From d6967f52d98b08db44b1e4b3fb7714d786cc4cef Mon Sep 17 00:00:00 2001
From: fr33domlover <fr33domlover@rel4tion.org>
Date: Mon, 6 Jun 2016 20:10:28 +0000
Subject: [PATCH] Use getBy404 in isAuthorized when it's the right thing

---
 src/Vervis/Foundation.hs | 63 +++++++++++++++++-----------------------
 1 file changed, 27 insertions(+), 36 deletions(-)

diff --git a/src/Vervis/Foundation.hs b/src/Vervis/Foundation.hs
index 1a36078..24d1c66 100644
--- a/src/Vervis/Foundation.hs
+++ b/src/Vervis/Foundation.hs
@@ -192,12 +192,11 @@ instance Yesod App where
                 else Unauthorized "No access to this operation"
 
         groupRole :: (GroupRole -> Bool) -> ShrIdent -> Handler AuthResult
-        groupRole role grp = personAnd $ \ (Entity pid _p) -> do
-            mrole <- runDB $ runMaybeT $ do
-                Entity sid _s <- MaybeT $ getBy $ UniqueSharer grp
-                Entity gid _g <- MaybeT $ getBy $ UniqueGroup sid
-                Entity _mid m <- MaybeT $ getBy $ UniqueGroupMember pid gid
-                return $ groupMemberRole m
+        groupRole role grp = personAnd $ \ (Entity pid _p) -> runDB $ do
+            Entity sid _s <- getBy404 $ UniqueSharer grp
+            Entity gid _g <- getBy404 $ UniqueGroup sid
+            mem <- getBy $ UniqueGroupMember pid gid
+            let mrole = groupMemberRole . entityVal <$> mem
             return $ case mrole of
                 Nothing -> Unauthorized "Not a member of the group"
                 Just r  ->
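Review bot: The two `getBy404` calls make `groupRole` short-circuit with a 404 response when the sharer or the group row is missing, while only an absent membership row still reaches the `Unauthorized "Not a member of the group"` branch, and nothing near the signature records that split. A reader of `isAuthorized` would expect an `AuthResult` for every input, so a one-line comment above the signature is worth adding: `-- Responds 404 when the sharer or group does not exist; only a missing membership yields Unauthorized.` The body of `groupRole` continues past the last line of this hunk.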
@@ -210,37 +209,29 @@ instance Yesod App where
 
         personOrGroupAdmin :: ShrIdent -> Handler AuthResult
         personOrGroupAdmin shr = personAnd $ \ (Entity vpid _vp) -> runDB $ do
-            mes <- getBy $ UniqueSharer shr
-            case mes of
-                Nothing             -> return $ Unauthorized "No such sharer"
-                Just (Entity sid _) -> do
-                    mep <- getBy $ UniquePersonIdent sid
-                    case mep of
-                        Just (Entity pid _p) ->
-                            return $ if pid == vpid
-                                then Authorized
-                                else
-                                    Unauthorized
-                                    "Can’t access other people’s roles"
+            Entity sid _ <- getBy404 $ UniqueSharer shr
+            mep <- getBy $ UniquePersonIdent sid
+            case mep of
+                Just (Entity pid _p) ->
+                    return $ if pid == vpid
+                        then Authorized
+                        else Unauthorized "Can’t access other people’s roles"
+                Nothing -> do
+                    meg <- getBy $ UniqueGroup sid
+                    case meg of
                         Nothing -> do
-                            meg <- getBy $ UniqueGroup sid
-                            case meg of
-                                Nothing -> do
-                                    $logWarn $
-                                        "Found non-person non-group \
-                                        \sharer: " <> shr2text shr
-                                    return $ Unauthorized "Zombine sharer"
-                                Just (Entity gid _g) -> do
-                                    mem <- getBy $ UniqueGroupMember vpid gid
-                                    return $ case mem of
-                                        Nothing ->
-                                            Unauthorized "Not a group member"
-                                        Just (Entity _mid m) ->
-                                            if groupMemberRole m == GRAdmin
-                                                then Authorized
-                                                else
-                                                    Unauthorized
-                                                    "Not a group admin"
+                            $logWarn $
+                                "Found non-person non-group sharer: " <>
+                                shr2text shr
+                            return $ error "Zombie sharer"
+                        Just (Entity gid _g) -> do
+                            mem <- getBy $ UniqueGroupMember vpid gid
+                            return $ case mem of
+                                Nothing -> Unauthorized "Not a group member"
+                                Just (Entity _mid m) ->
+                                    if groupMemberRole m == GRAdmin
+                                        then Authorized
+                                        else Unauthorized "Not a group admin"
 
         projOp
             :: ProjectOperation -> ShrIdent -> PrjIdent -> Handler AuthResult
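Review bot: `return $ error "Zombie sharer"` in the non-person non-group branch replaces an explicit `Unauthorized` with a thunk that leaves the `do` block unevaluated and is only forced when Yesod inspects the `AuthResult`, so an inconsistent sharer row now ends in an uncaught exception (a 500, possibly echoing the error text through the default error handler) instead of the fail-closed denial the old code sent after the same `$logWarn`. If the intent is still to deny access, `return $ Unauthorized "Zombie sharer"` keeps the previous behaviour and fixes the old "Zombine" typo; if the inconsistency is meant to abort the request, throw from the handler explicitly rather than wrapping `error` in `return`. `personOrGroupAdmin` is fully visible in this hunk.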