Categories: Do not let anons add to/remove from categories
This commit is contained in:
parent
0a273f55f4
commit
59bb34b920
30
user/user.go
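--- a/user/user.go
+++ b/user/user.go
@@ -31,20 +31,22 @@ type User struct {
 
 // Route — Right (more is more right)
 var minimalRights = map[string]int{
-"text": 0,
-"backlinks": 0,
-"history": 0,
-"media": 1,
-"edit": 1,
-"upload-binary": 1,
-"upload-text": 1,
-"rename": 2,
-"remove-media": 2,
-"update-header-links": 3,
-"delete": 3,
-"reindex": 4,
-"admin": 4,
-"admin/shutdown": 4,
+"text": 0,
+"backlinks": 0,
+"history": 0,
+"media": 1,
+"edit": 1,
+"upload-binary": 1,
+"upload-text": 1,
+"add-to-category": 1,
+"remove-from-category": 1,
+"rename": 2,
+"remove-media": 2,
+"update-header-links": 3,
+"delete": 3,
+"reindex": 4,
+"admin": 4,
+"admin/shutdown": 4,
 }
 
 var groups = []string{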
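Review bot: The two new entries `"add-to-category": 1,` and `"remove-from-category": 1,` are looked up by free-form string from the web handlers, and nothing in this file records which level anonymous visitors hold, so the intent stated in the commit title cannot be checked against the map alone. A one-line note above minimalRights naming the anonymous tier (the title implies it is 0, but the page does not show where that rank is assigned) would make the new entries self-explanatory. Because the keys are plain strings, a typo between a handler's argument and this map is not caught at compile time; what CanProceed returns for a route missing from the map is not visible here, so it is worth confirming it denies rather than allows. The map is complete within the hunk, but the enclosing User type and the rank assignment are not.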
@ -2,9 +2,11 @@ package web
|
|||||||
|
|
||||||
import (
|
import (
|
||||||
"github.com/bouncepaw/mycorrhiza/hyphae/categories"
|
"github.com/bouncepaw/mycorrhiza/hyphae/categories"
|
||||||
|
"github.com/bouncepaw/mycorrhiza/user"
|
||||||
"github.com/bouncepaw/mycorrhiza/util"
|
"github.com/bouncepaw/mycorrhiza/util"
|
||||||
"github.com/bouncepaw/mycorrhiza/views"
|
"github.com/bouncepaw/mycorrhiza/views"
|
||||||
"github.com/gorilla/mux"
|
"github.com/gorilla/mux"
|
||||||
|
"io"
|
||||||
"net/http"
|
"net/http"
|
||||||
)
|
)
|
||||||
|
|
||||||
@ -34,6 +36,11 @@ func handlerRemoveFromCategory(w http.ResponseWriter, rq *http.Request) {
|
|||||||
catName = util.CanonicalName(rq.PostFormValue("cat"))
|
catName = util.CanonicalName(rq.PostFormValue("cat"))
|
||||||
redirectTo = rq.PostFormValue("redirect-to")
|
redirectTo = rq.PostFormValue("redirect-to")
|
||||||
)
|
)
|
||||||
|
if !user.FromRequest(rq).CanProceed("remove-from-category") {
|
||||||
|
w.WriteHeader(http.StatusForbidden)
|
||||||
|
_, _ = io.WriteString(w, "403 Forbidden")
|
||||||
|
return
|
||||||
|
}
|
||||||
categories.RemoveHyphaFromCategory(hyphaName, catName)
|
categories.RemoveHyphaFromCategory(hyphaName, catName)
|
||||||
http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
|
http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
|
||||||
}
|
}
|
||||||
@ -45,6 +52,11 @@ func handlerAddToCategory(w http.ResponseWriter, rq *http.Request) {
|
|||||||
catName = util.CanonicalName(rq.PostFormValue("cat"))
|
catName = util.CanonicalName(rq.PostFormValue("cat"))
|
||||||
redirectTo = rq.PostFormValue("redirect-to")
|
redirectTo = rq.PostFormValue("redirect-to")
|
||||||
)
|
)
|
||||||
|
if !user.FromRequest(rq).CanProceed("add-to-category") {
|
||||||
|
w.WriteHeader(http.StatusForbidden)
|
||||||
|
_, _ = io.WriteString(w, "403 Forbidden")
|
||||||
|
return
|
||||||
|
}
|
||||||
categories.AddHyphaToCategory(hyphaName, catName)
|
categories.AddHyphaToCategory(hyphaName, catName)
|
||||||
http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
|
http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
|
||||||
}
|
}
|
||||||
|
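Review bot: The new 403 branch in handlerRemoveFromCategory, and the identical one in handlerAddToCategory, writes the status and body by hand, so the response carries no explicit Content-Type or X-Content-Type-Options header; `http.Error(w, "403 Forbidden", http.StatusForbidden)` sets both (text/plain; charset=utf-8 and nosniff), replaces the three lines with one, and, if nothing else in the file uses it, removes the need for the newly imported io package. Since the same five-line block now appears in both handlers, a small helper taking the right name and returning whether the request may continue would keep the check in one place. Separately, both handlers pass the `redirect-to` form value to http.Redirect without checking that it is a local path; that predates this commit, but it is worth a follow-up since the handlers are now reachable by logged-in users only and the redirect target is still caller-controlled. Both handler functions begin before their hunks, so the form parsing and method handling the new check relies on are not visible here.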