From 2cc28e907d207510d324a0f3a70fb8be3db601bd Mon Sep 17 00:00:00 2001
From: Colin McDonald <cmcdonald.main@gmail.com>
Date: Mon, 18 Jul 2016 19:45:34 -0400
Subject: [PATCH] Add permission checks for adding/removing grants/punishments

---
 .../apiv3/route/grants/DELETEGrantsId.java    | 10 ++++++++++
 .../apiv3/route/grants/POSTGrants.java        | 20 ++++++++++++++-----
 .../punishments/DELETEPunishmentsId.java      | 10 ++++++++++
 .../DELETEUsersIdActivePunishment.java        | 10 ++++++++++
 .../route/punishments/POSTPunishments.java    |  9 +++++++++
 .../frozenorb/apiv3/unsorted/Permissions.java |  4 ++++
 6 files changed, 58 insertions(+), 5 deletions(-)

diff --git a/src/main/java/net/frozenorb/apiv3/route/grants/DELETEGrantsId.java b/src/main/java/net/frozenorb/apiv3/route/grants/DELETEGrantsId.java
index 9214fcf..43c0789 100644
--- a/src/main/java/net/frozenorb/apiv3/route/grants/DELETEGrantsId.java
+++ b/src/main/java/net/frozenorb/apiv3/route/grants/DELETEGrantsId.java
@@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog;
 import net.frozenorb.apiv3.auditLog.AuditLogActionType;
 import net.frozenorb.apiv3.model.Grant;
 import net.frozenorb.apiv3.model.User;
+import net.frozenorb.apiv3.unsorted.Permissions;
 import net.frozenorb.apiv3.util.ErrorUtils;
 import net.frozenorb.apiv3.util.SyncUtils;
 
@@ -35,6 +36,15 @@ public final class DELETEGrantsId implements Handler<RoutingContext> {
 			return;
 		}
 
+		if (removedBy != null) {
+			boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_GRANT + "." + grant.getRank(), v));
+
+			if (!allowed) {
+				ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this grant.", "userDoesNotHavePermission", ImmutableMap.of());
+				return;
+			}
+		}
+
 		SyncUtils.<Void>runBlocking(v -> grant.delete(removedBy, reason, v));
 
 		if (removedBy != null) {
diff --git a/src/main/java/net/frozenorb/apiv3/route/grants/POSTGrants.java b/src/main/java/net/frozenorb/apiv3/route/grants/POSTGrants.java
index 6d510ea..49baccf 100644
--- a/src/main/java/net/frozenorb/apiv3/route/grants/POSTGrants.java
+++ b/src/main/java/net/frozenorb/apiv3/route/grants/POSTGrants.java
@@ -11,6 +11,7 @@ import net.frozenorb.apiv3.model.Grant;
 import net.frozenorb.apiv3.model.Rank;
 import net.frozenorb.apiv3.model.ServerGroup;
 import net.frozenorb.apiv3.model.User;
+import net.frozenorb.apiv3.unsorted.Permissions;
 import net.frozenorb.apiv3.unsorted.TotpAuthorizationResult;
 import net.frozenorb.apiv3.util.ErrorUtils;
 import net.frozenorb.apiv3.util.SyncUtils;
@@ -76,14 +77,23 @@ public final class POSTGrants implements Handler<RoutingContext> {
 		// We purposely don't fail on a null check, grants don't have to have a source.
 		User addedBy = SyncUtils.runBlocking(v -> User.findById(requestBody.getString("addedBy"), v));
 
-		if (addedBy != null && rank.isHigherStaffRank()) {
-			int code = requestBody.getInteger("totpCode");
-			TotpAuthorizationResult totpAuthorizationResult = SyncUtils.runBlocking(v -> addedBy.checkTotpAuthorization(code, null, v));
+		if (addedBy != null) {
+			boolean allowed = SyncUtils.runBlocking(v -> addedBy.hasPermissionAnywhere(Permissions.CREATE_GRANT + "." + rank.getId(), v));
 
-			if (!totpAuthorizationResult.isAuthorized()) {
-				ErrorUtils.respondInvalidInput(ctx, "Totp authorization failed: " + totpAuthorizationResult.name());
+			if (!allowed) {
+				ErrorUtils.respondOther(ctx, 409, "User given does not have permission to create this grant.", "userDoesNotHavePermission", ImmutableMap.of());
 				return;
 			}
+
+			if (rank.isHigherStaffRank()) {
+				int code = requestBody.getInteger("totpCode");
+				TotpAuthorizationResult totpAuthorizationResult = SyncUtils.runBlocking(v -> addedBy.checkTotpAuthorization(code, null, v));
+
+				if (!totpAuthorizationResult.isAuthorized()) {
+					ErrorUtils.respondInvalidInput(ctx, "Totp authorization failed: " + totpAuthorizationResult.name());
+					return;
+				}
+			}
 		}
 
 		int storeItemId = requestBody.getInteger("storeItemId", -1);
diff --git a/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEPunishmentsId.java b/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEPunishmentsId.java
index 598362c..6ae11db 100644
--- a/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEPunishmentsId.java
+++ b/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEPunishmentsId.java
@@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog;
 import net.frozenorb.apiv3.auditLog.AuditLogActionType;
 import net.frozenorb.apiv3.model.Punishment;
 import net.frozenorb.apiv3.model.User;
+import net.frozenorb.apiv3.unsorted.Permissions;
 import net.frozenorb.apiv3.util.ErrorUtils;
 import net.frozenorb.apiv3.util.SyncUtils;
 
