Users can no longer post or edit posts in locked topics.

Permissions should cascade properly now in the topic template, should have no actual effects on security given the particular nature of this one.
Tiny bit of work on Nox.

Began work on trimming down the page structs to only the necessary parts.
This commit is contained in:
Azareal 2018-06-01 15:02:29 +10:00
parent f85bf51103
commit d897e05256
12 changed files with 73 additions and 46 deletions

View File

@ -21,6 +21,7 @@ type Header struct {
Themes map[string]*Theme // TODO: Use a slice containing every theme instead of the main map for speed?
Theme *Theme
//TemplateName string // TODO: Use this to move template calls to the router rather than duplicating them over and over and over?
// TODO: Use a pointer here
CurrentUser User // TODO: Deprecate CurrentUser on the page structs
Zone string
MetaDesc string
@ -98,40 +99,30 @@ type ForumPage struct {
}
type ForumsPage struct {
Title string
CurrentUser User
Header *Header
*Header
ItemList []Forum
}
type ProfilePage struct {
Title string
CurrentUser User
Header *Header
*Header
ItemList []ReplyUser
ProfileOwner User
}
type CreateTopicPage struct {
Title string
CurrentUser User
Header *Header
*Header
ItemList []Forum
FID int
}
type IPSearchPage struct {
Title string
CurrentUser User
Header *Header
*Header
ItemList map[int]*User
IP string
}
type EmailListPage struct {
Title string
CurrentUser User
Header *Header
*Header
ItemList []Email
Something interface{}
}

View File

@ -68,6 +68,7 @@ func forumUserCheck(w http.ResponseWriter, r *http.Request, user *User, fid int)
return header, InternalError(err, w, r)
}
cascadeForumPerms(fperms, user)
header.CurrentUser = *user // TODO: Use a pointer instead for CurrentUser, so we don't have to do this
return header, rerr
}
@ -196,7 +197,7 @@ func userCheck(w http.ResponseWriter, r *http.Request, user *User) (header *Head
Settings: SettingBox.Load().(SettingMap),
Themes: Themes,
Theme: theme,
CurrentUser: *user,
CurrentUser: *user, // ! Some things rely on this being a pointer downstream from this function
Zone: "frontend",
Writer: w,
}

View File

@ -187,7 +187,8 @@ func CompileTemplates() error {
}
varList = make(map[string]tmpl.VarItem)
ppage := ProfilePage{"User 526", user, header, replyList, user}
header.Title = "User 526"
ppage := ProfilePage{header, replyList, user}
profileTmpl, err := c.Compile("profile.html", "templates/", "common.ProfilePage", ppage, varList)
if err != nil {
return err
@ -204,7 +205,8 @@ func CompileTemplates() error {
forumList = append(forumList, *forum)
}
varList = make(map[string]tmpl.VarItem)
forumsPage := ForumsPage{"Forum List", user, header, forumList}
header.Title = "Forum List"
forumsPage := ForumsPage{header, forumList}
forumsTmpl, err := c.Compile("forums.html", "templates/", "common.ForumsPage", forumsPage, varList)
if err != nil {
return err
@ -247,7 +249,8 @@ func CompileTemplates() error {
var ipUserList = make(map[int]*User)
ipUserList[1] = &user2
ipSearchPage := IPSearchPage{"IP Search", user2, header, ipUserList, "::1"}
header.Title = "IP Search"
ipSearchPage := IPSearchPage{header2, ipUserList, "::1"}
ipSearchTmpl, err := c.Compile("ip_search.html", "templates/", "common.IPSearchPage", ipSearchPage, varList)
if err != nil {
return err

