
feat(controllers/post): implement auth check which returns if you can…
… view deleted posts or not
akinsey committed Jul 25, 2023
1 parent f50a83f commit 4032a0f
Showing 1 changed file with 27 additions and 0 deletions.
27 changes: 27 additions & 0 deletions lib/epochtalk_server_web/controllers/post.ex
Expand Up @@ -60,6 +60,7 @@ defmodule EpochtalkServerWeb.Controllers.Post do
:ok <- ACL.allow!(conn, "posts.byThread"),
{:can_read, {:ok, true}} <-
{:can_read, Board.get_read_access_by_thread_id(thread_id, user_priority)},
_view_deleted_posts <- can_authed_user_view_deleted_posts(user, thread_id),
{:ok, write_access} <- Board.get_write_access_by_thread_id(thread_id, user_priority),
{:ok, board_banned} <- BoardBan.is_banned_from_board(user, thread_id: thread_id),
board_mapping <- BoardMapping.all(),
Expand Down Expand Up @@ -106,4 +107,30 @@ defmodule EpochtalkServerWeb.Controllers.Post do
ErrorHelpers.render_json_error(conn, 400, "Error, cannot get posts by thread")
end
end

## === Private Helper Functions ===

defp can_authed_user_view_deleted_posts(user, thread_id) do
view_all = ACL.has_permission(user, "posts.byThread.bypass.viewDeletedPosts.admin")
view_some = ACL.has_permission(user, "posts.byThread.bypass.viewDeletedPosts.mod")
view_self_mod = ACL.has_permission(user, "posts.byThread.bypass.viewDeletedPosts.selfMod")
view_priority = ACL.has_permission(user, "posts.byThread.bypass.viewDeletedPosts.priority")

user_id = Map.get(user, :id)
moderated_boards = BoardModerator.get_user_moderated_boards(user_id)

cond do
view_all or view_priority ->
true

view_some and moderated_boards != [] ->
moderated_boards

view_self_mod and moderated_boards == [] ->
Thread.is_self_moderated_by_user(thread_id, user_id)

true ->
false
end
end
end
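Review bot: The new `with` clause `_view_deleted_posts <- can_authed_user_view_deleted_posts(user, thread_id)` binds its result to an underscore-prefixed name, so nothing in this hunk consumes it and the check does not yet influence which posts are returned; if the filtering is meant to happen later in that function (which starts and continues outside the hunk), the binding should be renamed and passed along, otherwise the four permission lookups plus the moderated-boards query run on every request to no effect. The helper in the second hunk also returns mixed shapes — `true`, `false`, the list from `BoardModerator.get_user_moderated_boards/1`, or whatever `Thread.is_self_moderated_by_user/2` yields — which makes the eventual caller's test easy to get wrong, since a non-empty list is truthy but so is any unexpected value. At minimum I would add above the `defp` a comment such as `# Returns true (may view all deleted posts), the user's moderated boards (may view deleted posts only in those), the self-moderation result for this thread, or false`, and preferably normalize the clauses to tagged tuples so callers match on shape rather than on truthiness. Note also that a user holding only the selfMod permission while moderating at least one board falls through to `false`, which may or may not be intended.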
