Use getBy404 in isAuthorized when it's the right thing

This commit is contained in:
fr33domlover 2016-06-06 20:10:28 +00:00
parent 23c06c535a
commit d6967f52d9

View file

@ -192,12 +192,11 @@ instance Yesod App where
else Unauthorized "No access to this operation"
groupRole :: (GroupRole -> Bool) -> ShrIdent -> Handler AuthResult
groupRole role grp = personAnd $ \ (Entity pid _p) -> do
mrole <- runDB $ runMaybeT $ do
Entity sid _s <- MaybeT $ getBy $ UniqueSharer grp
Entity gid _g <- MaybeT $ getBy $ UniqueGroup sid
Entity _mid m <- MaybeT $ getBy $ UniqueGroupMember pid gid
return $ groupMemberRole m
groupRole role grp = personAnd $ \ (Entity pid _p) -> runDB $ do
Entity sid _s <- getBy404 $ UniqueSharer grp
Entity gid _g <- getBy404 $ UniqueGroup sid
mem <- getBy $ UniqueGroupMember pid gid
let mrole = groupMemberRole . entityVal <$> mem
return $ case mrole of
Nothing -> Unauthorized "Not a member of the group"
Just r ->
@ -210,37 +209,29 @@ instance Yesod App where
personOrGroupAdmin :: ShrIdent -> Handler AuthResult
personOrGroupAdmin shr = personAnd $ \ (Entity vpid _vp) -> runDB $ do
mes <- getBy $ UniqueSharer shr
case mes of
Nothing -> return $ Unauthorized "No such sharer"
Just (Entity sid _) -> do
mep <- getBy $ UniquePersonIdent sid
case mep of
Just (Entity pid _p) ->
return $ if pid == vpid
then Authorized
else
Unauthorized
"Cant access other peoples roles"
Entity sid _ <- getBy404 $ UniqueSharer shr
mep <- getBy $ UniquePersonIdent sid
case mep of
Just (Entity pid _p) ->
return $ if pid == vpid
then Authorized
else Unauthorized "Cant access other peoples roles"
Nothing -> do
meg <- getBy $ UniqueGroup sid
case meg of
Nothing -> do
meg <- getBy $ UniqueGroup sid
case meg of
Nothing -> do
$logWarn $
"Found non-person non-group \
\sharer: " <> shr2text shr
return $ Unauthorized "Zombine sharer"
Just (Entity gid _g) -> do
mem <- getBy $ UniqueGroupMember vpid gid
return $ case mem of
Nothing ->
Unauthorized "Not a group member"
Just (Entity _mid m) ->
if groupMemberRole m == GRAdmin
then Authorized
else
Unauthorized
"Not a group admin"
$logWarn $
"Found non-person non-group sharer: " <>
shr2text shr
return $ error "Zombie sharer"
Just (Entity gid _g) -> do
mem <- getBy $ UniqueGroupMember vpid gid
return $ case mem of
Nothing -> Unauthorized "Not a group member"
Just (Entity _mid m) ->
if groupMemberRole m == GRAdmin
then Authorized
else Unauthorized "Not a group admin"
projOp
:: ProjectOperation -> ShrIdent -> PrjIdent -> Handler AuthResult