View File

@ -417,10 +417,12 @@ func AccountEditUsernameSubmit(w http.ResponseWriter, r *http.Request, user comm
}
func AccountEditEmail(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError {
headerVars, ferr := common.UserCheck(w, r, &user)
header, ferr := common.UserCheck(w, r, &user)
if ferr != nil {
return ferr
}
// TODO: Add a phrase for this
header.Title = "Email Manager"
emails, err := common.Emails.GetEmailsByUser(&user)
if err != nil {
@ -438,13 +440,13 @@ func AccountEditEmail(w http.ResponseWriter, r *http.Request, user common.User)
}
if !common.Site.EnableEmails {
headerVars.NoticeList = append(headerVars.NoticeList, common.GetNoticePhrase("account_mail_disabled"))
header.NoticeList = append(header.NoticeList, common.GetNoticePhrase("account_mail_disabled"))
}
if r.FormValue("verified") == "1" {
headerVars.NoticeList = append(headerVars.NoticeList, common.GetNoticePhrase("account_mail_verify_success"))
header.NoticeList = append(header.NoticeList, common.GetNoticePhrase("account_mail_verify_success"))
}
pi := common.EmailListPage{"Email Manager", user, headerVars, emails, nil}
pi := common.EmailListPage{header, emails, nil}
if common.RunPreRenderHook("pre_render_account_own_edit_email", w, r, &user, &pi) {
return nil
}

View File

@ -12,6 +12,7 @@ func ForumList(w http.ResponseWriter, r *http.Request, user common.User) common.
if ferr != nil {
return ferr
}
header.Title = common.GetTitlePhrase("forums")
header.Zone = "forums"
header.MetaDesc = header.Settings["meta_desc"].(string)
@ -50,7 +51,7 @@ func ForumList(w http.ResponseWriter, r *http.Request, user common.User) common.
}
}
pi := common.ForumsPage{common.GetTitlePhrase("forums"), user, header, forumList}
pi := common.ForumsPage{header, forumList}
if common.RunPreRenderHook("pre_render_forum_list", w, r, &user, &pi) {
return nil
}

View File

@ -11,6 +11,8 @@ func IPSearch(w http.ResponseWriter, r *http.Request, user common.User) common.R
if ferr != nil {
return ferr
}
header.Title = common.GetTitlePhrase("ip_search")
// TODO: How should we handle the permissions if we extend this into an alt detector of sorts?
if !user.Perms.ViewIPs {
return common.NoPermissions(w, r, user)
@ -29,7 +31,7 @@ func IPSearch(w http.ResponseWriter, r *http.Request, user common.User) common.R
return common.InternalError(err, w, r)
}
pi := common.IPSearchPage{common.GetTitlePhrase("ip_search"), user, header, userList, ip}
pi := common.IPSearchPage{header, userList, ip}
if common.RunPreRenderHook("pre_render_ip_search", w, r, &user, &pi) {
return nil
}

View File

@ -66,6 +66,8 @@ func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User) commo
return common.InternalError(err, w, r)
}
}
// TODO: Add a phrase for this title
header.Title = puser.Name + "'s Profile"
// Get the replies..
rows, err := profileStmts.getReplies.Query(puser.ID)
@ -114,8 +116,7 @@ func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User) commo
return common.InternalError(err, w, r)
}
// TODO: Add a phrase for this title
ppage := common.ProfilePage{puser.Name + "'s Profile", user, header, replyList, *puser}
ppage := common.ProfilePage{header, replyList, *puser}
if common.RunPreRenderHook("pre_render_profile", w, r, &user, &ppage) {
return nil
}

View File

@ -38,6 +38,9 @@ func CreateReplySubmit(w http.ResponseWriter, r *http.Request, user common.User)
if !user.Perms.ViewTopic || !user.Perms.CreateReply {
return common.NoPermissions(w, r, user)
}
if topic.IsClosed && !user.Perms.CloseTopic {
return common.NoPermissions(w, r, user)
}
// Handle the file attachments
// TODO: Stop duplicating this code
@ -218,6 +221,9 @@ func ReplyEditSubmit(w http.ResponseWriter, r *http.Request, user common.User, s
if !user.Perms.ViewTopic || !user.Perms.EditReply {
return common.NoPermissionsJSQ(w, r, user, isJs)
}
if topic.IsClosed && !user.Perms.CloseTopic {
return common.NoPermissionsJSQ(w, r, user, isJs)
}
err = reply.SetPost(r.PostFormValue("edit_item"))
if err == sql.ErrNoRows {

