Use Permission module to check if user can have access to resource
Signed-off-by: Thomas Citharel <tcit@tcit.fr>
parent
0995043d04
commit
c394f2cc5a
|
@ -902,7 +902,6 @@ defmodule Mobilizon.Federation.ActivityPub.Transmogrifier do
|
||||||
type
|
type
|
||||||
)
|
)
|
||||||
when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
|
when role in [:not_approved, :rejected, :invited] and type in [:join, :invite] do
|
||||||
# TODO: The actor that accepts the Join activity may another one that the event organizer ?
|
|
||||||
# Or maybe for groups it's the group that sends the Accept activity
|
# Or maybe for groups it's the group that sends the Accept activity
|
||||||
with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
|
with {:ok, %Activity{} = activity, %Member{role: :member} = member} <-
|
||||||
ActivityPub.accept(
|
ActivityPub.accept(
|
||||||
|
|
|
@ -12,6 +12,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
|
||||||
alias Mobilizon.GraphQL.API
|
alias Mobilizon.GraphQL.API
|
||||||
|
|
||||||
alias Mobilizon.Federation.ActivityPub.Activity
|
alias Mobilizon.Federation.ActivityPub.Activity
|
||||||
|
alias Mobilizon.Federation.ActivityPub.Permission
|
||||||
import Mobilizon.Users.Guards, only: [is_moderator: 1]
|
import Mobilizon.Users.Guards, only: [is_moderator: 1]
|
||||||
import Mobilizon.Web.Gettext
|
import Mobilizon.Web.Gettext
|
||||||
|
|
||||||
|
@ -75,13 +76,28 @@ defmodule Mobilizon.GraphQL.Resolvers.Event do
|
||||||
defp find_private_event(
|
defp find_private_event(
|
||||||
_parent,
|
_parent,
|
||||||
%{uuid: uuid},
|
%{uuid: uuid},
|
||||||
%{context: %{current_user: %User{id: user_id}}} = _resolution
|
%{context: %{current_user: %User{} = user}} = _resolution
|
||||||
) do
|
) do
|
||||||
case {:has_event, Events.get_own_event_by_uuid_with_preload(uuid, user_id)} do
|
%Actor{} = profile = Users.get_actor_for_user(user)
|
||||||
{:has_event, %Event{} = event} ->
|
|
||||||
{:ok, event}
|
|
||||||
|
|
||||||
{:has_event, _} ->
|
case Events.get_event_by_uuid_with_preload(uuid) do
|
||||||
|
# Event attributed to group
|
||||||
|
%Event{attributed_to: %Actor{}} = event ->
|
||||||
|
if Permission.can_access_group_object?(profile, event) do
|
||||||
|
{:ok, event}
|
||||||
|
else
|
||||||
|
{:error, :event_not_found}
|
||||||
|
end
|
||||||
|
|
||||||
|
# Own event
|
||||||
|
%Event{organizer_actor: %Actor{id: actor_id}} = event ->
|
||||||
|
if actor_id == profile.id do
|
||||||
|
{:ok, event}
|
||||||
|
else
|
||||||
|
{:error, :event_not_found}
|
||||||
|
end
|
||||||
|
|
||||||
|
_ ->
|
||||||
{:error, :event_not_found}
|
{:error, :event_not_found}
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
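Review bot: In `find_private_event`, the bare match `%Actor{} = profile = Users.get_actor_for_user(user)` raises a `MatchError` whenever that call returns something other than an `%Actor{}` (presumably `nil` for a user without a profile), so the resolver crashes instead of answering `{:error, :event_not_found}`. The Post resolver changed in this same commit guards the identical call inside a `with`; doing the same here, e.g. `with %Actor{} = profile <- Users.get_actor_for_user(user) do … else _ -> {:error, :event_not_found} end`, keeps the denial path uniform. The own-event branch now compares `organizer_actor.id` with that single profile, where the removed code looked the event up by `user_id`; if a user can hold several profiles, a draft created under another one would no longer be reachable, so it is worth confirming that this narrowing is intended. Both denial branches return the same `:event_not_found`, which avoids revealing that a private event exists; a one-line comment saying so would stop it from being "corrected" into a distinct error later.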
|
@ -7,7 +7,7 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
|
||||||
alias Mobilizon.{Actors, Posts, Users}
|
alias Mobilizon.{Actors, Posts, Users}
|
||||||
alias Mobilizon.Actors.Actor
|
alias Mobilizon.Actors.Actor
|
||||||
alias Mobilizon.Federation.ActivityPub
|
alias Mobilizon.Federation.ActivityPub
|
||||||
alias Mobilizon.Federation.ActivityPub.Utils
|
alias Mobilizon.Federation.ActivityPub.{Permission, Utils}
|
||||||
alias Mobilizon.Posts.Post
|
alias Mobilizon.Posts.Post
|
||||||
alias Mobilizon.Storage.Page
|
alias Mobilizon.Storage.Page
|
||||||
alias Mobilizon.Users.User
|
alias Mobilizon.Users.User
|
||||||
|
@ -69,11 +69,11 @@ defmodule Mobilizon.GraphQL.Resolvers.Post do
|
||||||
}
|
}
|
||||||
} = _resolution
|
} = _resolution
|
||||||
) do
|
) do
|
||||||
with {:current_actor, %Actor{id: actor_id}} <-
|
with {:current_actor, %Actor{} = current_profile} <-
|
||||||
{:current_actor, Users.get_actor_for_user(user)},
|
{:current_actor, Users.get_actor_for_user(user)},
|
||||||
{:post, %Post{attributed_to: %Actor{id: group_id}} = post} <-
|
{:post, %Post{attributed_to: %Actor{}} = post} <-
|
||||||
{:post, Posts.get_post_by_slug_with_preloads(slug)},
|
{:post, Posts.get_post_by_slug_with_preloads(slug)},
|
||||||
{:member, true} <- {:member, Actors.is_member?(actor_id, group_id)} do
|
{:member, true} <- {:member, Permission.can_access_group_object?(current_profile, post)} do
|
||||||
{:ok, post}
|
{:ok, post}
|
||||||
else
|
else
|
||||||
{:member, false} -> get_post(parent, %{slug: slug}, nil)
|
{:member, false} -> get_post(parent, %{slug: slug}, nil)
|
||||||
|
|
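Review bot: The `with` clause still tags its result `:member` although the value now comes from `Permission.can_access_group_object?(current_profile, post)`, so the tag no longer describes the check being made. Renaming it in the clause and in the matching `else` branch, e.g. `{:can_access, true} <- {:can_access, Permission.can_access_group_object?(current_profile, post)}` with `{:can_access, false} -> get_post(parent, %{slug: slug}, nil)`, would keep the authorization step readable. Among the clauses visible here only the literal `false` is handled, so the helper has to return a strict boolean. A denied viewer is handed to `get_post/3` with a `nil` resolution, which means that clause (outside this hunk) is what actually withholds non-public posts; a short comment stating that dependency would help the next reviewer. The `with` block starts before and continues past the lines shown.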