velvox
/
litecord
mirror of https://gitlab.com/litecord/litecord.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

invites: add permission checks

This commit is contained in:
Luna Mendes 2018-11-21 20:38:16 -03:00
parent 3c9515b867
commit 5c4c6edc89
1 changed files with 16 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

36
litecord/blueprints/invites.py
View File

@ -8,10 +8,13 @@ from ..auth import token_check
from ..schemas import validate, INVITE from ..schemas import validate, INVITE
from ..enums import ChannelType from ..enums import ChannelType
from ..errors import BadRequest, Forbidden from ..errors import BadRequest, Forbidden
from .channels import channel_check from .guilds import create_guild_settings
from .guilds import guild_check, create_guild_settings
from ..utils import async_map from ..utils import async_map
from litecord.blueprints.checks import (
channel_check, channel_perm_check, guild_check, guild_perm_check
)
log = Logger(__name__) log = Logger(__name__)
bp = Blueprint('invites', __name__) bp = Blueprint('invites', __name__)
@ -23,7 +26,7 @@ async def create_invite(channel_id):
j = validate(await request.get_json(), INVITE) j = validate(await request.get_json(), INVITE)
_ctype, guild_id = await channel_check(user_id, channel_id) _ctype, guild_id = await channel_check(user_id, channel_id)
# TODO: check CREATE_INSTANT_INVITE permission await channel_perm_check(user_id, channel_id, 'create_invites')
chantype = await app.storage.get_chan_type(channel_id) chantype = await app.storage.get_chan_type(channel_id)
if chantype not in (ChannelType.GUILD_TEXT.value, if chantype not in (ChannelType.GUILD_TEXT.value,
@ -70,26 +73,16 @@ async def get_invite_2(invite_code: str):
async def delete_invite(invite_code: str): async def delete_invite(invite_code: str):
user_id = await token_check() user_id = await token_check()
gid = await app.db.fetchval(""" guild_id = await app.db.fetchval("""
SELECT guild_id SELECT guild_id
FROM invites FROM invites
WHERE code = $1 WHERE code = $1
""", invite_code) """, invite_code)
if gid is None: if guild_id is None:
raise BadRequest('Unknown invite') raise BadRequest('Unknown invite')
# TODO: check MANAGE_CHANNELS permission await guild_perm_check(user_id, guild_id, 'manage_channels')
# for now we'll go with checking owner
owner_id = await app.db.fetchval("""
SELECT owner_id
FROM guilds
WHERE id = $1
""". gid)
if owner_id != user_id:
raise Forbidden('Not guild owner')
inv = await app.storage.get_invite(invite_code) inv = await app.storage.get_invite(invite_code)
@ -109,8 +102,11 @@ async def _get_inv(code):
@bp.route('/guilds/<int:guild_id>/invites', methods=['GET']) @bp.route('/guilds/<int:guild_id>/invites', methods=['GET'])
async def get_guild_invites(guild_id: int): async def get_guild_invites(guild_id: int):
"""Get all invites for a guild."""
user_id = await token_check() user_id = await token_check()
await guild_check(user_id, guild_id) await guild_check(user_id, guild_id)
await guild_perm_check(user_id, guild_id, 'manage_guild')
inv_codes = await app.db.fetch(""" inv_codes = await app.db.fetch("""
SELECT code SELECT code
@ -118,8 +114,6 @@ async def get_guild_invites(guild_id: int):
WHERE guild_id = $1 WHERE guild_id = $1
""", guild_id) """, guild_id)
# TODO: MANAGE_GUILD permission
inv_codes = [r['code'] for r in inv_codes] inv_codes = [r['code'] for r in inv_codes]
invs = await async_map(_get_inv, inv_codes) invs = await async_map(_get_inv, inv_codes)
return jsonify(invs) return jsonify(invs)
@ -127,8 +121,11 @@ async def get_guild_invites(guild_id: int):
@bp.route('/channels/<int:channel_id>/invites', methods=['GET']) @bp.route('/channels/<int:channel_id>/invites', methods=['GET'])
async def get_channel_invites(channel_id: int): async def get_channel_invites(channel_id: int):
"""Get all invites for a channel."""
user_id = await token_check() user_id = await token_check()
_ctype, guild_id = await channel_check(user_id, channel_id) _ctype, guild_id = await channel_check(user_id, channel_id)
await guild_perm_check(user_id, guild_id, 'manage_channels')
inv_codes = await app.db.fetch(""" inv_codes = await app.db.fetch("""
SELECT code SELECT code
@ -136,8 +133,6 @@ async def get_channel_invites(channel_id: int):
WHERE guild_id = $1 AND channel_id = $2 WHERE guild_id = $1 AND channel_id = $2
""", guild_id, channel_id) """, guild_id, channel_id)
# TODO: check MANAGE_CHANNELS permission
inv_codes = [r['code'] for r in inv_codes] inv_codes = [r['code'] for r in inv_codes]
invs = await async_map(_get_inv, inv_codes) invs = await async_map(_get_inv, inv_codes)
return jsonify(invs) return jsonify(invs)
@ -145,6 +140,7 @@ async def get_channel_invites(channel_id: int):
@bp.route('/invite/<invite_code>', methods=['POST']) @bp.route('/invite/<invite_code>', methods=['POST'])
async def use_invite(invite_code): async def use_invite(invite_code):
"""Use an invite."""
user_id = await token_check() user_id = await token_check()
guild_id = await app.db.fetchval(""" guild_id = await app.db.fetchval("""