Commit bda79012 authored by Elizabeth Myers's avatar Elizabeth Myers 💬

Require the emoji permission to upload emoji

parent 4d4c7166
......@@ -2,6 +2,7 @@ required_permission_user = {
'auspex': 'auspex',
'ban': 'auspex',
'banned': 'ban',
'emoji': 'emoji',
'mute': 'auspex',
'muted': 'mute',
}
......@@ -12,6 +13,7 @@ required_permission_group = {
'ban': 'auspex',
'banned': 'ban',
'delete': 'delete',
'emoji': 'emoji',
'mute': 'auspex',
'muted': 'mute',
}
......@@ -20,6 +22,7 @@ default_acl_user = set()
default_acl_group = {
'auspex',
'delete',
'emoji',
'metadata',
'ban',
'mute',
......
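Review bot: `'emoji'` is added to `default_acl_group`, but `default_acl_user` (visible in the hunk header) stays `set()`, while the upload check added elsewhere in this commit reads the ACLs loaded from the `StorageUser` row. If user and group ACLs are stored separately, no user would hold `emoji` by default, and existing uploaders would start being rejected until someone grants it explicitly; worth confirming that this is intended and whether a migration or grant step is needed. The new `'emoji': 'emoji'` entries presumably mean that anyone holding `emoji` can also grant or revoke it for others, as with `'auspex': 'auspex'`. A short comment above each dict, for example `# ACL name -> permission the caller must hold to change that ACL`, would make that delegation rule explicit.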
......@@ -235,15 +235,25 @@ class EmojiFileUploader(MediaFileUploader):
async with session.begin():
# Find the user
stmt = (select(StorageUser).
where(StorageUser.username == self.user)
where(StorageUser.username == self.user).
options(selectinload(StorageUser.acls))
)
result = await session.execute(stmt)
try:
storage_src = result.one()[0]
except (NoResultFound, IndexError):
# Shouldn't happen
return web.json_response({'reason': 'Server error'},
status=500)
raise web.HTTPInternalServerError(
text='{"reason": "Internal server error"}',
content_type='application/json'
)
acls = set(x.acl for x in storage_src.acls)
if 'emoji' not in acls:
raise web.HTTPUnauthorized(
text='{"reason": "You are not authorized"}',
content_type='application/json'
)
relative_file_path = str(Path(self.relative_storage_path,
self.filename))
......
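Review bot: The missing-permission branch raises `web.HTTPUnauthorized` (401), but by then the user row has been found and only the `emoji` ACL is missing, which is the 403 case. A 401 is also expected to carry a `WWW-Authenticate` challenge, which is not set here, and clients may respond to it by re-prompting for credentials. I would change it to `raise web.HTTPForbidden(text='{"reason": "You are not authorized"}', content_type='application/json')`. The enclosing method starts and ends outside the hunk, so it is not visible whether any upload data is written before this check; if it is, the ACL check should move ahead of the first write.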