The-pack-family/APIv3
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Add permission checks for adding/removing grants/punishments

Browse Source
This commit is contained in:
Colin McDonald 2016-07-18 19:45:34 -04:00
parent bc92c39ce0
commit 2cc28e907d
6 changed files with 58 additions and 5 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
src/main/java/net/frozenorb/apiv3/route/grants/DELETEGrantsId.java
View File

@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog;
import net.frozenorb.apiv3.auditLog.AuditLogActionType; import net.frozenorb.apiv3.auditLog.AuditLogActionType;
import net.frozenorb.apiv3.model.Grant; import net.frozenorb.apiv3.model.Grant;
import net.frozenorb.apiv3.model.User; import net.frozenorb.apiv3.model.User;
import net.frozenorb.apiv3.unsorted.Permissions;
import net.frozenorb.apiv3.util.ErrorUtils; import net.frozenorb.apiv3.util.ErrorUtils;
import net.frozenorb.apiv3.util.SyncUtils; import net.frozenorb.apiv3.util.SyncUtils;
@ -35,6 +36,15 @@ public final class DELETEGrantsId implements Handler<RoutingContext> {
return; return;
} }
if (removedBy != null) {
boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_GRANT + "." + grant.getRank(), v));
if (!allowed) {
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this grant.", "userDoesNotHavePermission", ImmutableMap.of());
return;
}
}
SyncUtils.<Void>runBlocking(v -> grant.delete(removedBy, reason, v)); SyncUtils.<Void>runBlocking(v -> grant.delete(removedBy, reason, v));
if (removedBy != null) { if (removedBy != null) {

20
src/main/java/net/frozenorb/apiv3/route/grants/POSTGrants.java
View File

@ -11,6 +11,7 @@ import net.frozenorb.apiv3.model.Grant;
import net.frozenorb.apiv3.model.Rank; import net.frozenorb.apiv3.model.Rank;
import net.frozenorb.apiv3.model.ServerGroup; import net.frozenorb.apiv3.model.ServerGroup;
import net.frozenorb.apiv3.model.User; import net.frozenorb.apiv3.model.User;
import net.frozenorb.apiv3.unsorted.Permissions;
import net.frozenorb.apiv3.unsorted.TotpAuthorizationResult; import net.frozenorb.apiv3.unsorted.TotpAuthorizationResult;
import net.frozenorb.apiv3.util.ErrorUtils; import net.frozenorb.apiv3.util.ErrorUtils;
import net.frozenorb.apiv3.util.SyncUtils; import net.frozenorb.apiv3.util.SyncUtils;
@ -76,14 +77,23 @@ public final class POSTGrants implements Handler<RoutingContext> {
// We purposely don't fail on a null check, grants don't have to have a source. // We purposely don't fail on a null check, grants don't have to have a source.
User addedBy = SyncUtils.runBlocking(v -> User.findById(requestBody.getString("addedBy"), v)); User addedBy = SyncUtils.runBlocking(v -> User.findById(requestBody.getString("addedBy"), v));
if (addedBy != null && rank.isHigherStaffRank()) { if (addedBy != null) {
int code = requestBody.getInteger("totpCode"); boolean allowed = SyncUtils.runBlocking(v -> addedBy.hasPermissionAnywhere(Permissions.CREATE_GRANT + "." + rank.getId(), v));
TotpAuthorizationResult totpAuthorizationResult = SyncUtils.runBlocking(v -> addedBy.checkTotpAuthorization(code, null, v));
if (!totpAuthorizationResult.isAuthorized()) { if (!allowed) {
ErrorUtils.respondInvalidInput(ctx, "Totp authorization failed: " + totpAuthorizationResult.name()); ErrorUtils.respondOther(ctx, 409, "User given does not have permission to create this grant.", "userDoesNotHavePermission", ImmutableMap.of());
return; return;
} }
if (rank.isHigherStaffRank()) {
int code = requestBody.getInteger("totpCode");
TotpAuthorizationResult totpAuthorizationResult = SyncUtils.runBlocking(v -> addedBy.checkTotpAuthorization(code, null, v));
if (!totpAuthorizationResult.isAuthorized()) {
ErrorUtils.respondInvalidInput(ctx, "Totp authorization failed: " + totpAuthorizationResult.name());
return;
}
}
} }
int storeItemId = requestBody.getInteger("storeItemId", -1); int storeItemId = requestBody.getInteger("storeItemId", -1);

10
src/main/java/net/frozenorb/apiv3/route/punishments/DELETEPunishmentsId.java
View File

