Tighten validation on group promotion create.

Azareal 2019-09-29 15:25:36 +10:00
parent 6efb7e7f28
commit a9a7501c05
1 changed files with 26 additions and 0 deletions


@ -205,6 +205,32 @@ func GroupsPromotionsCreateSubmit(w http.ResponseWriter, r *http.Request, user c
return c.LocalError("level must be integer", w, r, user) return c.LocalError("level must be integer", w, r, user)
} }
g, err := c.Groups.Get(from)
if err == sql.ErrNoRows {
return c.LocalError("No such group.",w, r, user)
} else if err != nil {
return c.InternalError(err, w, r)
}
if g.IsAdmin && !user.Perms.EditGroupAdmin {
return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_admin"), w, r, user)
}
if g.IsMod && !user.Perms.EditGroupSuperMod {
return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_supermod"), w, r, user)
}
g, err = c.Groups.Get(to)
if err == sql.ErrNoRows {
return c.LocalError("No such group.",w, r, user)
} else if err != nil {
return c.InternalError(err, w, r)
}
if g.IsAdmin && !user.Perms.EditGroupAdmin {
return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_admin"), w, r, user)
}
if g.IsMod && !user.Perms.EditGroupSuperMod {
return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_supermod"), w, r, user)
}
_, err = c.GroupPromotions.Create(from, to, twoWay, level) _, err = c.GroupPromotions.Create(from, to, twoWay, level)
if err != nil { if err != nil {
return c.InternalError(err,w,r) return c.InternalError(err,w,r)
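Review bot: The admin / super-mod authorization gate is written out twice, once after `c.Groups.Get(from)` and once after `c.Groups.Get(to)`, with the second lookup overwriting `g`. Because these are privilege checks, the two copies can drift apart on a later edit, so I would fold them into one helper called for both IDs, as sketched below. The sketch assumes `from` and `to` are ints and that the handler returns `c.RouteError`; neither is visible here, since GroupsPromotionsCreateSubmit starts and ends outside the hunk. Both lookups also return the same "No such group." text, so the admin cannot tell which ID was rejected, and `"No such group.",w` is not gofmt-clean.

```go
// checkGroup loads one end of the promotion and refuses admin / super-mod
// groups the acting user is not permitted to edit.
checkGroup := func(gid int) c.RouteError {
	g, err := c.Groups.Get(gid)
	if err == sql.ErrNoRows {
		return c.LocalError("No such group.", w, r, user)
	} else if err != nil {
		return c.InternalError(err, w, r)
	}
	if g.IsAdmin && !user.Perms.EditGroupAdmin {
		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_admin"), w, r, user)
	}
	if g.IsMod && !user.Perms.EditGroupSuperMod {
		return c.LocalError(p.GetErrorPhrase("panel_groups_cannot_edit_supermod"), w, r, user)
	}
	return nil
}
if rerr := checkGroup(from); rerr != nil {
	return rerr
}
if rerr := checkGroup(to); rerr != nil {
	return rerr
}
// … unchanged: c.GroupPromotions.Create call and its error handling …
```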