View File

@ -78,11 +78,6 @@ func ViewTopic(w http.ResponseWriter, r *http.Request, user common.User, urlBit
topic.ContentHTML = common.ParseMessage(topic.Content, topic.ParentID, "forums")
topic.ContentLines = strings.Count(topic.Content, "\n")
// We don't want users posting in locked topics...
if topic.IsClosed && !user.IsMod {
user.Perms.CreateReply = false
}
postGroup, err := common.Groups.Get(topic.Group)
if err != nil {
return common.InternalError(err, w, r)
@ -238,6 +233,7 @@ func ViewTopic(w http.ResponseWriter, r *http.Request, user common.User, urlBit
// ? - Should we allow banned users to make reports? How should we handle report abuse?
// TODO: Add a permission to stop certain users from using custom avatars
// ? - Log username changes and put restrictions on this?
// TODO: Test this
func CreateTopic(w http.ResponseWriter, r *http.Request, user common.User, sfid string) common.RouteError {
var fid int
var err error
@ -251,19 +247,21 @@ func CreateTopic(w http.ResponseWriter, r *http.Request, user common.User, sfid
fid = common.Config.DefaultForum
}
headerVars, ferr := common.ForumUserCheck(w, r, &user, fid)
header, ferr := common.ForumUserCheck(w, r, &user, fid)
if ferr != nil {
return ferr
}
if !user.Perms.ViewTopic || !user.Perms.CreateTopic {
return common.NoPermissions(w, r, user)
}
headerVars.Zone = "create_topic"
// TODO: Add a phrase for this
header.Title = "Create Topic"
header.Zone = "create_topic"
// Lock this to the forum being linked?
// Should we always put it in strictmode when it's linked from another forum? Well, the user might end up changing their mind on what forum they want to post in and it would be a hassle, if they had to switch pages, even if it is a single click for many (exc. mobile)
var strictmode bool
common.RunVhook("topic_create_pre_loop", w, r, fid, &headerVars, &user, &strictmode)
common.RunVhook("topic_create_pre_loop", w, r, fid, &header, &user, &strictmode)
// TODO: Re-add support for plugin_guilds
var forumList []common.Forum
@ -306,12 +304,12 @@ func CreateTopic(w http.ResponseWriter, r *http.Request, user common.User, sfid
}
}
ctpage := common.CreateTopicPage{"Create Topic", user, headerVars, forumList, fid}
ctpage := common.CreateTopicPage{header, forumList, fid}
if common.RunPreRenderHook("pre_render_create_topic", w, r, &user, &ctpage) {
return nil
}
err = common.RunThemeTemplate(headerVars.Theme.Name, "create_topic", ctpage, w)
err = common.RunThemeTemplate(header.Theme.Name, "create_topic", ctpage, w)
if err != nil {
return common.InternalError(err, w, r)
}
@ -511,6 +509,9 @@ func EditTopicSubmit(w http.ResponseWriter, r *http.Request, user common.User, s
if !user.Perms.ViewTopic || !user.Perms.EditTopic {
return common.NoPermissionsJSQ(w, r, user, isJs)
}
if topic.IsClosed && !user.Perms.CloseTopic {
return common.NoPermissionsJSQ(w, r, user, isJs)
}
err = topic.Update(r.PostFormValue("topic_name"), r.PostFormValue("topic_content"))
// TODO: Avoid duplicating this across this route and the topic creation route

