Fix permissions checks for projects, fix gallery URLs (#321)

modrinth · Mar 16, 2022 · 023663b · 023663b
1 parent 3883c50
commit 023663b
Show file tree

Hide file tree

Showing 4 changed files with 25 additions and 11 deletions.
diff --git a/src/routes/project_creation.rs b/src/routes/project_creation.rs
@@ -494,7 +494,7 @@ pub async fn project_create_inner(
  });
 
  gallery_urls.push(crate::models::projects::GalleryItem {
- url,
+ url: format!("{}/{}", cdn_url, url),
  featured: item.featured,
  title: item.title.clone(),
  description: item.description.clone(),

diff --git a/src/routes/projects.rs b/src/routes/projects.rs
@@ -96,17 +96,24 @@ struct DependencyInfo {
 
 #[get("dependencies")]
 pub async fn dependency_list(
+ req: HttpRequest,
  info: web::Path<(String,)>,
  pool: web::Data<PgPool>,
 ) -> Result<HttpResponse, ApiError> {
  let string = info.into_inner().0;
 
  let result =
- database::models::Project::get_from_slug_or_project_id(string, &**pool)
+ database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
  .await?;
 
+ let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
+
  if let Some(project) = result {
- let id = project.id;
+ if !is_authorized(&project, &user_option, &pool).await? {
+ return Ok(HttpResponse::NotFound().body(""));
+ }
+
+ let id = project.inner.id;
 
  use futures::stream::TryStreamExt;
 

diff --git a/src/routes/versions.rs b/src/routes/versions.rs
@@ -4,7 +4,7 @@ use crate::database::models as db_models;
 use crate::models;
 use crate::models::projects::{Dependency, Version};
 use crate::models::teams::Permissions;
-use crate::util::auth::get_user_from_headers;
+use crate::util::auth::{get_user_from_headers, is_authorized};
 use crate::util::guards::admin_key_guard;
 use crate::util::validate::validation_errors_to_string;
 use actix_web::{delete, get, patch, web, HttpRequest, HttpResponse};
@@ -21,18 +21,25 @@ pub struct VersionListFilters {
 
 #[get("version")]
 pub async fn version_list(
+ req: HttpRequest,
  info: web::Path<(String,)>,
  web::Query(filters): web::Query<VersionListFilters>,
  pool: web::Data<PgPool>,
 ) -> Result<HttpResponse, ApiError> {
  let string = info.into_inner().0;
 
  let result =
- database::models::Project::get_from_slug_or_project_id(string, &**pool)
+ database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
  .await?;
 
+ let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
+
  if let Some(project) = result {
- let id = project.id;
+ if !is_authorized(&project, &user_option, &pool).await? {
+ return Ok(HttpResponse::NotFound().body(""));
+ }
+
+ let id = project.inner.id;
 
  let version_ids = database::models::Version::get_project_versions(
  id,

diff --git a/src/validate/forge.rs b/src/validate/forge.rs
@@ -83,11 +83,11 @@ impl super::Validator for LegacyForgeValidator {
  &self,
  archive: &mut ZipArchive<Cursor<bytes::Bytes>>,
  ) -> Result<ValidationResult, ValidationError> {
- archive.by_name("mcmod.info").map_err(|_| {
- ValidationError::InvalidInputError(
- "No mcmod.info present for Forge file.".into(),
- )
- })?;
+ if archive.by_name("mcmod.info").is_err() {
+ return Ok(ValidationResult::Warning(
+ "Forge mod file does not contain mcmod.info!",
+ ));
+ };
 
  if !archive.file_names().any(|name| name.ends_with(".class")) {
  return Ok(ValidationResult::Warning(