35ddc89009
Refactor database adapters. Experimental last ip cutoff. More parser test cases.
132 lines
3.9 KiB
Go
132 lines
3.9 KiB
Go
package routes
|
|
|
|
import (
|
|
"database/sql"
|
|
"net/http"
|
|
"strconv"
|
|
|
|
c "github.com/Azareal/Gosora/common"
|
|
"github.com/Azareal/Gosora/common/counters"
|
|
)
|
|
|
|
func ProfileReplyCreateSubmit(w http.ResponseWriter, r *http.Request, user c.User) c.RouteError {
|
|
if !user.Perms.ViewTopic || !user.Perms.CreateReply {
|
|
return c.NoPermissions(w, r, user)
|
|
}
|
|
uid, err := strconv.Atoi(r.PostFormValue("uid"))
|
|
if err != nil {
|
|
return c.LocalError("Invalid UID", w, r, user)
|
|
}
|
|
|
|
profileOwner, err := c.Users.Get(uid)
|
|
if err == sql.ErrNoRows {
|
|
return c.LocalError("The profile you're trying to post on doesn't exist.", w, r, user)
|
|
} else if err != nil {
|
|
return c.InternalError(err, w, r)
|
|
}
|
|
|
|
blocked, err := c.UserBlocks.IsBlockedBy(profileOwner.ID, user.ID)
|
|
if err != nil {
|
|
return c.InternalError(err, w, r)
|
|
}
|
|
// Supermods can bypass blocks so they can tell people off when they do something stupid or have to convey important information
|
|
if blocked && !user.IsSuperMod {
|
|
return c.LocalError("You don't have permission to send messages to one of these users.", w, r, user)
|
|
}
|
|
|
|
content := c.PreparseMessage(r.PostFormValue("content"))
|
|
if len(content) == 0 {
|
|
return c.LocalError("You can't make a blank post", w, r, user)
|
|
}
|
|
// TODO: Fully parse the post and store it in the parsed column
|
|
_, err = c.Prstore.Create(profileOwner.ID, content, user.ID, user.GetIP())
|
|
if err != nil {
|
|
return c.InternalError(err, w, r)
|
|
}
|
|
|
|
// ! Be careful about leaking per-route permission state with &user
|
|
alert := c.Alert{ActorID: user.ID, TargetUserID: profileOwner.ID, Event: "reply", ElementType: "user", ElementID: profileOwner.ID, Actor: &user}
|
|
err = c.AddActivityAndNotifyTarget(alert)
|
|
if err != nil {
|
|
return c.InternalError(err, w, r)
|
|
}
|
|
|
|
counters.PostCounter.Bump()
|
|
http.Redirect(w, r, "/user/"+strconv.Itoa(uid), http.StatusSeeOther)
|
|
return nil
|
|
}
|
|
|
|
func ProfileReplyEditSubmit(w http.ResponseWriter, r *http.Request, user c.User, srid string) c.RouteError {
|
|
js := r.PostFormValue("js") == "1"
|
|
rid, err := strconv.Atoi(srid)
|
|
if err != nil {
|
|
return c.LocalErrorJSQ("The provided Reply ID is not a valid number.", w, r, user, js)
|
|
}
|
|
|
|
reply, err := c.Prstore.Get(rid)
|
|
if err == sql.ErrNoRows {
|
|
return c.PreErrorJSQ("The target reply doesn't exist.", w, r, js)
|
|
} else if err != nil {
|
|
return c.InternalErrorJSQ(err, w, r, js)
|
|
}
|
|
|
|
creator, err := c.Users.Get(reply.CreatedBy)
|
|
if err != nil {
|
|
return c.InternalErrorJSQ(err, w, r, js)
|
|
}
|
|
// ? Does the admin understand that this group perm affects this?
|
|
if user.ID != creator.ID && !user.Perms.EditReply {
|
|
return c.NoPermissionsJSQ(w, r, user, js)
|
|
}
|
|
|
|
// TODO: Stop blocked users from modifying profile replies?
|
|
|
|
err = reply.SetBody(r.PostFormValue("edit_item"))
|
|
if err != nil {
|
|
return c.InternalErrorJSQ(err, w, r, js)
|
|
}
|
|
|
|
if !js {
|
|
http.Redirect(w, r, "/user/"+strconv.Itoa(creator.ID)+"#reply-"+strconv.Itoa(rid), http.StatusSeeOther)
|
|
} else {
|
|
w.Write(successJSONBytes)
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func ProfileReplyDeleteSubmit(w http.ResponseWriter, r *http.Request, user c.User, srid string) c.RouteError {
|
|
js := r.PostFormValue("js") == "1"
|
|
rid, err := strconv.Atoi(srid)
|
|
if err != nil {
|
|
return c.LocalErrorJSQ("The provided Reply ID is not a valid number.", w, r, user, js)
|
|
}
|
|
|
|
reply, err := c.Prstore.Get(rid)
|
|
if err == sql.ErrNoRows {
|
|
return c.PreErrorJSQ("The target reply doesn't exist.", w, r, js)
|
|
} else if err != nil {
|
|
return c.InternalErrorJSQ(err, w, r, js)
|
|
}
|
|
|
|
creator, err := c.Users.Get(reply.CreatedBy)
|
|
if err != nil {
|
|
return c.InternalErrorJSQ(err, w, r, js)
|
|
}
|
|
if user.ID != creator.ID && !user.Perms.DeleteReply {
|
|
return c.NoPermissionsJSQ(w, r, user, js)
|
|
}
|
|
|
|
err = reply.Delete()
|
|
if err != nil {
|
|
return c.InternalErrorJSQ(err, w, r, js)
|
|
}
|
|
//log.Printf("The profile post '%d' was deleted by c.User #%d", reply.ID, user.ID)
|
|
|
|
if !js {
|
|
//http.Redirect(w,r, "/user/" + strconv.Itoa(creator.ID), http.StatusSeeOther)
|
|
} else {
|
|
w.Write(successJSONBytes)
|
|
}
|
|
return nil
|
|
}
|