2025-03-26 19:09:19 +00:00
3 changed files with 42 additions and 29 deletions
--- a/pkg/service/security.go
+++ b/pkg/service/security.go
@ -17,10 +17,11 @@ var (
 // Submissions roles bitflag
 type Roles int32
 var (
-	RolesScriptWrite Roles = 8
-	RolesSubmissionPublish Roles = 4
-	RolesSubmissionReview Roles = 2
-	RolesMapDownload Roles = 1
+	RolesSubmissionRelease Roles = 1<<4
+	RolesScriptWrite Roles = 1<<3
+	RolesSubmissionUpload Roles = 1<<2
+	RolesSubmissionReview Roles = 1<<1
+	RolesMapDownload Roles = 1<<0
 	RolesEmpty Roles = 0
 )

@ -31,10 +32,10 @@ var (
 	RoleQuat GroupRole = 255
 	RoleItzaname GroupRole = 254
 	RoleStagingDeveloper GroupRole = 240
-	RolesAll Roles = RolesScriptWrite|RolesSubmissionPublish|RolesSubmissionReview|RolesMapDownload
-	// has SubmissionPublish
+	RolesAll Roles = RolesScriptWrite|RolesSubmissionRelease|RolesSubmissionUpload|RolesSubmissionReview|RolesMapDownload
+	// has SubmissionUpload
 	RoleMapAdmin GroupRole = 128
-	RolesMapAdmin Roles = RolesSubmissionPublish|RolesSubmissionReview|RolesMapDownload
+	RolesMapAdmin Roles = RolesSubmissionRelease|RolesSubmissionUpload|RolesSubmissionReview|RolesMapDownload
 	// has SubmissionReview
 	RoleMapCouncil GroupRole = 64
 	RolesMapCouncil Roles = RolesSubmissionReview|RolesMapDownload
@ -127,9 +128,11 @@ func (usr UserInfoHandle) GetRoles() (Roles, error) {
 }

 // RoleThumbnail
-// RoleMapDownload
-func (usr UserInfoHandle) HasRoleSubmissionPublish() (bool, error) {
-	return usr.hasRoles(RolesSubmissionPublish)
+func (usr UserInfoHandle) HasRoleSubmissionRelease() (bool, error) {
+	return usr.hasRoles(RolesSubmissionRelease)
+}
+func (usr UserInfoHandle) HasRoleSubmissionUpload() (bool, error) {
+	return usr.hasRoles(RolesSubmissionUpload)
 }
 func (usr UserInfoHandle) HasRoleSubmissionReview() (bool, error) {
 	return usr.hasRoles(RolesSubmissionReview)
--- a/pkg/service/submissions.go
+++ b/pkg/service/submissions.go
@ -4,6 +4,7 @@ import (
 	"context"
 	"encoding/json"
 	"errors"
+	"fmt"
 	"time"

 	"git.itzana.me/strafesnet/go-grpc/maps"
@ -37,6 +38,15 @@ var (
 	ErrActiveSubmissionSameTargetAssetID = errors.New("There is an active submission with the same TargetAssetID")
 	ErrReleaseInvalidStatus = errors.New("Only submissions with Uploaded status can be released")
 	ErrReleaseNoTargetAssetID = errors.New("Only submissions with a TargetAssetID can be released")
+	ErrAcceptOwnSubmission = fmt.Errorf("%w: You cannot accept your own submission as the submitter", ErrPermissionDenied)
+	ErrDelayReset = errors.New("Please give the validator at least 10 seconds to operate before attempting to reset the status")
+	ErrPermissionDeniedNotSubmitter = fmt.Errorf("%w: You must be the submitter to perform this action", ErrPermissionDenied)
+	ErrPermissionDeniedNeedSubmissionRelease = fmt.Errorf("%w: Need Role SubmissionRelease", ErrPermissionDenied)
+	ErrPermissionDeniedNeedSubmissionUpload = fmt.Errorf("%w: Need Role SubmissionUpload", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleSubmissionReview = fmt.Errorf("%w: Need Role SubmissionReview", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMapDownload = fmt.Errorf("%w: Need Role MapDownload", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleScriptWrite = fmt.Errorf("%w: Need Role ScriptWrite", ErrPermissionDenied)
+	ErrPermissionDeniedNeedRoleMaptest = fmt.Errorf("%w: Need Role Maptest", ErrPermissionDenied)
 )

 // POST /submissions
@ -216,7 +226,7 @@ func (svc *Service) SetSubmissionCompleted(ctx context.Context, params api.SetSu
 	}
 	// check if caller has MaptestGame role (request must originate from a maptest roblox game)
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedRoleMaptest
 	}

 	pmap := datastore.Optional()
@ -247,7 +257,7 @@ func (svc *Service) UpdateSubmissionModel(ctx context.Context, params api.Update
 	}
 	// check if caller is the submitter
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNotSubmitter
 	}

