hamlab/mobilizon-frontend
2
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Disallow accessing identity page when logged in

Browse Source 
And disallow calls to fetchPerson when not our own profile or unlogged

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
Thomas Citharel
2020-10-02 09:52:47 +02:00
parent beba4a16ea
commit d41aa3b2fd
23 changed files with 1097 additions and 1026 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
lib/graphql/error.ex
View File

@@ -71,17 +71,23 @@ defmodule Mobilizon.GraphQL.Error do
# Build Error Metadata
# --------------------
defp metadata(:unknown_resource), do: {400, "Unknown Resource"}
defp metadata(:invalid_argument), do: {400, "Invalid arguments passed"}
defp metadata(:unauthenticated), do: {401, "You need to be logged in"}
defp metadata(:password_hash_missing), do: {401, "Reset your password to login"}
defp metadata(:incorrect_password), do: {401, "Invalid credentials"}
defp metadata(:unauthorized), do: {403, "You don't have permission to do this"}
defp metadata(:not_found), do: {404, "Resource not found"}
defp metadata(:user_not_found), do: {404, "User not found"}
defp metadata(:unknown_resource), do: {400, dgettext("errors", "Unknown Resource")}
defp metadata(:invalid_argument), do: {400, dgettext("errors", "Invalid arguments passed")}
defp metadata(:unauthenticated), do: {401, dgettext("errors", "You need to be logged in")}
defp metadata(:password_hash_missing),
do: {401, dgettext("errors", "Reset your password to login")}
defp metadata(:incorrect_password), do: {401, dgettext("errors", "Invalid credentials")}
defp metadata(:unauthorized),
do: {403, dgettext("errors", "You don't have permission to do this")}
defp metadata(:not_found), do: {404, dgettext("errors", "Resource not found")}
defp metadata(:user_not_found), do: {404, dgettext("errors", "User not found")}
defp metadata(:post_not_found), do: {404, dgettext("errors", "Post not found")}
defp metadata(:event_not_found), do: {404, dgettext("errors", "Event not found")}
defp metadata(:unknown), do: {500, "Something went wrong"}
defp metadata(:unknown), do: {500, dgettext("errors", "Something went wrong")}
defp metadata(code) do
Logger.warn("Unhandled error code: #{inspect(code)}")

31
lib/graphql/resolvers/person.ex
View File

@@ -35,12 +35,18 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
@doc """
Find a person
"""
def fetch_person(_parent, %{preferred_username: preferred_username}, _resolution) do
with {:ok, %Actor{} = actor} <-
def fetch_person(_parent, %{preferred_username: preferred_username}, %{
context: %{current_user: %User{} = user}
}) do
with {:ok, %Actor{id: actor_id} = actor} <-
ActivityPub.find_or_make_actor_from_nickname(preferred_username),
{:own, {:is_owned, _}} <- {:own, User.owns_actor(user, actor_id)},
actor <- proxify_pictures(actor) do
{:ok, actor}
else
{:own, nil} ->
{:error, :unauthorized}
_ ->
{:error,
dgettext("errors", "Person with username %{username} not found",
@@ -49,6 +55,8 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
end
end
def fetch_person(_parent, _args, _resolution), do: {:error, :unauthenticated}
def list_persons(
_parent,
%{
@@ -69,8 +77,15 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
Actors.list_actors(:Person, preferred_username, name, domain, local, suspended, page, limit)}
end
def list_persons(_parent, _args, %{
context: %{current_user: %User{role: role}}
})
when not is_moderator(role) do
{:error, :unauthorized}
end
def list_persons(_parent, _args, _resolution) do
{:error, dgettext("errors", "You need to be logged-in and a moderator to list persons")}
{:error, :unauthenticated}
end
@doc """
@@ -81,7 +96,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
end
def get_current_person(_parent, _args, _resolution) do
{:error, dgettext("errors", "You need to be logged-in to view current person")}
{:error, :unauthenticated}
end
@doc """
@@ -92,7 +107,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
end
def identities(_parent, _args, _resolution) do
{:error, dgettext("errors", "You need to be logged-in to view your list of identities")}
{:error, :unauthenticated}
end
@doc """
@@ -115,7 +130,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
This function is used to create more identities from an existing user
"""
def create_person(_parent, _args, _resolution) do
{:error, dgettext("errors", "You need to be logged-in to create a new identity")}
{:error, :unauthenticated}
end
@doc """
@@ -144,7 +159,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
end
def update_person(_parent, _args, _resolution) do
{:error, dgettext("errors", "You need to be logged-in to update an identity")}
{:error, :unauthenticated}
end
@doc """
@@ -178,7 +193,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Person do
end
def delete_person(_parent, _args, _resolution) do
{:error, dgettext("errors", "You need to be logged-in to delete an identity")}
{:error, :unauthenticated}
end
defp last_identity?(user) do