Use getBy404 in isAuthorized when it's the right thing

This commit is contained in:
fr33domlover 2016-06-06 20:10:28 +00:00
parent 23c06c535a
commit d6967f52d9


@ -192,12 +192,11 @@ instance Yesod App where
else Unauthorized "No access to this operation" else Unauthorized "No access to this operation"
groupRole :: (GroupRole -> Bool) -> ShrIdent -> Handler AuthResult groupRole :: (GroupRole -> Bool) -> ShrIdent -> Handler AuthResult
groupRole role grp = personAnd $ \ (Entity pid _p) -> do groupRole role grp = personAnd $ \ (Entity pid _p) -> runDB $ do
mrole <- runDB $ runMaybeT $ do Entity sid _s <- getBy404 $ UniqueSharer grp
Entity sid _s <- MaybeT $ getBy $ UniqueSharer grp Entity gid _g <- getBy404 $ UniqueGroup sid
Entity gid _g <- MaybeT $ getBy $ UniqueGroup sid mem <- getBy $ UniqueGroupMember pid gid
Entity _mid m <- MaybeT $ getBy $ UniqueGroupMember pid gid let mrole = groupMemberRole . entityVal <$> mem
return $ groupMemberRole m
return $ case mrole of return $ case mrole of
Nothing -> Unauthorized "Not a member of the group" Nothing -> Unauthorized "Not a member of the group"
Just r -> Just r ->
@ -210,37 +209,29 @@ instance Yesod App where
personOrGroupAdmin :: ShrIdent -> Handler AuthResult personOrGroupAdmin :: ShrIdent -> Handler AuthResult
personOrGroupAdmin shr = personAnd $ \ (Entity vpid _vp) -> runDB $ do personOrGroupAdmin shr = personAnd $ \ (Entity vpid _vp) -> runDB $ do
mes <- getBy $ UniqueSharer shr Entity sid _ <- getBy404 $ UniqueSharer shr
case mes of
Nothing -> return $ Unauthorized "No such sharer"
Just (Entity sid _) -> do
mep <- getBy $ UniquePersonIdent sid mep <- getBy $ UniquePersonIdent sid
case mep of case mep of
Just (Entity pid _p) -> Just (Entity pid _p) ->
return $ if pid == vpid return $ if pid == vpid
then Authorized then Authorized
else else Unauthorized "Cant access other peoples roles"
Unauthorized
"Cant access other peoples roles"
Nothing -> do Nothing -> do
meg <- getBy $ UniqueGroup sid meg <- getBy $ UniqueGroup sid
case meg of case meg of
Nothing -> do Nothing -> do
$logWarn $ $logWarn $
"Found non-person non-group \ "Found non-person non-group sharer: " <>
\sharer: " <> shr2text shr shr2text shr
return $ Unauthorized "Zombine sharer" return $ error "Zombie sharer"
Just (Entity gid _g) -> do Just (Entity gid _g) -> do
mem <- getBy $ UniqueGroupMember vpid gid mem <- getBy $ UniqueGroupMember vpid gid
return $ case mem of return $ case mem of
Nothing -> Nothing -> Unauthorized "Not a group member"
Unauthorized "Not a group member"
Just (Entity _mid m) -> Just (Entity _mid m) ->
if groupMemberRole m == GRAdmin if groupMemberRole m == GRAdmin
then Authorized then Authorized
else else Unauthorized "Not a group admin"
Unauthorized
"Not a group admin"
projOp projOp
:: ProjectOperation -> ShrIdent -> PrjIdent -> Handler AuthResult :: ProjectOperation -> ShrIdent -> PrjIdent -> Handler AuthResult
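Review bot: `return $ error "Zombie sharer"` on the non-person non-group branch replaces the old explicit deny with a lazy `error` thunk that is only raised when Yesod forces the `AuthResult`, so the request ends in a 500 from an `ErrorCall` rather than a deliberate `Unauthorized`; it still fails closed, but a single corrupt sharer row now takes the handler down instead of being denied and logged. Since this branch is an invariant violation rather than a routine condition, keep the decision explicit and log it at error level: `$logError $ "Found non-person non-group sharer: " <> shr2text shr` followed by `return $ Unauthorized "Zombie sharer"`. Separately, `Entity sid _ <- getBy404 $ UniqueSharer shr` now answers an unknown sharer with 404 where the old code returned `Unauthorized "No such sharer"`; that is presumably fine if sharer names are public, but it lets an authenticated caller distinguish "no such sharer" from "not an admin", which deserves a one-line comment on the `getBy404` noting that this is intended. The `personOrGroupAdmin` body is fully visible in this hunk; `personAnd` and whatever login check it performs are outside it.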