View File

@ -15,10 +15,13 @@
<div class="rowitem topic_item{{if .Topic.Sticky}} topic_sticky_head{{else if .Topic.IsClosed}} topic_closed_head{{end}}">
<h1 class='topic_name hide_on_edit' title='{{.Topic.Title}}'>{{.Topic.Title}}</h1>
{{if .Topic.IsClosed}}<span class='username hide_on_micro topic_status_e topic_status_closed hide_on_edit' title='{{lang "status_closed_tooltip"}}' aria-label='{{lang "topic_status_closed_aria"}}'>&#x1F512;&#xFE0E</span>{{end}}
{{/** TODO: Does this need to be guarded by a permission? It's only visible in edit mode anyway, which can't be triggered, if they don't have the permission **/}}
{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
{{if .CurrentUser.Perms.EditTopic}}
<input form='edit_topic_form' class='show_on_edit topic_name_input' name="topic_name" value='{{.Topic.Title}}' type="text" aria-label="{{lang "topic_title_input_aria"}}" />
<button form='edit_topic_form' name="topic-button" class="formbutton show_on_edit submit_edit">{{lang "topic_update_button"}}</button>
{{end}}
{{end}}
</div>
</div>
{{if .Poll.ID}}
@ -58,7 +61,9 @@
{{if .CurrentUser.Perms.LikeItem}}<a href="/topic/like/submit/{{.Topic.ID}}?session={{.CurrentUser.Session}}" class="mod_button"{{if .Topic.Liked}} title="{{lang "topic_unlike_tooltip"}}" aria-label="{{lang "topic_unlike_aria"}}"{{else}} title="{{lang "topic_like_tooltip"}}" aria-label="{{lang "topic_like_aria"}}"{{end}} style="color:#202020;">
<button class="username like_label {{if .Topic.Liked}}remove_like{{else}}add_like{{end}}"></button></a>{{end}}
{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
{{if .CurrentUser.Perms.EditTopic}}<a href='/topic/edit/{{.Topic.ID}}' class="mod_button open_edit" style="font-weight:normal;" title="{{lang "topic_edit_tooltip"}}" aria-label="{{lang "topic_edit_aria"}}"><button class="username edit_label"></button></a>{{end}}
{{end}}
{{if .CurrentUser.Perms.DeleteTopic}}<a href='/topic/delete/submit/{{.Topic.ID}}?session={{.CurrentUser.Session}}' class="mod_button" style="font-weight:normal;" title="{{lang "topic_delete_tooltip"}}" aria-label="{{lang "topic_delete_aria"}}"><button class="username trash_label"></button></a>{{end}}
@ -91,7 +96,9 @@
<a href="{{.UserLink}}" class="username real_username" rel="author">{{.CreatedByName}}</a>&nbsp;&nbsp;
{{if $.CurrentUser.Perms.LikeItem}}{{if .Liked}}<a href="/reply/like/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="mod_button" title="{{lang "topic_post_like_tooltip"}}" aria-label="{{lang "topic_post_like_aria"}}" style="color:#202020;"><button class="username like_label remove_like"></button></a>{{else}}<a href="/reply/like/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="mod_button" title="{{lang "topic_post_unlike_tooltip"}}" aria-label="{{lang "topic_post_unlike_aria"}}" style="color:#202020;"><button class="username like_label add_like"></button></a>{{end}}{{end}}
{{if not $.Topic.IsClosed or $.CurrentUser.Perms.CloseTopic}}
{{if $.CurrentUser.Perms.EditReply}}<a href="/reply/edit/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="mod_button" title="{{lang "topic_post_edit_tooltip"}}" aria-label="{{lang "topic_post_edit_aria"}}"><button class="username edit_item edit_label"></button></a>{{end}}
{{end}}
{{if $.CurrentUser.Perms.DeleteReply}}<a href="/reply/delete/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="mod_button" title="{{lang "topic_post_delete_tooltip"}}" aria-label="{{lang "topic_post_delete_aria"}}"><button class="username delete_item trash_label"></button></a>{{end}}
{{if $.CurrentUser.Perms.ViewIPs}}<a class="mod_button" href='/users/ips/?ip={{.IPAddress}}' style="font-weight:normal;" title="{{lang "topic_post_ip_tooltip"}}" aria-label="The poster's IP is {{.IPAddress}}"><button class="username ip_label"></button></a>{{end}}
@ -106,6 +113,7 @@
{{end}}{{end}}</div>
{{if .CurrentUser.Perms.CreateReply}}
{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
<div class="rowblock topic_reply_form quick_create_form" aria-label="{{lang "topic_reply_aria"}}">
<form id="quick_post_form" enctype="multipart/form-data" action="/reply/create/?session={{.CurrentUser.Session}}" method="post"></form>
<input form="quick_post_form" name="tid" value='{{.Topic.ID}}' type="hidden" />
@ -136,6 +144,7 @@
</div>
</div>
{{end}}
{{end}}
</main>

