aykhans/slash-e
1
0
Fork 0
mirror of https://github.com/aykhans/slash-e.git synced 2025-04-20 22:07:15 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

feat: add validate shortcut link

Browse Source
This commit is contained in:
Steven 2023-06-25 22:14:14 +08:00
parent cffd6b1431
commit 2be3eab35e
1 changed files with 43 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

46
api/v1/shortcut.go
View File

@ -8,13 +8,14 @@ import (
"strconv"
"strings"
"github.com/boojack/shortify/internal/util"
"github.com/boojack/shortify/store"
"github.com/pkg/errors"
"github.com/labstack/echo/v4"
)
// Visibility is the type of a visibility.
// Visibility is the type of a shortcut visibility.
type Visibility string
const (
@ -85,6 +86,9 @@ func (s *APIV1Service) registerShortcutRoutes(g *echo.Group) {
if err := json.NewDecoder(c.Request().Body).Decode(create); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "Malformatted post shortcut request").SetInternal(err)
}
if !validateLink(create.Link) {
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid link: %s", create.Link))
}
shortcut, err := s.Store.CreateShortcut(ctx, &store.Shortcut{
CreatorID: userID,
@ -119,6 +123,12 @@ func (s *APIV1Service) registerShortcutRoutes(g *echo.Group) {
if !ok {
return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
}
currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
ID: &userID,
})
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
}
shortcut, err := s.Store.GetShortcut(ctx, &store.FindShortcut{
ID: &shortcutID,
@ -129,14 +139,17 @@ func (s *APIV1Service) registerShortcutRoutes(g *echo.Group) {
if shortcut == nil {
return echo.NewHTTPError(http.StatusNotFound, "Shortcut not found")
}
if shortcut.CreatorID != userID {
return echo.NewHTTPError(http.StatusForbidden, "Shortcut does not belong to user")
if shortcut.CreatorID != userID && currentUser.Role != store.RoleAdmin {
return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to update shortcut")
}
patch := &PatchShortcutRequest{}
if err := json.NewDecoder(c.Request().Body).Decode(patch); err != nil {
return echo.NewHTTPError(http.StatusBadRequest, "Malformatted patch shortcut request").SetInternal(err)
}
if patch.Link != nil && !validateLink(*patch.Link) {
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("Invalid link: %s", *patch.Link))
}
shortcutUpdate := &store.UpdateShortcut{
ID: shortcutID,
@ -239,6 +252,29 @@ func (s *APIV1Service) registerShortcutRoutes(g *echo.Group) {
if err != nil {
return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
}
userID, ok := c.Get(getUserIDContextKey()).(int)
if !ok {
return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
}
currentUser, err := s.Store.GetUser(ctx, &store.FindUser{
ID: &userID,
})
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find user").SetInternal(err)
}
shortcut, err := s.Store.GetShortcut(ctx, &store.FindShortcut{
ID: &shortcutID,
})
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Failed to find shortcut").SetInternal(err)
}
if shortcut == nil {
return echo.NewHTTPError(http.StatusNotFound, "Shortcut not found")
}
if shortcut.CreatorID != userID && currentUser.Role != store.RoleAdmin {
return echo.NewHTTPError(http.StatusForbidden, "Unauthorized to delete shortcut")
}
if err := s.Store.DeleteShortcut(ctx, &store.DeleteShortcut{
ID: shortcutID,
@ -329,3 +365,7 @@ func convertShortcutFromStore(shortcut *store.Shortcut) *Shortcut {
Tags: tags,
}
}
func validateLink(link string) bool {
return util.HasPrefixes(link, "http://", "https://")
}