Categories: Do not let anons add to/remove from categories

2025-01-07 10:20:26 +00:00 · 2022-03-26 18:31:13 +03:00 · 2022-03-26 18:31:13 +03:00 · 59bb34b920
commit 59bb34b920
parent 0a273f55f4
2 changed files with 28 additions and 14 deletions
--- a/user/user.go
+++ b/user/user.go
@ -38,6 +38,8 @@ var minimalRights = map[string]int{
 	"edit":                 1,
 	"upload-binary":        1,
 	"upload-text":          1,
+	"add-to-category":      1,
+	"remove-from-category": 1,
 	"rename":               2,
 	"remove-media":         2,
 	"update-header-links":  3,
--- a/web/categories.go
+++ b/web/categories.go
@ -2,9 +2,11 @@ package web

 import (
 	"github.com/bouncepaw/mycorrhiza/hyphae/categories"
+	"github.com/bouncepaw/mycorrhiza/user"
 	"github.com/bouncepaw/mycorrhiza/util"
 	"github.com/bouncepaw/mycorrhiza/views"
 	"github.com/gorilla/mux"
+	"io"
 	"net/http"
 )

@ -34,6 +36,11 @@ func handlerRemoveFromCategory(w http.ResponseWriter, rq *http.Request) {
 		catName    = util.CanonicalName(rq.PostFormValue("cat"))
 		redirectTo = rq.PostFormValue("redirect-to")
 	)
+	if !user.FromRequest(rq).CanProceed("remove-from-category") {
+		w.WriteHeader(http.StatusForbidden)
+		_, _ = io.WriteString(w, "403 Forbidden")
+		return
+	}
 	categories.RemoveHyphaFromCategory(hyphaName, catName)
 	http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
 }
@ -45,6 +52,11 @@ func handlerAddToCategory(w http.ResponseWriter, rq *http.Request) {
 		catName    = util.CanonicalName(rq.PostFormValue("cat"))
 		redirectTo = rq.PostFormValue("redirect-to")
 	)
+	if !user.FromRequest(rq).CanProceed("add-to-category") {
+		w.WriteHeader(http.StatusForbidden)
+		_, _ = io.WriteString(w, "403 Forbidden")
+		return
+	}
 	categories.AddHyphaToCategory(hyphaName, catName)
 	http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
 }