Add permission checks for adding/removing grants/punishments
This commit is contained in:
Colin McDonald
parent
bc92c39ce0
commit
2cc28e907d
|
|
@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog;
|
|||
import net.frozenorb.apiv3.auditLog.AuditLogActionType;
|
||||
import net.frozenorb.apiv3.model.Grant;
|
||||
import net.frozenorb.apiv3.model.User;
|
||||
import net.frozenorb.apiv3.unsorted.Permissions;
|
||||
import net.frozenorb.apiv3.util.ErrorUtils;
|
||||
import net.frozenorb.apiv3.util.SyncUtils;
|
||||
|
||||
|
|
@ -35,6 +36,15 @@ public final class DELETEGrantsId implements Handler<RoutingContext> {
|
|||
return;
|
||||
}
|
||||
|
||||
if (removedBy != null) {
|
||||
boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_GRANT + "." + grant.getRank(), v));
|
||||
|
||||
if (!allowed) {
|
||||
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this grant.", "userDoesNotHavePermission", ImmutableMap.of());
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
SyncUtils.<Void>runBlocking(v -> grant.delete(removedBy, reason, v));
|
||||
|
||||
if (removedBy != null) {
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import net.frozenorb.apiv3.model.Grant;
|
|||
import net.frozenorb.apiv3.model.Rank;
|
||||
import net.frozenorb.apiv3.model.ServerGroup;
|
||||
import net.frozenorb.apiv3.model.User;
|
||||
import net.frozenorb.apiv3.unsorted.Permissions;
|
||||
import net.frozenorb.apiv3.unsorted.TotpAuthorizationResult;
|
||||
import net.frozenorb.apiv3.util.ErrorUtils;
|
||||
import net.frozenorb.apiv3.util.SyncUtils;
|
||||
|
|
@ -76,14 +77,23 @@ public final class POSTGrants implements Handler<RoutingContext> {
|
|||
// We purposely don't fail on a null check, grants don't have to have a source.
|
||||
User addedBy = SyncUtils.runBlocking(v -> User.findById(requestBody.getString("addedBy"), v));
|
||||
|
||||
if (addedBy != null && rank.isHigherStaffRank()) {
|
||||
int code = requestBody.getInteger("totpCode");
|
||||
TotpAuthorizationResult totpAuthorizationResult = SyncUtils.runBlocking(v -> addedBy.checkTotpAuthorization(code, null, v));
|
||||
if (addedBy != null) {
|
||||
boolean allowed = SyncUtils.runBlocking(v -> addedBy.hasPermissionAnywhere(Permissions.CREATE_GRANT + "." + rank.getId(), v));
|
||||
|
||||
if (!totpAuthorizationResult.isAuthorized()) {
|
||||
ErrorUtils.respondInvalidInput(ctx, "Totp authorization failed: " + totpAuthorizationResult.name());
|
||||
if (!allowed) {
|
||||
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to create this grant.", "userDoesNotHavePermission", ImmutableMap.of());
|
||||
return;
|
||||
}
|
||||
|
||||
if (rank.isHigherStaffRank()) {
|
||||
int code = requestBody.getInteger("totpCode");
|
||||
TotpAuthorizationResult totpAuthorizationResult = SyncUtils.runBlocking(v -> addedBy.checkTotpAuthorization(code, null, v));
|
||||
|
||||
if (!totpAuthorizationResult.isAuthorized()) {
|
||||
ErrorUtils.respondInvalidInput(ctx, "Totp authorization failed: " + totpAuthorizationResult.name());
|
||||
return;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
int storeItemId = requestBody.getInteger("storeItemId", -1);
|
||||
|
|
|
|||
|
|
@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog;
|
|||
import net.frozenorb.apiv3.auditLog.AuditLogActionType;
|
||||
import net.frozenorb.apiv3.model.Punishment;
|
||||
import net.frozenorb.apiv3.model.User;
|
||||
import net.frozenorb.apiv3.unsorted.Permissions;
|
||||
import net.frozenorb.apiv3.util.ErrorUtils;
|
||||
import net.frozenorb.apiv3.util.SyncUtils;
|
||||
|
||||
|
|
@ -35,6 +36,15 @@ public final class DELETEPunishmentsId implements Handler<RoutingContext> {
|
|||
return;
|
||||
}
|
||||
|
||||
if (removedBy != null) {
|
||||
boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_PUNISHMENT + "." + punishment.getType().name().toLowerCase(), v));
|
||||
|
||||
if (!allowed) {
|
||||
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
SyncUtils.<Void>runBlocking(v -> punishment.delete(removedBy, reason, v));
|
||||
|
||||
if (removedBy != null) {
|
||||
|
|
|
|||
|
|
@ -11,6 +11,7 @@ import net.frozenorb.apiv3.auditLog.AuditLogActionType;
|
|||
import net.frozenorb.apiv3.model.AuditLogEntry;
|
||||
import net.frozenorb.apiv3.model.Punishment;
|
||||
import net.frozenorb.apiv3.model.User;
|
||||
import net.frozenorb.apiv3.unsorted.Permissions;
|
||||
import net.frozenorb.apiv3.util.ErrorUtils;
|
||||
import net.frozenorb.apiv3.util.SyncUtils;
|
||||
|
||||
|
|
@ -38,6 +39,15 @@ public final class DELETEUsersIdActivePunishment implements Handler<RoutingConte
|
|||
return;
|
||||
}
|
||||
|
||||
if (removedBy != null) {
|
||||
boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_PUNISHMENT + "." + type.name().toLowerCase(), v));
|
||||
|
||||
if (!allowed) {
|
||||
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
List<Punishment> punishments = SyncUtils.runBlocking(v -> Punishment.findByUserAndType(target, ImmutableSet.of(type), v));
|
||||
List<Punishment> removedPunishments = new LinkedList<>();
|
||||
|
||||
|
|
|
|||
|
|
@ -98,6 +98,15 @@ public final class POSTPunishments implements Handler<RoutingContext> {
|
|||
}
|
||||
}
|
||||
|
||||
if (addedBy != null) {
|
||||
boolean allowed = SyncUtils.runBlocking(v -> addedBy.hasPermissionAnywhere(Permissions.CREATE_PUNISHMENT + "." + type.name().toLowerCase(), v));
|
||||
|
||||
if (!allowed) {
|
||||
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to create this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
|
||||
return;
|
||||
}
|
||||
}
|
||||
|
||||
if ((type == Punishment.PunishmentType.BAN || type == Punishment.PunishmentType.BLACKLIST) && userIp != null) {
|
||||
IpBan ipBan = new IpBan(userIp, punishment);
|
||||
SyncUtils.<Void>runBlocking(v -> ipBan.insert(v));
|
||||
|
|
|
|||
|
|
@ -8,5 +8,9 @@ public class Permissions {
|
|||
public static final String PROTECTED_PUNISHMENT = "minehq.punishment.protected";
|
||||
public static final String BYPASS_VPN_CHECK = "minehq.vpn.bypass";
|
||||
public static final String REQUIRE_TOTP_CODE = "minehq.totp.require";
|
||||
public static final String CREATE_PUNISHMENT = "minehq.punishment.create";
|
||||
public static final String REMOVE_PUNISHMENT = "minehq.punishment.remove";
|
||||
public static final String CREATE_GRANT = "minehq.grant.create";
|
||||
public static final String REMOVE_GRANT = "minehq.grant.remove";
|
||||
|
||||
}
|
||||
Loading…
Reference in New Issue