View File

@ -14,10 +14,13 @@
<h1 class='topic_name hide_on_edit' title='{{.Topic.Title}}'>{{.Topic.Title}}</h1>
{{/** TODO: Inline this CSS **/}}
{{if .Topic.IsClosed}}<span class='username hide_on_micro topic_status_e topic_status_closed hide_on_edit' title='{{lang "status_closed_tooltip"}}' aria-label='{{lang "topic_status_closed_aria"}}' style="font-weight:normal;float: right;position:relative;top:-5px;">&#x1F512;&#xFE0E</span>{{end}}
{{/** TODO: Does this need to be guarded by a permission? It's only visible in edit mode anyway, which can't be triggered, if they don't have the permission **/}}
{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
{{if .CurrentUser.Perms.EditTopic}}
<input class='show_on_edit topic_name_input' name="topic_name" value='{{.Topic.Title}}' type="text" aria-label="{{lang "topic_title_input_aria"}}" />
<button name="topic-button" class="formbutton show_on_edit submit_edit">{{lang "topic_update_button"}}</button>
{{end}}
{{end}}
</div>
</form>
</div>
@ -66,7 +69,9 @@
<div class="controls button_container{{if .Topic.LikeCount}} has_likes{{end}}">
{{if .CurrentUser.Loggedin}}
{{if .CurrentUser.Perms.LikeItem}}<a href="/topic/like/submit/{{.Topic.ID}}?session={{.CurrentUser.Session}}" class="action_button like_item {{if .Topic.Liked}}remove_like{{else}}add_like{{end}}" aria-label="{{lang "topic_like_aria"}}" data-action="like"></a>{{end}}
{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
{{if .CurrentUser.Perms.EditTopic}}<a href="/topic/edit/{{.Topic.ID}}" class="action_button open_edit" aria-label="{{lang "topic_edit_aria"}}" data-action="edit"></a>{{end}}
{{end}}
{{if .CurrentUser.Perms.DeleteTopic}}<a href="/topic/delete/submit/{{.Topic.ID}}?session={{.CurrentUser.Session}}" class="action_button delete_item" aria-label="{{lang "topic_delete_aria"}}" data-action="delete"></a>{{end}}
{{if .CurrentUser.Perms.CloseTopic}}
{{if .Topic.IsClosed}}<a href='/topic/unlock/submit/{{.Topic.ID}}?session={{.CurrentUser.Session}}' class="action_button unlock_item" data-action="unlock" aria-label="{{lang "topic_unlock_aria"}}"></a>{{else}}<a href='/topic/lock/submit/{{.Topic.ID}}?session={{.CurrentUser.Session}}' class="action_button lock_item" data-action="lock" aria-label="{{lang "topic_lock_aria"}}"></a>{{end}}{{end}}
@ -102,7 +107,9 @@
<div class="controls button_container{{if .LikeCount}} has_likes{{end}}">
{{if $.CurrentUser.Loggedin}}
{{if $.CurrentUser.Perms.LikeItem}}<a href="/reply/like/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="action_button like_item {{if .Liked}}remove_like{{else}}add_like{{end}}" aria-label="{{lang "topic_post_like_aria"}}" data-action="like"></a>{{end}}
{{if not $.Topic.IsClosed or $.CurrentUser.Perms.CloseTopic}}
{{if $.CurrentUser.Perms.EditReply}}<a href="/reply/edit/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="action_button edit_item" aria-label="{{lang "topic_post_edit_aria"}}" data-action="edit"></a>{{end}}
{{end}}
{{if $.CurrentUser.Perms.DeleteReply}}<a href="/reply/delete/submit/{{.ID}}?session={{$.CurrentUser.Session}}" class="action_button delete_item" aria-label="{{lang "topic_post_delete_aria"}}" data-action="delete"></a>{{end}}
{{if $.CurrentUser.Perms.ViewIPs}}<a href="/users/ips/?ip={{.IPAddress}}" title="{{lang "topic_ip_full_tooltip"}}" class="action_button ip_item_button hide_on_big" aria-label="{{lang "topic_ip_full_aria"}}" data-action="ip"></a>{{end}}
<a href="/report/submit/{{.ID}}?session={{$.CurrentUser.Session}}&type=reply" class="action_button report_item" aria-label="{{lang "topic_report_aria"}}" data-action="report"></a>
@ -121,6 +128,7 @@
{{end}}</div>
{{if .CurrentUser.Perms.CreateReply}}
{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
<div class="rowblock topic_reply_container">
<div class="userinfo" aria-label="{{lang "topic_your_information"}}">
<div class="avatar_item" style="background-image: url({{.CurrentUser.Avatar}}), url(/static/white-dot.jpg);background-position: 0px -10px;">&nbsp;</div>
@ -158,6 +166,7 @@
</div>
</div>
{{end}}
{{end}}
</main>

View File

@ -222,8 +222,9 @@ h1, h3 {
}
.pageitem {
font-size: 17px;
background-color: #444444;
padding: 6px;
padding: 7px;
margin-right: 6px;
}