Categories: Do not let anons add to/remove from categories

2025-01-05 17:40:26 +00:00 · 2022-03-26 18:31:13 +03:00 · 2022-03-26 18:31:13 +03:00 · 59bb34b920
commit 59bb34b920
parent 0a273f55f4
2 changed files with 28 additions and 14 deletions
--- a/user/user.go
+++ b/user/user.go
@ -31,20 +31,22 @@ type User struct {

 // Route — Right (more is more right)
 var minimalRights = map[string]int{
-	"text":                0,
-	"backlinks":           0,
-	"history":             0,
-	"media":               1,
-	"edit":                1,
-	"upload-binary":       1,
-	"upload-text":         1,
-	"rename":              2,
-	"remove-media":        2,
-	"update-header-links": 3,
-	"delete":              3,
-	"reindex":             4,
-	"admin":               4,
-	"admin/shutdown":      4,
+	"text":                 0,
+	"backlinks":            0,
+	"history":              0,
+	"media":                1,
+	"edit":                 1,
+	"upload-binary":        1,
+	"upload-text":          1,
+	"add-to-category":      1,
+	"remove-from-category": 1,
+	"rename":               2,
+	"remove-media":         2,
+	"update-header-links":  3,
+	"delete":               3,
+	"reindex":              4,
+	"admin":                4,
+	"admin/shutdown":       4,
 }

 var groups = []string{
--- a/web/categories.go
+++ b/web/categories.go
@ -2,9 +2,11 @@ package web

 import (
 	"github.com/bouncepaw/mycorrhiza/hyphae/categories"
+	"github.com/bouncepaw/mycorrhiza/user"
 	"github.com/bouncepaw/mycorrhiza/util"
 	"github.com/bouncepaw/mycorrhiza/views"
 	"github.com/gorilla/mux"
+	"io"
 	"net/http"
 )

@ -34,6 +36,11 @@ func handlerRemoveFromCategory(w http.ResponseWriter, rq *http.Request) {
 		catName    = util.CanonicalName(rq.PostFormValue("cat"))
 		redirectTo = rq.PostFormValue("redirect-to")
 	)
+	if !user.FromRequest(rq).CanProceed("remove-from-category") {
+		w.WriteHeader(http.StatusForbidden)
+		_, _ = io.WriteString(w, "403 Forbidden")
+		return
+	}
 	categories.RemoveHyphaFromCategory(hyphaName, catName)
 	http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
 }
@ -45,6 +52,11 @@ func handlerAddToCategory(w http.ResponseWriter, rq *http.Request) {
 		catName    = util.CanonicalName(rq.PostFormValue("cat"))
 		redirectTo = rq.PostFormValue("redirect-to")
 	)
+	if !user.FromRequest(rq).CanProceed("add-to-category") {
+		w.WriteHeader(http.StatusForbidden)
+		_, _ = io.WriteString(w, "403 Forbidden")
+		return
+	}
 	categories.AddHyphaToCategory(hyphaName, catName)
 	http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
 }