mirror of
https://github.com/osmarks/mycorrhiza.git
synced 2025-01-07 10:20:26 +00:00
Categories: Do not let anons add to/remove from categories
parent
0a273f55f4
commit
59bb34b920
30
user/user.go
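--- a/user/user.go
+++ b/user/user.go
@@ -31,20 +31,22 @@ type User struct {
 
 // Route — Right (more is more right)
 var minimalRights = map[string]int{
-"text": 0,
-"backlinks": 0,
-"history": 0,
-"media": 1,
-"edit": 1,
-"upload-binary": 1,
-"upload-text": 1,
-"rename": 2,
-"remove-media": 2,
-"update-header-links": 3,
-"delete": 3,
-"reindex": 4,
-"admin": 4,
-"admin/shutdown": 4,
+"text": 0,
+"backlinks": 0,
+"history": 0,
+"media": 1,
+"edit": 1,
+"upload-binary": 1,
+"upload-text": 1,
+"add-to-category": 1,
+"remove-from-category": 1,
+"rename": 2,
+"remove-media": 2,
+"update-header-links": 3,
+"delete": 3,
+"reindex": 4,
+"admin": 4,
+"admin/shutdown": 4,
 }
 
 var groups = []string{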
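Review bot: The new keys `"add-to-category"` and `"remove-from-category"` have to match, byte for byte, the strings the handlers pass to `CanProceed`, and nothing in this hunk shows how a route missing from `minimalRights` is treated. If the lookup is a plain `minimalRights[route]`, Go returns 0 for an absent key, which going by the commit title appears to be the anonymous level, so a typo or a forgotten entry would fail open. `CanProceed` is outside this hunk; if it does not already do so, I would use the comma-ok form, `need, ok := minimalRights[route]`, and deny when `!ok`. The comment above the map could then read `// Route — minimal right required (0 is anon; unlisted routes are denied)`.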
@ -2,9 +2,11 @@ package web
|
||||
|
||||
import (
|
||||
"github.com/bouncepaw/mycorrhiza/hyphae/categories"
|
||||
"github.com/bouncepaw/mycorrhiza/user"
|
||||
"github.com/bouncepaw/mycorrhiza/util"
|
||||
"github.com/bouncepaw/mycorrhiza/views"
|
||||
"github.com/gorilla/mux"
|
||||
"io"
|
||||
"net/http"
|
||||
)
|
||||
|
||||
@ -34,6 +36,11 @@ func handlerRemoveFromCategory(w http.ResponseWriter, rq *http.Request) {
|
||||
catName = util.CanonicalName(rq.PostFormValue("cat"))
|
||||
redirectTo = rq.PostFormValue("redirect-to")
|
||||
)
|
||||
if !user.FromRequest(rq).CanProceed("remove-from-category") {
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
_, _ = io.WriteString(w, "403 Forbidden")
|
||||
return
|
||||
}
|
||||
categories.RemoveHyphaFromCategory(hyphaName, catName)
|
||||
http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
|
||||
}
|
||||
@ -45,6 +52,11 @@ func handlerAddToCategory(w http.ResponseWriter, rq *http.Request) {
|
||||
catName = util.CanonicalName(rq.PostFormValue("cat"))
|
||||
redirectTo = rq.PostFormValue("redirect-to")
|
||||
)
|
||||
if !user.FromRequest(rq).CanProceed("add-to-category") {
|
||||
w.WriteHeader(http.StatusForbidden)
|
||||
_, _ = io.WriteString(w, "403 Forbidden")
|
||||
return
|
||||
}
|
||||
categories.AddHyphaToCategory(hyphaName, catName)
|
||||
http.Redirect(w, rq, redirectTo, http.StatusSeeOther)
|
||||
}
|
||||
|
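Review bot: `redirectTo` is taken straight from the `redirect-to` form field and handed to `http.Redirect` in both `handlerRemoveFromCategory` and `handlerAddToCategory`, so with the permission check in place the remaining gap is that a logged-in user's POST can be answered with a redirect to whatever URL the form supplied. I would accept only a local path before redirecting, for example `if !strings.HasPrefix(redirectTo, "/") || strings.HasPrefix(redirectTo, "//") || strings.HasPrefix(redirectTo, "/\\") { redirectTo = "/" }` (or another fixed local page as the fallback), which also needs `strings` in the import block. The two identical 403 blocks could move into one small helper so the status code and body cannot drift apart. Both function bodies start above their hunks, so the declaration of `hyphaName` and any earlier checks are not visible here.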