@@ -35,6 +36,15 @@ public final class DELETEPunishmentsId implements Handler<RoutingContext> {
 			return;
 		}
 
+		if (removedBy != null) {
+			boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_PUNISHMENT + "." + punishment.getType().name().toLowerCase(), v));
+
+			if (!allowed) {
+				ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
+				return;
+			}
+		}
+
 		SyncUtils.<Void>runBlocking(v -> punishment.delete(removedBy, reason, v));
 
 		if (removedBy != null) {
diff --git a/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEUsersIdActivePunishment.java b/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEUsersIdActivePunishment.java
index 274d461..1d9b6ad 100644
--- a/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEUsersIdActivePunishment.java
+++ b/src/main/java/net/frozenorb/apiv3/route/punishments/DELETEUsersIdActivePunishment.java
@@ -11,6 +11,7 @@ import net.frozenorb.apiv3.auditLog.AuditLogActionType;
 import net.frozenorb.apiv3.model.AuditLogEntry;
 import net.frozenorb.apiv3.model.Punishment;
 import net.frozenorb.apiv3.model.User;
+import net.frozenorb.apiv3.unsorted.Permissions;
 import net.frozenorb.apiv3.util.ErrorUtils;
 import net.frozenorb.apiv3.util.SyncUtils;
 
@@ -38,6 +39,15 @@ public final class DELETEUsersIdActivePunishment implements Handler<RoutingConte
 			return;
 		}
 
+		if (removedBy != null) {
+			boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_PUNISHMENT + "." + type.name().toLowerCase(), v));
+
+			if (!allowed) {
+				ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
+				return;
+			}
+		}
+
 		List<Punishment> punishments = SyncUtils.runBlocking(v -> Punishment.findByUserAndType(target, ImmutableSet.of(type), v));
 		List<Punishment> removedPunishments = new LinkedList<>();
 
diff --git a/src/main/java/net/frozenorb/apiv3/route/punishments/POSTPunishments.java b/src/main/java/net/frozenorb/apiv3/route/punishments/POSTPunishments.java
index 9de2081..2ef8277 100644
--- a/src/main/java/net/frozenorb/apiv3/route/punishments/POSTPunishments.java
+++ b/src/main/java/net/frozenorb/apiv3/route/punishments/POSTPunishments.java
@@ -98,6 +98,15 @@ public final class POSTPunishments implements Handler<RoutingContext> {
 			}
 		}
 
+		if (addedBy != null) {
+			boolean allowed = SyncUtils.runBlocking(v -> addedBy.hasPermissionAnywhere(Permissions.CREATE_PUNISHMENT + "." + type.name().toLowerCase(), v));
+
+			if (!allowed) {
+				ErrorUtils.respondOther(ctx, 409, "User given does not have permission to create this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
+				return;
+			}
+		}
+
 		if ((type == Punishment.PunishmentType.BAN || type == Punishment.PunishmentType.BLACKLIST) && userIp != null) {
 			IpBan ipBan = new IpBan(userIp, punishment);
 			SyncUtils.<Void>runBlocking(v -> ipBan.insert(v));
diff --git a/src/main/java/net/frozenorb/apiv3/unsorted/Permissions.java b/src/main/java/net/frozenorb/apiv3/unsorted/Permissions.java
index 71ad3eb..af69b5d 100644
--- a/src/main/java/net/frozenorb/apiv3/unsorted/Permissions.java
+++ b/src/main/java/net/frozenorb/apiv3/unsorted/Permissions.java
@@ -8,5 +8,9 @@ public class Permissions {
 	public static final String PROTECTED_PUNISHMENT = "minehq.punishment.protected";
 	public static final String BYPASS_VPN_CHECK = "minehq.vpn.bypass";
 	public static final String REQUIRE_TOTP_CODE = "minehq.totp.require";
+	public static final String CREATE_PUNISHMENT = "minehq.punishment.create";
+	public static final String REMOVE_PUNISHMENT = "minehq.punishment.remove";
+	public static final String CREATE_GRANT = "minehq.grant.create";
+	public static final String REMOVE_GRANT = "minehq.grant.remove";
 
 }
\ No newline at end of file