ulysia/szurubooru
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Resolved the logout issue for when users:create:any is executed.

Browse source 
* Resolved an issue where user_tokens:*:any permissions didn't operate on the correct user.
* Updated user_token -> user_tokens permissions to mirror other permissions.
This commit is contained in:
ReAnzu 2018-02-27 18:34:37 -06:00
parent 05d2785ec6
commit 70a42c9df2
4 changed files with 36 additions and 26 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
client/js/controllers/user_controller.js
View file

@ -73,10 +73,10 @@ class UserController {
canEditRank: api.hasPrivilege(`users:edit:${infix}:rank`), canEditRank: api.hasPrivilege(`users:edit:${infix}:rank`),
canEditAvatar: api.hasPrivilege(`users:edit:${infix}:avatar`), canEditAvatar: api.hasPrivilege(`users:edit:${infix}:avatar`),
canEditAnything: api.hasPrivilege(`users:edit:${infix}`), canEditAnything: api.hasPrivilege(`users:edit:${infix}`),
canListTokens: api.hasPrivilege(`userToken:list:${infix}`), canListTokens: api.hasPrivilege(`userTokens:list:${infix}`),
canCreateToken: api.hasPrivilege(`userToken:create:${infix}`), canCreateToken: api.hasPrivilege(`userTokens:create:${infix}`),
canEditToken: api.hasPrivilege(`userToken:edit:${infix}`), canEditToken: api.hasPrivilege(`userTokens:edit:${infix}`),
canDeleteToken: api.hasPrivilege(`userToken:delete:${infix}`), canDeleteToken: api.hasPrivilege(`userTokens:delete:${infix}`),
canDelete: api.hasPrivilege(`users:delete:${infix}`), canDelete: api.hasPrivilege(`users:delete:${infix}`),
ranks: ranks, ranks: ranks,
tokens: userTokens, tokens: userTokens,

11
client/js/controllers/user_registration_controller.js
View file

@ -29,13 +29,22 @@ class UserRegistrationController {
user.name = e.detail.name; user.name = e.detail.name;
user.email = e.detail.email; user.email = e.detail.email;
user.password = e.detail.password; user.password = e.detail.password;
const isLoggedIn = api.isLoggedIn();
user.save().then(() => { user.save().then(() => {
// TODO: Support the flow where an admin creates a user. Don't log them out... if (isLoggedIn) {
return Promise.resolve();
} else {
api.forget(); api.forget();
return api.login(e.detail.name, e.detail.password, false); return api.login(e.detail.name, e.detail.password, false);
}
}).then(() => { }).then(() => {
if (isLoggedIn) {
const ctx = router.show(uri.formatClientLink('users'));
ctx.controller.showSuccess('User added!');
} else {
const ctx = router.show(uri.formatClientLink()); const ctx = router.show(uri.formatClientLink());
ctx.controller.showSuccess('Welcome aboard!'); ctx.controller.showSuccess('Welcome aboard!');
}
}, error => { }, error => {
this._view.showError(error.message); this._view.showError(error.message);
this._view.enableForm(); this._view.enableForm();

19
config.yaml.dist
View file

@ -70,7 +70,8 @@ default_rank: regular
privileges: privileges:
'users:create': anonymous 'users:create:self': anonymous # Registration permission
'users:create:any': administrator
'users:list': regular 'users:list': regular
'users:view': regular 'users:view': regular
'users:edit:any:name': moderator 'users:edit:any:name': moderator
@ -86,14 +87,14 @@ privileges:
'users:delete:any': administrator 'users:delete:any': administrator
'users:delete:self': regular 'users:delete:self': regular
'user_token:list:any': administrator 'user_tokens:list:any': administrator
'user_token:list:self': regular 'user_tokens:list:self': regular
'user_token:create:any': administrator 'user_tokens:create:any': administrator
'user_token:create:self': regular 'user_tokens:create:self': regular
'user_token:edit:any': administrator 'user_tokens:edit:any': administrator
'user_token:edit:self': regular 'user_tokens:edit:self': regular
'user_token:delete:any': administrator 'user_tokens:delete:any': administrator
'user_token:delete:self': regular 'user_tokens:delete:self': regular
'posts:create:anonymous': regular 'posts:create:anonymous': regular
'posts:create:identified': regular 'posts:create:identified': regular

