From cfdc7b82aef29d13e642c50a73eb8788e4ed6822 Mon Sep 17 00:00:00 2001 From: bouncepaw Date: Sun, 15 Nov 2020 17:58:13 +0500 Subject: [PATCH] Do not let mutate pages without rights for doing so --- http_mutators.go | 36 ++++++++++++++++++++++++++++++++++++ main.go | 6 ++++++ user/group.go | 9 +++++++++ 3 files changed, 51 insertions(+) diff --git a/http_mutators.go b/http_mutators.go index beb43e6..8deaaac 100644 --- a/http_mutators.go +++ b/http_mutators.go @@ -6,6 +6,7 @@ import ( "net/http" "github.com/bouncepaw/mycorrhiza/templates" + "github.com/bouncepaw/mycorrhiza/user" "github.com/bouncepaw/mycorrhiza/util" ) @@ -25,6 +26,11 @@ func handlerRenameAsk(w http.ResponseWriter, rq *http.Request) { hyphaName = HyphaNameFromRq(rq, "rename-ask") _, isOld = HyphaStorage[hyphaName] ) + if ok := user.CanProceed(rq, "rename-confirm"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be a trusted editor to rename pages.") + log.Println("Rejected", rq.URL) + return + } util.HTTP200Page(w, base("Rename "+hyphaName+"?", templates.RenameAskHTML(hyphaName, isOld))) } @@ -37,6 +43,11 @@ func handlerRenameConfirm(w http.ResponseWriter, rq *http.Request) { _, newNameIsUsed = HyphaStorage[newName] recursive bool ) + if ok := user.CanProceed(rq, "rename-confirm"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be a trusted editor to rename pages.") + log.Println("Rejected", rq.URL) + return + } if rq.PostFormValue("recursive") == "true" { recursive = true } 
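Review bot: handlerRenameAsk passes `"rename-confirm"` to user.CanProceed although the handler's own route is "rename-ask"; it is the only guard in this patch whose route literal differs from the handler it protects (handlerDeleteAsk passes "delete-ask"). If the intent is that the ask page should demand the same rights as the confirm step so the form is never shown to someone who cannot complete it, a comment should say so, e.g. `// the ask page requires the same rights as rename-confirm so the form is not shown to users who cannot rename`; otherwise change the line to `if ok := user.CanProceed(rq, "rename-ask"); !ok {`. Whether the two names resolve to the same group inside CanAccessRoute cannot be seen from this diff. handlerRenameAsk starts before this hunk.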
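Review bot: The rejection log line in handlerRenameConfirm, `log.Println("Rejected", rq.URL)`, records only the URL, so a refused rename cannot be tied to a client when the log is reviewed; the same line is added in handlerRenameAsk, handlerDeleteAsk, handlerDeleteConfirm, handlerEdit, handlerUploadText, handlerUploadBinary and handlerReindex. Including the peer address is a one-token change, `log.Println("Rejected", rq.URL, "from", rq.RemoteAddr)`. The account behind the request is resolved inside user.CanProceed and not returned, so logging it as well would need FromRequest to be called in the handler or CanProceed to expose the resolved group. This matters most for the confirm handlers, which are the ones that actually change the wiki. handlerRenameConfirm continues past this hunk.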
@@ -71,6 +82,11 @@ func handlerDeleteAsk(w http.ResponseWriter, rq *http.Request) { hyphaName = HyphaNameFromRq(rq, "delete-ask") _, isOld = HyphaStorage[hyphaName] ) + if ok := user.CanProceed(rq, "delete-ask"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be a moderator to delete pages.") + log.Println("Rejected", rq.URL) + return + } util.HTTP200Page(w, base("Delete "+hyphaName+"?", templates.DeleteAskHTML(hyphaName, isOld))) } @@ -81,6 +97,11 @@ func handlerDeleteConfirm(w http.ResponseWriter, rq *http.Request) { hyphaName = HyphaNameFromRq(rq, "delete-confirm") hyphaData, isOld = HyphaStorage[hyphaName] ) + if ok := user.CanProceed(rq, "delete-confirm"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be a moderator to delete pages.") + log.Println("Rejected", rq.URL) + return + } if isOld { // If deleted successfully if hop := hyphaData.DeleteHypha(hyphaName); len(hop.Errs) == 0 { @@ -108,6 +129,11 @@ func handlerEdit(w http.ResponseWriter, rq *http.Request) { textAreaFill string err error ) + if ok := user.CanProceed(rq, "edit"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be an editor to edit pages.") + log.Println("Rejected", rq.URL) + return + } if isOld { textAreaFill, err = FetchTextPart(hyphaData) if err != nil { @@ -129,6 +155,11 @@ func handlerUploadText(w http.ResponseWriter, rq *http.Request) { hyphaData, isOld = HyphaStorage[hyphaName] textData = rq.PostFormValue("text") ) + if ok := user.CanProceed(rq, "upload-text"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be an editor to edit pages.") + log.Println("Rejected", rq.URL) + return + } if !isOld { hyphaData = &HyphaData{} } 
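Review bot: The five-line guard added to handlerDeleteAsk is repeated verbatim in handlerRenameAsk, handlerRenameConfirm, handlerDeleteConfirm, handlerEdit, handlerUploadText, handlerUploadBinary and handlerReindex, differing only in the route literal, the page name and the explanation string; a small helper in http_mutators.go would keep the status code, title and log line identical across all of them and make the check harder to drift. Each call site then shrinks to one statement, `if denyUnlessAllowed(w, rq, "delete-ask", hyphaName, "You must be a moderator to delete pages.") { return }`. This is a point of style; the behaviour of every handler is unchanged. handlerDeleteAsk's var block starts before this hunk.
```go
// denyUnlessAllowed writes a 403 page and logs the rejection when the
// request's user may not access route. It reports whether the caller
// must stop handling the request.
func denyUnlessAllowed(w http.ResponseWriter, rq *http.Request, route, hyphaName, explanation string) bool {
	if user.CanProceed(rq, route) {
		return false
	}
	HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", explanation)
	log.Println("Rejected", rq.URL)
	return true
}

// … unchanged: handlerDeleteAsk var block …
	if denyUnlessAllowed(w, rq, "delete-ask", hyphaName, "You must be a moderator to delete pages.") {
		return
	}
// … unchanged: HTTP200Page call …
```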
@@ -147,6 +178,11 @@ func handlerUploadText(w http.ResponseWriter, rq *http.Request) { func handlerUploadBinary(w http.ResponseWriter, rq *http.Request) { log.Println(rq.URL) hyphaName := HyphaNameFromRq(rq, "upload-binary") + if ok := user.CanProceed(rq, "upload-binary"); !ok { + HttpErr(w, http.StatusForbidden, hyphaName, "Not enough rights", "You must be an editor to upload attachments.") + log.Println("Rejected", rq.URL) + return + } rq.ParseMultipartForm(10 << 20) file, handler, err := rq.FormFile("binary") diff --git a/main.go b/main.go index 4002cf1..aa29c7f 100644 --- a/main.go +++ b/main.go @@ -15,6 +15,7 @@ import ( "github.com/bouncepaw/mycorrhiza/history" "github.com/bouncepaw/mycorrhiza/templates" + "github.com/bouncepaw/mycorrhiza/user" "github.com/bouncepaw/mycorrhiza/util" ) @@ -63,6 +64,11 @@ var base = templates.BaseHTML // Reindex all hyphae by checking the wiki storage directory anew. func handlerReindex(w http.ResponseWriter, rq *http.Request) { log.Println(rq.URL) + if ok := user.CanProceed(rq, "reindex"); !ok { + HttpErr(w, http.StatusForbidden, util.HomePage, "Not enough rights", "You must be an admin to reindex hyphae.") + log.Println("Rejected", rq.URL) + return + } HyphaStorage = make(map[string]*HyphaData) log.Println("Wiki storage directory is", WikiDir) log.Println("Start indexing hyphae...") diff --git a/user/group.go b/user/group.go index 8ff7f1f..d06fb29 100644 --- a/user/group.go +++ b/user/group.go @@ -2,6 +2,7 @@ package user import ( "log" + "net/http" ) func groupFromString(s string) UserGroup { @@ -59,3 +60,11 @@ func (ug UserGroup) CanAccessRoute(route string) bool { } return true } + +func CanProceed(rq *http.Request, route string) bool { + ug := UserAnon + if u := FromRequest(rq); u != nil { + ug = u.Group + } + return ug.CanAccessRoute(route) +}
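Review bot: CanProceed is exported but carries no doc comment, and how a request with no recognised user is treated (this function maps it to UserAnon) is exactly what the eight new call sites need to know; add `// CanProceed reports whether the user behind rq may access route. A request without a recognised user is checked as UserAnon.` above the func line. The visible tail of CanAccessRoute ends in `return true`, which suggests a route name that matches nothing in that function is allowed, so a misspelt route literal at a call site would fail open rather than closed; if that reading is right, consider making the unmatched case deny and log, or at least say so in the comment so new call sites are written with care. CanAccessRoute's body starts before this hunk, so its default cannot be confirmed from the diff.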