From 9d7009c7726dc8d9a3734959d0f823cc1b41b963 Mon Sep 17 00:00:00 2001
From: Dessalines
Date: Tue, 14 Feb 2023 14:31:04 -0500
Subject: [PATCH] Only let top admin purge. Fixes #2731 (#2732)

---
 crates/api/src/site/purge/comment.rs | 6 +++---
 crates/api/src/site/purge/community.rs | 6 +++---
 crates/api/src/site/purge/person.rs | 6 +++---
 crates/api/src/site/purge/post.rs | 6 +++---
 crates/api_common/src/utils.rs | 13 +++++++++++++
 5 files changed, 25 insertions(+), 12 deletions(-)

diff --git a/crates/api/src/site/purge/comment.rs b/crates/api/src/site/purge/comment.rs
index 71d2c7889..9664a6288 100644
--- a/crates/api/src/site/purge/comment.rs
+++ b/crates/api/src/site/purge/comment.rs
@@ -3,7 +3,7 @@ use actix_web::web::Data;
 use lemmy_api_common::{
   context::LemmyContext,
   site::{PurgeComment, PurgeItemResponse},
-  utils::{get_local_user_view_from_jwt, is_admin},
+  utils::{get_local_user_view_from_jwt, is_top_admin},
 };
 use lemmy_db_schema::{
   source::{
@@ -28,8 +28,8 @@ impl Perform for PurgeComment {
     let local_user_view = get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
     let comment_id = data.comment_id;
diff --git a/crates/api/src/site/purge/community.rs b/crates/api/src/site/purge/community.rs
index e3a673b74..abc4ff328 100644
--- a/crates/api/src/site/purge/community.rs
+++ b/crates/api/src/site/purge/community.rs
@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeCommunity, PurgeItemResponse},
-  utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_community},
+  utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_community},
 };
 use lemmy_db_schema::{
   source::{
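Review bot: In the `PurgeComment` hunk the replacement drops `is_admin(&local_user_view)?`, so every non-admin caller now pays the `PersonViewSafe::admins` database query inside `is_top_admin` before being rejected, and the error they receive changes from `not_an_admin` to `not_top_admin`. Keeping the cheap field check in front, `is_admin(&local_user_view)?;` followed by `is_top_admin(context.pool(), local_user_view.person.id).await?;` (and keeping `is_admin` in the `utils` import), rejects non-admins without a round-trip and preserves the existing error key for them. The same applies to the community, person and post purge handlers changed in this patch. The `perform` body continues outside the hunk.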
@@ -29,8 +29,8 @@ impl Perform for PurgeCommunity {
     let local_user_view = get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
     let community_id = data.community_id;
diff --git a/crates/api/src/site/purge/person.rs b/crates/api/src/site/purge/person.rs
index 658e50b6d..94c80a928 100644
--- a/crates/api/src/site/purge/person.rs
+++ b/crates/api/src/site/purge/person.rs
@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeItemResponse, PurgePerson},
-  utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_person},
+  utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_person},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgePerson {
     let local_user_view = get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
     // Read the person to get their images
     let person_id = data.person_id;
diff --git a/crates/api/src/site/purge/post.rs b/crates/api/src/site/purge/post.rs
index aa2e74839..27f908188 100644
--- a/crates/api/src/site/purge/post.rs
+++ b/crates/api/src/site/purge/post.rs
@@ -4,7 +4,7 @@ use lemmy_api_common::{
   context::LemmyContext,
   request::purge_image_from_pictrs,
   site::{PurgeItemResponse, PurgePost},
-  utils::{get_local_user_view_from_jwt, is_admin},
+  utils::{get_local_user_view_from_jwt, is_top_admin},
 };
 use lemmy_db_schema::{
   source::{
@@ -29,8 +29,8 @@ impl Perform for PurgePost {
     let local_user_view = get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
-    // Only let admins purge an item
-    is_admin(&local_user_view)?;
+    // Only let the top admin purge an item
+    is_top_admin(context.pool(), local_user_view.person.id).await?;
     let post_id = data.post_id;
diff --git a/crates/api_common/src/utils.rs b/crates/api_common/src/utils.rs
index 88908bccd..3bdd94546 100644
--- a/crates/api_common/src/utils.rs
+++ b/crates/api_common/src/utils.rs
@@ -30,6 +30,7 @@ use lemmy_db_views_actor::structs::{
   CommunityModeratorView,
   CommunityPersonBanView,
   CommunityView,
+  PersonViewSafe,
 };
 use lemmy_utils::{
   claims::Claims,
@@ -60,6 +61,18 @@ pub async fn is_mod_or_admin(
   Ok(())
 }
+pub async fn is_top_admin(pool: &DbPool, person_id: PersonId) -> Result<(), LemmyError> {
+  let admins = PersonViewSafe::admins(pool).await?;
+  let top_admin = admins
+    .get(0)
+    .ok_or_else(|| LemmyError::from_message("no admins"))?;
+
+  if top_admin.person.id != person_id {
+    return Err(LemmyError::from_message("not_top_admin"));
+  }
+  Ok(())
+}
+
 pub fn is_admin(local_user_view: &LocalUserView) -> Result<(), LemmyError> {
   if !local_user_view.person.admin {
     return Err(LemmyError::from_message("not_an_admin"));
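Review bot: `is_top_admin` defines the top admin as `admins.get(0)`, so the authorization decision is only as strong as the ordering `PersonViewSafe::admins` applies; if that query (not visible here) has no deterministic `ORDER BY`, whichever admin happens to be returned first is granted purge rights, so the ordering this check depends on should be stated in a doc comment and, presumably, pinned in the query itself — worth confirming. The `"no admins"` message is also the only error in this hunk that is not a snake_case key like `"not_top_admin"` and `"not_an_admin"`; `"no_admins"` would be consistent. Clippy's `get_first` lint will flag `.get(0)`; `.first()` reads better. A doc comment such as `/// Errors unless person_id is the first admin returned by PersonViewSafe::admins, i.e. the instance's top admin; fails with "no_admins" if the list is empty.` would make the contract explicit.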