Only let top admin purge. Fixes #2731 (#2732)

This commit is contained in:
Dessalines 2023-02-14 14:31:04 -05:00 committed by GitHub
parent 25e98064b6
commit 9d7009c772
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 25 additions and 12 deletions

View File

@ -3,7 +3,7 @@ use actix_web::web::Data;
use lemmy_api_common::{
context::LemmyContext,
site::{PurgeComment, PurgeItemResponse},
utils::{get_local_user_view_from_jwt, is_admin},
utils::{get_local_user_view_from_jwt, is_top_admin},
};
use lemmy_db_schema::{
source::{
@ -28,8 +28,8 @@ impl Perform for PurgeComment {
let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item
is_admin(&local_user_view)?;
// Only let the top admin purge an item
is_top_admin(context.pool(), local_user_view.person.id).await?;
let comment_id = data.comment_id;

View File

@ -4,7 +4,7 @@ use lemmy_api_common::{
context::LemmyContext,
request::purge_image_from_pictrs,
site::{PurgeCommunity, PurgeItemResponse},
utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_community},
utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_community},
};
use lemmy_db_schema::{
source::{
@ -29,8 +29,8 @@ impl Perform for PurgeCommunity {
let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item
is_admin(&local_user_view)?;
// Only let the top admin purge an item
is_top_admin(context.pool(), local_user_view.person.id).await?;
let community_id = data.community_id;

View File

@ -4,7 +4,7 @@ use lemmy_api_common::{
context::LemmyContext,
request::purge_image_from_pictrs,
site::{PurgeItemResponse, PurgePerson},
utils::{get_local_user_view_from_jwt, is_admin, purge_image_posts_for_person},
utils::{get_local_user_view_from_jwt, is_top_admin, purge_image_posts_for_person},
};
use lemmy_db_schema::{
source::{
@ -29,8 +29,8 @@ impl Perform for PurgePerson {
let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item
is_admin(&local_user_view)?;
// Only let the top admin purge an item
is_top_admin(context.pool(), local_user_view.person.id).await?;
// Read the person to get their images
let person_id = data.person_id;

View File

@ -4,7 +4,7 @@ use lemmy_api_common::{
context::LemmyContext,
request::purge_image_from_pictrs,
site::{PurgeItemResponse, PurgePost},
utils::{get_local_user_view_from_jwt, is_admin},
utils::{get_local_user_view_from_jwt, is_top_admin},
};
use lemmy_db_schema::{
source::{
@ -29,8 +29,8 @@ impl Perform for PurgePost {
let local_user_view =
get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
// Only let admins purge an item
is_admin(&local_user_view)?;
// Only let the top admin purge an item
is_top_admin(context.pool(), local_user_view.person.id).await?;
let post_id = data.post_id;

View File

@ -30,6 +30,7 @@ use lemmy_db_views_actor::structs::{
CommunityModeratorView,
CommunityPersonBanView,
CommunityView,
PersonViewSafe,
};
use lemmy_utils::{
claims::Claims,
@ -60,6 +61,18 @@ pub async fn is_mod_or_admin(
Ok(())
}
pub async fn is_top_admin(pool: &DbPool, person_id: PersonId) -> Result<(), LemmyError> {
let admins = PersonViewSafe::admins(pool).await?;
let top_admin = admins
.get(0)
.ok_or_else(|| LemmyError::from_message("no admins"))?;
if top_admin.person.id != person_id {
return Err(LemmyError::from_message("not_top_admin"));
}
Ok(())
}
pub fn is_admin(local_user_view: &LocalUserView) -> Result<(), LemmyError> {
if !local_user_view.person.admin {
return Err(LemmyError::from_message("not_an_admin"));