawJS renderEl}')(app.dat.note)();
|
PS['Main'].renderNote('##{rawJS renderEl}')(app.dat.note)();
|
||||||
|
@ -107,7 +109,7 @@ _handleFormSuccess :: NoteForm -> Handler (UpsertResult, Key Note)
|
||||||
_handleFormSuccess noteForm = do
|
_handleFormSuccess noteForm = do
|
||||||
userId <- requireAuthId
|
userId <- requireAuthId
|
||||||
note <- liftIO $ _toNote userId noteForm
|
note <- liftIO $ _toNote userId noteForm
|
||||||
runDB (upsertNote knid note)
|
runDB (upsertNote userId knid note)
|
||||||
where
|
where
|
||||||
knid = NoteKey <$> (_id noteForm >>= \i -> if i > 0 then Just i else Nothing)
|
knid = NoteKey <$> (_id noteForm >>= \i -> if i > 0 then Just i else Nothing)
|
||||||
|
|
||||||
|
|
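Review bot: In `_handleFormSuccess`, `runDB (upsertNote userId knid note)` now relies on `fail "unauthorized"` inside the DB action to stop a non-owner, and nothing in this hunk catches it, so an edit of someone else's note presumably ends as a 500 rather than a 403 unless code outside the hunk maps the IOError. Either check ownership in the handler and call `permissionDenied "not your note"` before `runDB`, or have `upsertNote` report the refusal in its result (e.g. an `Either`) so the handler can choose the status. The `app.dat.isowner = #{ isowner };` lines added to `getNotesR` and `getNoteR` only drive the client-side UI, which is fine as long as the server-side check remains the authority; a one-line comment such as `-- isowner only toggles the edit UI; ownership is enforced in upsertNote` would keep the next reader from treating it as the check. Where `isowner` is computed is outside the hunk, so I could not confirm it is derived from the authenticated user.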
25
src/Model.hs
25
src/Model.hs
|
@ -535,12 +535,15 @@ fetchBookmarkByUrl userId murl = runMaybeT $ do
|
||||||
|
|
||||||
data UpsertResult = Created | Updated
|
data UpsertResult = Created | Updated
|
||||||
|
|
||||||
upsertBookmark:: Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
|
upsertBookmark :: Key User -> Maybe (Key Bookmark) -> Bookmark -> [Text] -> DB (UpsertResult, Key Bookmark)
|
||||||
upsertBookmark mbid bm tags = do
|
upsertBookmark userId mbid bm tags = do
|
||||||
res <- case mbid of
|
res <- case mbid of
|
||||||
Just bid -> do
|
Just bid -> do
|
||||||
get bid >>= \case
|
get bid >>= \case
|
||||||
Just prev_bm -> replaceBookmark bid prev_bm
|
Just prev_bm -> do
|
||||||
|
when (userId /= bookmarkUserId prev_bm)
|
||||||
|
(fail "unauthorized")
|
||||||
|
replaceBookmark bid prev_bm
|
||||||
_ -> fail "not found"
|
_ -> fail "not found"
|
||||||
Nothing -> do
|
Nothing -> do
|
||||||
getBy (UniqueUserHref (bookmarkUserId bm) (bookmarkHref bm)) >>= \case
|
getBy (UniqueUserHref (bookmarkUserId bm) (bookmarkHref bm)) >>= \case
|
||||||
|
@ -559,9 +562,9 @@ upsertBookmark mbid bm tags = do
|
||||||
pure (Updated, bid)
|
pure (Updated, bid)
|
||||||
deleteTags bid =
|
deleteTags bid =
|
||||||
deleteWhere [BookmarkTagBookmarkId ==. bid]
|
deleteWhere [BookmarkTagBookmarkId ==. bid]
|
||||||
insertTags userId bid' =
|
insertTags userId' bid' =
|
||||||
for_ (zip [1 ..] tags) $
|
for_ (zip [1 ..] tags) $
|
||||||
\(i, tag) -> void $ insert $ BookmarkTag userId tag bid' i
|
\(i, tag) -> void $ insert $ BookmarkTag userId' tag bid' i
|
||||||
|
|
||||||
updateBookmarkArchiveUrl :: Key User -> Key Bookmark -> Maybe Text -> DB ()
|
updateBookmarkArchiveUrl :: Key User -> Key Bookmark -> Maybe Text -> DB ()
|
||||||
updateBookmarkArchiveUrl userId bid marchiveUrl = do
|
updateBookmarkArchiveUrl userId bid marchiveUrl = do
|
||||||
|
@ -569,17 +572,19 @@ updateBookmarkArchiveUrl userId bid marchiveUrl = do
|
||||||
[BookmarkUserId ==. userId, BookmarkId ==. bid]
|
[BookmarkUserId ==. userId, BookmarkId ==. bid]
|
||||||
[BookmarkArchiveHref CP.=. marchiveUrl]
|
[BookmarkArchiveHref CP.=. marchiveUrl]
|
||||||
|
|
||||||
upsertNote:: Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
|
upsertNote :: Key User -> Maybe (Key Note) -> Note -> DB (UpsertResult, Key Note)
|
||||||
upsertNote mnid bmark@Note{..} = do
|
upsertNote userId mnid note = do
|
||||||
case mnid of
|
case mnid of
|
||||||
Just nid -> do
|
Just nid -> do
|
||||||
get nid >>= \case
|
get nid >>= \case
|
||||||
Just _ -> do
|
Just note' -> do
|
||||||
replace nid bmark
|
when (userId /= (noteUserId note'))
|
||||||
|
(fail "unauthorized")
|
||||||
|
replace nid note
|
||||||
pure (Updated, nid)
|
pure (Updated, nid)
|
||||||
_ -> fail "not found"
|
_ -> fail "not found"
|
||||||
Nothing -> do
|
Nothing -> do
|
||||||
(Created,) <$> insert bmark
|
(Created,) <$> insert note
|
||||||
|
|
||||||
-- * FileBookmarks
|
-- * FileBookmarks
|
||||||
|
|
||||||
|
|
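Review bot: The ownership check in `upsertBookmark` and `upsertNote` covers only the `Just bid`/`Just nid` path, and it compares `userId` against the stored row while the record that is then written (`bm` via `replaceBookmark`, `note` via `replace nid note`) is never compared to `userId`; if a caller ever builds the record with a different `bookmarkUserId`/`noteUserId`, the owner check passes on the old row and the replace re-homes it. The `Nothing` path has no check at all and keys its lookup on `bookmarkUserId bm` rather than `userId`, so the function's guarantee currently depends on `_toBookmark`/`_toNote` (outside this diff) always stamping the authenticated id. A guard at the top of each function closes both gaps independent of callers: `when (bookmarkUserId bm /= userId) (fail "unauthorized")` in `upsertBookmark` and `when (noteUserId note /= userId) (fail "unauthorized")` in `upsertNote`. Separately, `fail "unauthorized"` versus `fail "not found"` lets a caller distinguish "exists but not mine" from "does not exist"; answering both with the same message avoids leaking which ids are taken, if that matters for this app.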