@ -9,6 +9,7 @@ import net.frozenorb.apiv3.auditLog.AuditLog;
import net.frozenorb.apiv3.auditLog.AuditLogActionType; import net.frozenorb.apiv3.auditLog.AuditLogActionType;
import net.frozenorb.apiv3.model.Punishment; import net.frozenorb.apiv3.model.Punishment;
import net.frozenorb.apiv3.model.User; import net.frozenorb.apiv3.model.User;
import net.frozenorb.apiv3.unsorted.Permissions;
import net.frozenorb.apiv3.util.ErrorUtils; import net.frozenorb.apiv3.util.ErrorUtils;
import net.frozenorb.apiv3.util.SyncUtils; import net.frozenorb.apiv3.util.SyncUtils;
@ -35,6 +36,15 @@ public final class DELETEPunishmentsId implements Handler<RoutingContext> {
return; return;
} }
if (removedBy != null) {
boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_PUNISHMENT + "." + punishment.getType().name().toLowerCase(), v));
if (!allowed) {
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
return;
}
}
SyncUtils.<Void>runBlocking(v -> punishment.delete(removedBy, reason, v)); SyncUtils.<Void>runBlocking(v -> punishment.delete(removedBy, reason, v));
if (removedBy != null) { if (removedBy != null) {

10
src/main/java/net/frozenorb/apiv3/route/punishments/DELETEUsersIdActivePunishment.java
View File

@ -11,6 +11,7 @@ import net.frozenorb.apiv3.auditLog.AuditLogActionType;
import net.frozenorb.apiv3.model.AuditLogEntry; import net.frozenorb.apiv3.model.AuditLogEntry;
import net.frozenorb.apiv3.model.Punishment; import net.frozenorb.apiv3.model.Punishment;
import net.frozenorb.apiv3.model.User; import net.frozenorb.apiv3.model.User;
import net.frozenorb.apiv3.unsorted.Permissions;
import net.frozenorb.apiv3.util.ErrorUtils; import net.frozenorb.apiv3.util.ErrorUtils;
import net.frozenorb.apiv3.util.SyncUtils; import net.frozenorb.apiv3.util.SyncUtils;
@ -38,6 +39,15 @@ public final class DELETEUsersIdActivePunishment implements Handler<RoutingConte
return; return;
} }
if (removedBy != null) {
boolean allowed = SyncUtils.runBlocking(v -> removedBy.hasPermissionAnywhere(Permissions.REMOVE_PUNISHMENT + "." + type.name().toLowerCase(), v));
if (!allowed) {
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to remove this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
return;
}
}
List<Punishment> punishments = SyncUtils.runBlocking(v -> Punishment.findByUserAndType(target, ImmutableSet.of(type), v)); List<Punishment> punishments = SyncUtils.runBlocking(v -> Punishment.findByUserAndType(target, ImmutableSet.of(type), v));
List<Punishment> removedPunishments = new LinkedList<>(); List<Punishment> removedPunishments = new LinkedList<>();

9
src/main/java/net/frozenorb/apiv3/route/punishments/POSTPunishments.java
View File

@ -98,6 +98,15 @@ public final class POSTPunishments implements Handler<RoutingContext> {
} }
} }
if (addedBy != null) {
boolean allowed = SyncUtils.runBlocking(v -> addedBy.hasPermissionAnywhere(Permissions.CREATE_PUNISHMENT + "." + type.name().toLowerCase(), v));
if (!allowed) {
ErrorUtils.respondOther(ctx, 409, "User given does not have permission to create this punishment.", "userDoesNotHavePermission", ImmutableMap.of());
return;
}
}
if ((type == Punishment.PunishmentType.BAN || type == Punishment.PunishmentType.BLACKLIST) && userIp != null) { if ((type == Punishment.PunishmentType.BAN || type == Punishment.PunishmentType.BLACKLIST) && userIp != null) {
IpBan ipBan = new IpBan(userIp, punishment); IpBan ipBan = new IpBan(userIp, punishment);
SyncUtils.<Void>runBlocking(v -> ipBan.insert(v)); SyncUtils.<Void>runBlocking(v -> ipBan.insert(v));

4
src/main/java/net/frozenorb/apiv3/unsorted/Permissions.java
View File

@ -8,5 +8,9 @@ public class Permissions {
public static final String PROTECTED_PUNISHMENT = "minehq.punishment.protected"; public static final String PROTECTED_PUNISHMENT = "minehq.punishment.protected";
public static final String BYPASS_VPN_CHECK = "minehq.vpn.bypass"; public static final String BYPASS_VPN_CHECK = "minehq.vpn.bypass";
public static final String REQUIRE_TOTP_CODE = "minehq.totp.require"; public static final String REQUIRE_TOTP_CODE = "minehq.totp.require";
public static final String CREATE_PUNISHMENT = "minehq.punishment.create";
public static final String REMOVE_PUNISHMENT = "minehq.punishment.remove";
public static final String CREATE_GRANT = "minehq.grant.create";
public static final String REMOVE_GRANT = "minehq.grant.remove";
} }