 	// check if Status is ChangesRequested|Submitted|UnderConstruction
@ -276,7 +286,7 @@ func (svc *Service) ActionSubmissionReject(ctx context.Context, params api.Actio
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}

 	// transaction
@ -302,7 +312,7 @@ func (svc *Service) ActionSubmissionRequestChanges(ctx context.Context, params a
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}

 	// transaction
@ -334,7 +344,7 @@ func (svc *Service) ActionSubmissionRevoke(ctx context.Context, params api.Actio
 	}
 	// check if caller is the submitter
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNotSubmitter
 	}

 	// transaction
@ -366,7 +376,7 @@ func (svc *Service) ActionSubmissionSubmit(ctx context.Context, params api.Actio
 	}
 	// check if caller is the submitter
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNotSubmitter
 	}

 	// transaction
@ -386,13 +396,13 @@ func (svc *Service) ActionSubmissionTriggerUpload(ctx context.Context, params ap
 		return ErrUserInfo
 	}

-	has_role, err := userInfo.HasRoleSubmissionPublish()
+	has_role, err := userInfo.HasRoleSubmissionUpload()
 	if err != nil {
 		return err
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedSubmissionUpload
 	}

 	// transaction
@ -451,13 +461,13 @@ func (svc *Service) ActionSubmissionValidated(ctx context.Context, params api.Ac
 		return ErrUserInfo
 	}

-	has_role, err := userInfo.HasRoleSubmissionPublish()
+	has_role, err := userInfo.HasRoleSubmissionUpload()
 	if err != nil {
 		return err
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedSubmissionUpload
 	}

 	// check when submission was updated
@ -467,7 +477,7 @@ func (svc *Service) ActionSubmissionValidated(ctx context.Context, params api.Ac
 	}
 	if time.Now().Before(submission.UpdatedAt.Add(time.Second*10)) {
 		// the last time the submission was updated must be longer than 10 seconds ago
-		return ErrPermissionDenied
+		return ErrDelayReset
 	}

 	// transaction
@ -493,7 +503,7 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}

 	// read submission (this could be done with a transaction WHERE clause)
@ -508,7 +518,7 @@ func (svc *Service) ActionSubmissionTriggerValidate(ctx context.Context, params
 	}
 	// check if caller is NOT the submitter
 	if has_role {
-		return ErrPermissionDenied
+		return ErrAcceptOwnSubmission
 	}

 	// transaction
@ -553,7 +563,7 @@ func (svc *Service) ActionSubmissionAccepted(ctx context.Context, params api.Act
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedRoleSubmissionReview
 	}

 	// check when submission was updated
@ -563,7 +573,7 @@ func (svc *Service) ActionSubmissionAccepted(ctx context.Context, params api.Act
 	}
 	if time.Now().Before(submission.UpdatedAt.Add(time.Second*10)) {
 		// the last time the submission was updated must be longer than 10 seconds ago
-		return ErrPermissionDenied
+		return ErrDelayReset
 	}

 	// transaction
@ -584,13 +594,13 @@ func (svc *Service) ReleaseSubmissions(ctx context.Context, request []api.Releas
 		return ErrUserInfo
 	}

-	has_role, err := userInfo.HasRoleSubmissionPublish()
+	has_role, err := userInfo.HasRoleSubmissionRelease()
 	if err != nil {
 		return err
 	}
 	// check if caller has required role
 	if !has_role {
-		return ErrPermissionDenied
+		return ErrPermissionDeniedNeedSubmissionRelease
 	}

 	idList := make([]int64, len(request))
--- a/validation/src/publish_new.rs
+++ b/validation/src/publish_new.rs
@ -7,7 +7,7 @@ pub enum PublishError{
 	Json(serde_json::Error),
 	Create(rbx_asset::cookie::CreateError),
 	SystemTime(std::time::SystemTimeError),
-	ApiActionSubmissionPublish(submissions_api::Error),
+	ApiActionSubmissionUploaded(submissions_api::Error),
 }
 impl std::fmt::Display for PublishError{
 	fn fmt(&self,f:&mut std::fmt::Formatter<'_>)->std::fmt::Result{
@ -53,7 +53,7 @@ impl Publisher{
 		self.api.action_submission_uploaded(submissions_api::types::ActionSubmissionUploadedRequest{
 			SubmissionID:publish_info.SubmissionID,
 			TargetAssetID:Some(upload_response.AssetId),
-		}).await.map_err(PublishError::ApiActionSubmissionPublish)?;
+		}).await.map_err(PublishError::ApiActionSubmissionUploaded)?;

 		Ok(())
 	}