diff --git a/pkg/service/script_policy.go b/pkg/service/script_policy.go
index d936a80..fcd7b5f 100644
--- a/pkg/service/script_policy.go
+++ b/pkg/service/script_policy.go
@@ -19,11 +19,7 @@ func (svc *Service) CreateScriptPolicy(ctx context.Context, req *api.ScriptPolic
 return nil, ErrUserInfo
 }
- has_role, err := userInfo.HasRoleScriptWrite()
- if err != nil {
- return nil, err
- }
- if !has_role {
+ if !userInfo.Roles.ScriptWrite {
 return nil, ErrPermissionDenied
 }
@@ -104,11 +100,7 @@ func (svc *Service) DeleteScriptPolicy(ctx context.Context, params api.DeleteScr
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleScriptWrite()
- if err != nil {
- return err
- }
- if !has_role {
+ if !userInfo.Roles.ScriptWrite {
 return ErrPermissionDenied
 }
@@ -152,11 +144,7 @@ func (svc *Service) UpdateScriptPolicy(ctx context.Context, req *api.ScriptPolic
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleScriptWrite()
- if err != nil {
- return err
- }
- if !has_role {
+ if !userInfo.Roles.ScriptWrite {
 return ErrPermissionDenied
 }
diff --git a/pkg/service/scripts.go b/pkg/service/scripts.go
index ea7f9ca..6be5ed9 100644
--- a/pkg/service/scripts.go
+++ b/pkg/service/scripts.go
@@ -19,11 +19,7 @@ func (svc *Service) CreateScript(ctx context.Context, req *api.ScriptCreate) (*a
 return nil, ErrUserInfo
 }
- has_role, err := userInfo.HasRoleScriptWrite()
- if err != nil {
- return nil, err
- }
- if !has_role {
+ if !userInfo.Roles.ScriptWrite {
 return nil, ErrPermissionDenied
 }
@@ -100,11 +96,7 @@ func (svc *Service) DeleteScript(ctx context.Context, params api.DeleteScriptPar
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleScriptWrite()
- if err != nil {
- return err
- }
- if !has_role {
+ if !userInfo.Roles.ScriptWrite {
 return ErrPermissionDenied
 }
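Review bot: The same gate (`if !userInfo.Roles.ScriptWrite` returning `ErrPermissionDenied`) is hand-copied into CreateScriptPolicy, DeleteScriptPolicy and UpdateScriptPolicy here, and into CreateScript, DeleteScript and UpdateScript in scripts.go, so a handler added later is unprotected unless someone remembers to paste it. Now that the check can no longer fail with an error of its own, it fits a single small helper that returns `ErrUserInfo` or `ErrPermissionDenied`, leaving one call per handler. The `userInfo` lookup sits above each hunk and is not shown, so the helper's exact shape depends on that code.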
@@ -149,11 +141,7 @@ func (svc *Service) UpdateScript(ctx context.Context, req *api.ScriptUpdate, par
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleScriptWrite()
- if err != nil {
- return err
- }
- if !has_role {
+ if !userInfo.Roles.ScriptWrite {
 return ErrPermissionDenied
 }
diff --git a/pkg/service/security.go b/pkg/service/security.go
index dbff2c2..addc5a9 100644
--- a/pkg/service/security.go
+++ b/pkg/service/security.go
@@ -14,71 +14,34 @@ var (
 ErrInvalidSession = errors.New("Session invalid")
 )
-type Role int32
 var (
 // has ScriptWrite
- RoleQuat Role = 255
+ RoleQuat int32 = 255
 // has SubmissionPublish
- RoleMapAdmin Role = 128
+ RoleMapAdmin int32 = 128
 // has SubmissionReview
- RoleMapCouncil Role = 64
+ RoleMapCouncil int32 = 64
 )
+type Roles struct {
+ // human roles
+ SubmissionRelease bool
+ SubmissionReview bool
+ ScriptWrite bool
+ // Thumbnail bool
+ // MapDownload
+
+ // automated roles
+ Maptest bool
+}
+
 type UserInfo struct {
- // Would love to know a better way to do this
- svc *SecurityHandler
- ctx *context.Context
- sessionId string
+ Roles Roles
+ UserID uint64
 }
-func (usr UserInfo) GetUserID() (uint64, error) {
- session, err := usr.svc.Client.GetSessionUser(*usr.ctx, &auth.IdMessage{
- SessionID: usr.sessionId,
- })
- if err != nil {
- return 0, err
- }
- return session.UserID, nil
-}
-func (usr UserInfo) IsSubmitter(submitter uint64) (bool, error) {
- userId, err := usr.GetUserID()
- if err != nil {
- return false, err
- }
- return userId == submitter, nil
-}
-func (usr UserInfo) hasRole(role Role) (bool, error) {
- roles, err := usr.svc.Client.GetGroupRole(*usr.ctx, &auth.IdMessage{
- SessionID: usr.sessionId,
- })
- if err != nil {
- return false, err
- }
-
- for _, r := range roles.Roles {
- if int32(role) <= r.Rank {
- return true, nil
- }
- }
- return false, nil
-}
-
-
-// RoleThumbnail
-// RoleMapDownload
-func (usr UserInfo) HasRoleSubmissionRelease() (bool, error) {
- return usr.hasRole(RoleMapAdmin)
-}
-func (usr UserInfo) HasRoleSubmissionReview() (bool, error) {
- return usr.hasRole(RoleMapCouncil)
-}
-func (usr UserInfo) HasRoleScriptWrite() (bool, error) {
- return usr.hasRole(RoleQuat)
-}
-/// Not implemented
-func (usr UserInfo) HasRoleMaptest() (bool, error) {
- println("HasRoleMaptest is not implemented!")
- return false, nil
+func (usr UserInfo) IsSubmitter(submitter uint64) bool {
+ return usr.UserID == submitter
 }
 type SecurityHandler struct {
@@ -91,6 +54,20 @@ func (svc SecurityHandler) HandleCookieAuth(ctx context.Context, operationName a
 return nil, ErrMissingSessionID
 }
+ session, err := svc.Client.GetSessionUser(ctx, &auth.IdMessage{
+ SessionID: sessionId,
+ })
+ if err != nil {
+ return nil, err
+ }
+
+ role, err := svc.Client.GetGroupRole(ctx, &auth.IdMessage{
+ SessionID: sessionId,
+ })
+ if err != nil {
+ return nil, err
+ }
+
 validate, err := svc.Client.ValidateSession(ctx, &auth.IdMessage{
 SessionID: sessionId,
 })
@@ -101,10 +78,24 @@ func (svc SecurityHandler) HandleCookieAuth(ctx context.Context, operationName a
 return nil, ErrInvalidSession
 }
+ roles := Roles{}
+
+ // fix this when roblox udpates group roles
+ for _, r := range role.Roles {
+ if RoleQuat <= r.Rank {
+ roles.ScriptWrite = true
+ }
+ if RoleMapAdmin <= r.Rank {
+ roles.SubmissionRelease = true
+ }
+ if RoleMapCouncil <= r.Rank {
+ roles.SubmissionReview = true
+ }
+ }
+
 newCtx := context.WithValue(ctx, "UserInfo", UserInfo{
- svc: &svc,
- ctx: &ctx,
- sessionId: sessionId,
+ Roles: roles,
+ UserID: session.UserID,
 })
 return newCtx, nil
diff --git a/pkg/service/submissions.go b/pkg/service/submissions.go
index b027576..fb13bec 100644
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@@ -42,10 +42,7 @@ func (svc *Service) CreateSubmission(ctx context.Context, request *api.Submissio
 return nil, ErrUserInfo
 }
- userId, err := userInfo.GetUserID()
- if err != nil {
- return nil, err
- }
+ userId := userInfo.UserID
 // Check if user's submissions in the creation phase exceeds the limit
 {
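Review bot: In the first security.go hunk the rank thresholds `RoleQuat`, `RoleMapAdmin` and `RoleMapCouncil` stay in a `var (` block and lose their dedicated `Role` type, so any code in the package can reassign the values that decide authorization, and they now mix freely with any other int32. Declaring them in a `const (` block leaves the comparisons against `r.Rank` unchanged and makes them immutable. The comment `// has SubmissionPublish` above `RoleMapAdmin` does not match the field it now feeds; I would reword it to `// has SubmissionRelease`. The new exported types `Roles` and `UserInfo` also have no doc comments saying that they are a per-request snapshot taken in HandleCookieAuth.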
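Review bot: In HandleCookieAuth the added `GetSessionUser` and `GetGroupRole` calls run before the existing `ValidateSession` call, so a request carrying a stale or made-up session ID costs two extra auth-service lookups and, if either fails, gets that raw error back instead of `ErrInvalidSession`. Moving both added blocks below the validity check keeps rejected sessions to a single backend call and keeps the failure response uniform. How the auth service answers these lookups for an invalid session is not visible in the diff, so the current order may happen to work, but it should not be relied on. The function begins and ends outside this hunk.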
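Review bot: The loop added to HandleCookieAuth sets each permission from `r.Rank` alone for every entry in `role.Roles`, with no check of which group a role belongs to. If `GetGroupRole` can return roles from more than one group (not visible in this diff), a high rank in an unrelated group would set `ScriptWrite`; if it is already scoped to one group, the comment should say so. Once that is confirmed I would replace `// fix this when roblox udpates group roles` with `// Ranks are minimum thresholds within the group GetGroupRole is scoped to; revisit when Roblox updates group roles.` Separately, the populated `UserInfo` is still stored under the bare string key `"UserInfo"`; an unexported key type would keep other packages from overwriting the authorization data in the context.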
@@ -204,18 +201,15 @@ func (svc *Service) SetSubmissionCompleted(ctx context.Context, params api.SetSu
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleMaptest()
- if err != nil {
- return err
- }
 // check if caller has MaptestGame role (request must originate from a maptest roblox game)
- if !has_role {
+ if !userInfo.Roles.Maptest {
 return ErrPermissionDenied
 }
 pmap := datastore.Optional()
 pmap.Add("completed", true)
- return svc.DB.Submissions().Update(ctx, params.SubmissionID, pmap)
+ err := svc.DB.Submissions().Update(ctx, params.SubmissionID, pmap)
+ return err
 }
 // UpdateSubmissionModel implements patchSubmissionModel operation.
@@ -235,12 +229,8 @@ func (svc *Service) UpdateSubmissionModel(ctx context.Context, params api.Update
 return err
 }
- has_role, err := userInfo.IsSubmitter(uint64(submission.Submitter))
- if err != nil {
- return err
- }
 // check if caller is the submitter
- if !has_role {
+ if !userInfo.IsSubmitter(uint64(submission.Submitter)) {
 return ErrPermissionDenied
 }
@@ -264,12 +254,8 @@ func (svc *Service) ActionSubmissionReject(ctx context.Context, params api.Actio
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleSubmissionReview()
- if err != nil {
- return err
- }
 // check if caller has required role
- if !has_role {
+ if !userInfo.Roles.SubmissionReview {
 return ErrPermissionDenied
 }
@@ -290,12 +276,8 @@ func (svc *Service) ActionSubmissionRequestChanges(ctx context.Context, params a
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleSubmissionReview()
- if err != nil {
- return err
- }
 // check if caller has required role
- if !has_role {
+ if !userInfo.Roles.SubmissionReview {
 return ErrPermissionDenied
 }
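Review bot: In SetSubmissionCompleted the gate now reads `userInfo.Roles.Maptest`, but nothing in this commit sets that field: the loop in HandleCookieAuth assigns only `ScriptWrite`, `SubmissionRelease` and `SubmissionReview`, so this endpoint denies every caller. That fails closed, which is the safe direction, but the removed `println("HasRoleMaptest is not implemented!")` was the only trace of it; a comment such as `// Roles.Maptest is never populated yet, so this always denies` above the check would keep that visible. At the end of the function, `err := svc.DB.Submissions().Update(...)` followed by `return err` adds a variable that is never inspected; the original single `return svc.DB.Submissions().Update(ctx, params.SubmissionID, pmap)` is equivalent and shorter.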
@@ -322,12 +304,8 @@ func (svc *Service) ActionSubmissionRevoke(ctx context.Context, params api.Actio
 return err
 }
- has_role, err := userInfo.IsSubmitter(uint64(submission.Submitter))
- if err != nil {
- return err
- }
 // check if caller is the submitter
- if !has_role {
+ if !userInfo.IsSubmitter(uint64(submission.Submitter)) {
 return ErrPermissionDenied
 }
@@ -354,12 +332,8 @@ func (svc *Service) ActionSubmissionSubmit(ctx context.Context, params api.Actio
 return err
 }
- has_role, err := userInfo.IsSubmitter(uint64(submission.Submitter))
- if err != nil {
- return err
- }
 // check if caller is the submitter
- if !has_role {
+ if !userInfo.IsSubmitter(uint64(submission.Submitter)) {
 return ErrPermissionDenied
 }
@@ -380,12 +354,8 @@ func (svc *Service) ActionSubmissionTriggerUpload(ctx context.Context, params ap
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleSubmissionRelease()
- if err != nil {
- return err
- }
 // check if caller has required role
- if !has_role {
+ if !userInfo.Roles.SubmissionRelease {
 return ErrPermissionDenied
 }
@@ -445,12 +415,8 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 return ErrUserInfo
 }
- has_role, err := userInfo.HasRoleSubmissionReview()
- if err != nil {
- return err
- }
 // check if caller has required role
- if !has_role {
+ if !userInfo.Roles.SubmissionReview {
 return ErrPermissionDenied
 }