Use getBy404 in isAuthorized when it's the right thing

This commit is contained in:
fr33domlover 2016-06-06 20:10:28 +00:00
parent 23c06c535a
commit d6967f52d9


@ -192,12 +192,11 @@ instance Yesod App where
else Unauthorized "No access to this operation" else Unauthorized "No access to this operation"
groupRole :: (GroupRole -> Bool) -> ShrIdent -> Handler AuthResult groupRole :: (GroupRole -> Bool) -> ShrIdent -> Handler AuthResult
groupRole role grp = personAnd $ \ (Entity pid _p) -> do groupRole role grp = personAnd $ \ (Entity pid _p) -> runDB $ do
mrole <- runDB $ runMaybeT $ do Entity sid _s <- getBy404 $ UniqueSharer grp
Entity sid _s <- MaybeT $ getBy $ UniqueSharer grp Entity gid _g <- getBy404 $ UniqueGroup sid
Entity gid _g <- MaybeT $ getBy $ UniqueGroup sid mem <- getBy $ UniqueGroupMember pid gid
Entity _mid m <- MaybeT $ getBy $ UniqueGroupMember pid gid let mrole = groupMemberRole . entityVal <$> mem
return $ groupMemberRole m
return $ case mrole of return $ case mrole of
Nothing -> Unauthorized "Not a member of the group" Nothing -> Unauthorized "Not a member of the group"
Just r -> Just r ->
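Review bot: The new `groupRole` body now mixes two kinds of outcome without saying so: `getBy404` on `UniqueSharer grp` and `UniqueGroup sid` presumably aborts the handler with a 404 (a sharer that exists but is not a group is also a 404 now), while only the membership lookup via `getBy` feeds the `Unauthorized` result. A one-line comment above the first `getBy404` would keep the next reader from "fixing" this back into an authorization failure, e.g. `-- A missing sharer/group is a 404; only membership and role are authorization decisions here.` The `case mrole of` expression continues outside the hunk.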
@ -210,37 +209,29 @@ instance Yesod App where
personOrGroupAdmin :: ShrIdent -> Handler AuthResult personOrGroupAdmin :: ShrIdent -> Handler AuthResult
personOrGroupAdmin shr = personAnd $ \ (Entity vpid _vp) -> runDB $ do personOrGroupAdmin shr = personAnd $ \ (Entity vpid _vp) -> runDB $ do
mes <- getBy $ UniqueSharer shr Entity sid _ <- getBy404 $ UniqueSharer shr
case mes of mep <- getBy $ UniquePersonIdent sid
Nothing -> return $ Unauthorized "No such sharer" case mep of
Just (Entity sid _) -> do Just (Entity pid _p) ->
mep <- getBy $ UniquePersonIdent sid return $ if pid == vpid
case mep of then Authorized
Just (Entity pid _p) -> else Unauthorized "Cant access other peoples roles"
return $ if pid == vpid Nothing -> do
then Authorized meg <- getBy $ UniqueGroup sid
else case meg of
Unauthorized
"Cant access other peoples roles"
Nothing -> do Nothing -> do
meg <- getBy $ UniqueGroup sid $logWarn $
case meg of "Found non-person non-group sharer: " <>
Nothing -> do shr2text shr
$logWarn $ return $ error "Zombie sharer"
"Found non-person non-group \ Just (Entity gid _g) -> do
\sharer: " <> shr2text shr mem <- getBy $ UniqueGroupMember vpid gid
return $ Unauthorized "Zombine sharer" return $ case mem of
Just (Entity gid _g) -> do Nothing -> Unauthorized "Not a group member"
mem <- getBy $ UniqueGroupMember vpid gid Just (Entity _mid m) ->
return $ case mem of if groupMemberRole m == GRAdmin
Nothing -> then Authorized
Unauthorized "Not a group member" else Unauthorized "Not a group admin"
Just (Entity _mid m) ->
if groupMemberRole m == GRAdmin
then Authorized
else
Unauthorized
"Not a group admin"
projOp projOp
:: ProjectOperation -> ShrIdent -> PrjIdent -> Handler AuthResult :: ProjectOperation -> ShrIdent -> PrjIdent -> Handler AuthResult
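Review bot: `return $ error "Zombie sharer"` turns the non-person non-group case from a fail-closed `Unauthorized` into an exception, so a request hitting that state now gets a 500 instead of a denial, and because the `error` sits under `return $` it is a lazy thunk that only fires when the `AuthResult` is forced, presumably after the `runDB` block has already committed. Since the branch is logged with `$logWarn` rather than treated as a crash, it reads as a recoverable situation; keeping the old behaviour while fixing the typo, `return $ Unauthorized "Zombie sharer"`, preserves the fail-closed result. If the state is genuinely meant to be impossible, an explicit `notFound`-style short-circuit inside the `do` block would at least be strict and deliberate rather than a deferred `error`.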