Require the emoji permission to upload emoji

dcp/acl.py

@@ -2,6 +2,7 @@ required_permission_user = {
     'auspex': 'auspex',
     'ban': 'auspex',
     'banned': 'ban',
+    'emoji': 'emoji',
     'mute': 'auspex',
     'muted': 'mute',
 }
@@ -12,6 +13,7 @@ required_permission_group = {
     'ban': 'auspex',
     'banned': 'ban',
     'delete': 'delete',
+    'emoji': 'emoji',
     'mute': 'auspex',
     'muted': 'mute',
 }
@@ -20,6 +22,7 @@ default_acl_user = set()
 default_acl_group = {
     'auspex',
     'delete',
+    'emoji',
     'metadata',
     'ban',
     'mute',

dcp/webserver/media.py

@@ -235,15 +235,25 @@ class EmojiFileUploader(MediaFileUploader):
             async with session.begin():
                 # Find the user
                 stmt = (select(StorageUser).
-                        where(StorageUser.username == self.user)
+                        where(StorageUser.username == self.user).
+                        options(selectinload(StorageUser.acls))
                         )
                 result = await session.execute(stmt)
                 try:
                     storage_src = result.one()[0]
                 except (NoResultFound, IndexError):
                     # Shouldn't happen
-                    return web.json_response({'reason': 'Server error'},
-                                             status=500)
+                    raise web.HTTPInternalServerError(
+                        text='{"reason": "Internal server error"}',
+                        content_type='application/json'
+                    )
+
+                acls = set(x.acl for x in storage_src.acls)
+                if 'emoji' not in acls:
+                    raise web.HTTPUnauthorized(
+                        text='{"reason": "You are not authorized"}',
+                        content_type='application/json'
+                    )
 
                 relative_file_path = str(Path(self.relative_storage_path,
                                               self.filename))