16
server/szurubooru/api/user_token_api.py
View file

@ -16,8 +16,8 @@ def _serialize(
def get_user_tokens(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response: def get_user_tokens(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
user = users.get_user_by_name(params['user_name']) user = users.get_user_by_name(params['user_name'])
infix = 'self' if ctx.user.user_id == user.user_id else 'any' infix = 'self' if ctx.user.user_id == user.user_id else 'any'
auth.verify_privilege(ctx.user, 'user_token:list:%s' % infix) auth.verify_privilege(ctx.user, 'user_tokens:list:%s' % infix)
user_token_list = user_tokens.get_user_tokens(ctx.user) user_token_list = user_tokens.get_user_tokens(user)
return { return {
"results": [_serialize(ctx, token) for token in user_token_list] "results": [_serialize(ctx, token) for token in user_token_list]
} }
@ -27,8 +27,8 @@ def get_user_tokens(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Resp
def create_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response: def create_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
user = users.get_user_by_name(params['user_name']) user = users.get_user_by_name(params['user_name'])
infix = 'self' if ctx.user.user_id == user.user_id else 'any' infix = 'self' if ctx.user.user_id == user.user_id else 'any'
auth.verify_privilege(ctx.user, 'user_token:create:%s' % infix) auth.verify_privilege(ctx.user, 'user_tokens:create:%s' % infix)
user_token = user_tokens.create_user_token(ctx.user) user_token = user_tokens.create_user_token(user)
return _serialize(ctx, user_token) return _serialize(ctx, user_token)
@ -36,8 +36,8 @@ def create_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Re
def edit_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response: def edit_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Response:
user = users.get_user_by_name(params['user_name']) user = users.get_user_by_name(params['user_name'])
infix = 'self' if ctx.user.user_id == user.user_id else 'any' infix = 'self' if ctx.user.user_id == user.user_id else 'any'
auth.verify_privilege(ctx.user, 'user_token:edit:%s' % infix) auth.verify_privilege(ctx.user, 'user_tokens:edit:%s' % infix)
user_token = user_tokens.get_user_token_by_user_and_token(ctx.user, params['user_token']) user_token = user_tokens.get_user_token_by_user_and_token(user, params['user_token'])
versions.verify_version(user_token, ctx) versions.verify_version(user_token, ctx)
versions.bump_version(user_token) versions.bump_version(user_token)
return _serialize(ctx, user_token) return _serialize(ctx, user_token)
@ -47,8 +47,8 @@ def edit_user_token(ctx: rest.Context, params: Dict[str, str] = {}) -> rest.Resp
def delete_user_token(ctx: rest.Context, params: Dict[str, str]) -> rest.Response: def delete_user_token(ctx: rest.Context, params: Dict[str, str]) -> rest.Response:
user = users.get_user_by_name(params['user_name']) user = users.get_user_by_name(params['user_name'])
infix = 'self' if ctx.user.user_id == user.user_id else 'any' infix = 'self' if ctx.user.user_id == user.user_id else 'any'
auth.verify_privilege(ctx.user, 'user_token:delete:%s' % infix) auth.verify_privilege(ctx.user, 'user_tokens:delete:%s' % infix)
user_token = user_tokens.get_user_token_by_user_and_token(ctx.user, params['user_token']) user_token = user_tokens.get_user_token_by_user_and_token(user, params['user_token'])
if user_token is not None: if user_token is not None:
ctx.session.delete(user_token) ctx.session.delete(user_token)
ctx.session.commit() ctx.session.commit()