From 023663b268bf279157444103a84a49b089997869 Mon Sep 17 00:00:00 2001
From: Geometrically <18202329+Geometrically@users.noreply.github.com>
Date: Wed, 16 Mar 2022 07:49:09 -0700
Subject: [PATCH] Fix permissions checks for projects, fix gallery URLs (#321)

---
 src/routes/project_creation.rs | 2 +-
 src/routes/projects.rs | 11 +++++++++--
 src/routes/versions.rs | 13 ++++++++++---
 src/validate/forge.rs | 10 +++++-----
 4 files changed, 25 insertions(+), 11 deletions(-)

diff --git a/src/routes/project_creation.rs b/src/routes/project_creation.rs
index 9029d07d..39cfd0bc 100644
--- a/src/routes/project_creation.rs
+++ b/src/routes/project_creation.rs
@@ -494,7 +494,7 @@ pub async fn project_create_inner(
 });
 gallery_urls.push(crate::models::projects::GalleryItem {
- url,
+ url: format!("{}/{}", cdn_url, url),
 featured: item.featured,
 title: item.title.clone(),
 description: item.description.clone(),
diff --git a/src/routes/projects.rs b/src/routes/projects.rs
index 6ca9f9c4..84a6d5a7 100644
--- a/src/routes/projects.rs
+++ b/src/routes/projects.rs
@@ -96,17 +96,24 @@ struct DependencyInfo {
 #[get("dependencies")]
 pub async fn dependency_list(
+ req: HttpRequest,
 info: web::Path<(String,)>,
 pool: web::Data,
 ) -> Result {
 let string = info.into_inner().0;
 let result =
- database::models::Project::get_from_slug_or_project_id(string, &**pool)
+ database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
 .await?;
+ let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
+
 if let Some(project) = result {
- let id = project.id;
+ if !is_authorized(&project, &user_option, &pool).await? {
+ return Ok(HttpResponse::NotFound().body(""));
+ }
+
+ let id = project.inner.id;
 use futures::stream::TryStreamExt;
diff --git a/src/routes/versions.rs b/src/routes/versions.rs
index c3d8c837..959a146e 100644
--- a/src/routes/versions.rs
+++ b/src/routes/versions.rs
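Review bot: A trailing `/` on `cdn_url` (or a leading one on `url`) produces a `//` in the persisted gallery URL, because the new `url: format!("{}/{}", cdn_url, url)` joins the two strings without normalising either side. If `cdn_url` is read from configuration, `format!("{}/{}", cdn_url.trim_end_matches('/'), url.trim_start_matches('/'))` keeps the stored value canonical regardless of how the setting is written. Any other handler that inserts gallery items would need the same prefix or the stored URLs diverge; that cannot be confirmed from this hunk. Where `cdn_url` and `url` are defined, and the rest of `project_create_inner`, lie outside the hunk.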
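Review bot: `get_user_from_headers(req.headers(), &**pool).await.ok()` maps every failure to `None`, so an internal error while resolving the credential (a database failure, if that call can return one) is treated as an anonymous request and surfaces as the `NotFound` below instead of a server error; `version_list` in src/routes/versions.rs adds the identical line. If the function's error type separates a missing or invalid credential from an internal error, only the former should become `None` and the rest should be propagated with `?`. Answering an unauthorised viewer with an empty 404 is the right choice here, since it does not disclose whether the slug exists. `dependency_list` continues past the end of the hunk.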
@@ -4,7 +4,7 @@ use crate::database::models as db_models;
 use crate::models;
 use crate::models::projects::{Dependency, Version};
 use crate::models::teams::Permissions;
-use crate::util::auth::get_user_from_headers;
+use crate::util::auth::{get_user_from_headers, is_authorized};
 use crate::util::guards::admin_key_guard;
 use crate::util::validate::validation_errors_to_string;
 use actix_web::{delete, get, patch, web, HttpRequest, HttpResponse};
@@ -21,6 +21,7 @@ pub struct VersionListFilters {
 #[get("version")]
 pub async fn version_list(
+ req: HttpRequest,
 info: web::Path<(String,)>,
 web::Query(filters): web::Query,
 pool: web::Data,
@@ -28,11 +29,17 @@ pub async fn version_list(
 let string = info.into_inner().0;
 let result =
- database::models::Project::get_from_slug_or_project_id(string, &**pool)
+ database::models::Project::get_full_from_slug_or_project_id(&string, &**pool)
 .await?;
+ let user_option = get_user_from_headers(req.headers(), &**pool).await.ok();
+
 if let Some(project) = result {
- let id = project.id;
+ if !is_authorized(&project, &user_option, &pool).await? {
+ return Ok(HttpResponse::NotFound().body(""));
+ }
+
+ let id = project.inner.id;
 let version_ids = database::models::Version::get_project_versions(
 id,
diff --git a/src/validate/forge.rs b/src/validate/forge.rs
index 038edbe0..b98a55e4 100644
--- a/src/validate/forge.rs
+++ b/src/validate/forge.rs
@@ -83,11 +83,11 @@ impl super::Validator for LegacyForgeValidator {
 &self,
 archive: &mut ZipArchive>,
 ) -> Result {
- archive.by_name("mcmod.info").map_err(|_| {
- ValidationError::InvalidInputError(
- "No mcmod.info present for Forge file.".into(),
- )
- })?;
+ if archive.by_name("mcmod.info").is_err() {
+ return Ok(ValidationResult::Warning(
+ "Forge mod file does not contain mcmod.info!",
+ ));
+ };
 if !archive.file_names().any(|name| name.ends_with(".class")) {
 return Ok(ValidationResult::Warning(
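Review bot: The project lookup, the header-based user resolution, the `is_authorized` check with its empty `NotFound` response and the `project.inner.id` extraction added in the third hunk are a line-for-line copy of the block added to `dependency_list` in src/routes/projects.rs, and two copies of a permission check are exactly what drifts apart on the next edit. A helper in `crate::util::auth` that takes the slug-or-id, the request headers and the pool and returns the project only when the caller may view it (as an `Option`, with `None` for both "not found" and "not authorised") would let each handler keep a single `if let Some(project) = ...` and put the 404 fallback in one place. `version_list` continues past the hunk, and the non-match branch of `if let Some(project)` is not visible here.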