forked from potsda.mn/mobilizon
Use Permission module to check if user can have access to resource
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
This commit is contained in:
parent
0995043d04
commit
c394f2cc5a
|
@ -902,7 +902,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
|
|||
type
|
||||
)
|
||||
when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
|
||||
# TODO: The actor that accepts the Join activity may another one that the event organizer ?
|
||||
# Or maybe for groups it's the group that sends the Accept activity
|
||||
with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
|
||||
ActivityPub.accept(
|
||||
|
|
|
@ -12,6 +12,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
|
|||
alias Mobilizon.GraphQL.API
|
||||
|
||||
alias Mobilizon.Federation.ActivityPub.Activity
|
||||
alias Mobilizon.Federation.ActivityPub.Permission
|
||||
import Mobilizon.Users.Guards, only: [is_moderator: 1]
|
||||
import Mobilizon.Web.Gettext
|
||||
|
||||
|
@ -75,13 +76,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
|
|||
defp find_private_event(
|
||||
_parent,
|
||||
%{uuid: uuid},
|
||||
%{context: %{current_user: %User{id: user_id}}} = _resolution
|
||||
%{context: %{current_user: %User{} = user}} = _resolution
|
||||
) do
|
||||
case {:has_event, Events.get_own_event_by_uuid_with_preload(uuid, user_id)} do
|
||||
{:has_event, %Event{} = event} ->
|
||||
{:ok, event}
|
||||
%Actor{} = profile = Users.get_actor_for_user(user)
|
||||
|
||||
{:has_event, _} ->
|
||||
case Events.get_event_by_uuid_with_preload(uuid) do
|
||||
# Event attributed to group
|
||||
%Event{attributed_to: %Actor{}} = event ->
|
||||
if Permission.can_access_group_object?(profile, event) do
|
||||
{:ok, event}
|
||||
else
|
||||
{:error, :event_not_found}
|
||||
end
|
||||
|
||||
# Own event
|
||||
%Event{organizer_actor: %Actor{id: actor_id}} = event ->
|
||||
if actor_id == profile.id do
|
||||
{:ok, event}
|
||||
else
|
||||
{:error, :event_not_found}
|
||||
end
|
||||
|
||||
_ ->
|
||||
{:error, :event_not_found}
|
||||
end
|
||||
end
|
||||
|
|
|
@ -7,7 +7,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
|
|||
alias Mobilizon.{Actors, Posts, Users}
|
||||
alias Mobilizon.Actors.Actor
|
||||
alias Mobilizon.Federation.ActivityPub
|
||||
alias Mobilizon.Federation.ActivityPub.Utils
|
||||
alias Mobilizon.Federation.ActivityPub.{Permission, Utils}
|
||||
alias Mobilizon.Posts.Post
|
||||
alias Mobilizon.Storage.Page
|
||||
alias Mobilizon.Users.User
|
||||
|
@ -69,11 +69,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
|
|||
}
|
||||
} = _resolution
|
||||
) do
|
||||
with {:current_actor, %Actor{id: actor_id}} <-
|
||||
with {:current_actor, %Actor{} = current_profile} <-
|
||||
{:current_actor, Users.get_actor_for_user(user)},
|
||||
{:post, %Post{attributed_to: %Actor{id: group_id}} = post} <-
|
||||
{:post, %Post{attributed_to: %Actor{}} = post} <-
|
||||
{:post, Posts.get_post_by_slug_with_preloads(slug)},
|
||||
{:member, true} <- {:member, Actors.is_member?(actor_id, group_id)} do
|
||||
{:member, true} <- {:member, Permission.can_access_group_object?(current_profile, post)} do
|
||||
{:ok, post}
|
||||
else
|
||||
{:member, false} -> get_post(parent, %{slug: slug}, nil)
|
||||
|
|
Loading…
Reference in a new issue