From d897e05256e919305d5db286939c149303a4d943 Mon Sep 17 00:00:00 2001 From: Azareal Date: Fri, 1 Jun 2018 15:02:29 +1000 Subject: [PATCH] Users can no longer post or edit posts in locked topics. Permissions should cascade properly now in the topic template, should have no actual effects on security given the particular nature of this one. Tiny bit of work on Nox. Began work on trimming down the page structs to only the necessary parts. --- common/pages.go | 35 +++++++++++++---------------------- common/routes_common.go | 3 ++- common/template_init.go | 9 ++++++--- routes/account.go | 10 ++++++---- routes/forum_list.go | 3 ++- routes/moderate.go | 4 +++- routes/profile.go | 5 +++-- routes/reply.go | 6 ++++++ routes/topic.go | 21 +++++++++++---------- templates/topic.html | 9 +++++++++ templates/topic_alt.html | 9 +++++++++ themes/nox/public/main.css | 5 +++-- 12 files changed, 73 insertions(+), 46 deletions(-) diff --git a/common/pages.go b/common/pages.go index f370ee28..63f1f4d8 100644 --- a/common/pages.go +++ b/common/pages.go @@ -21,6 +21,7 @@ type Header struct { Themes map[string]*Theme // TODO: Use a slice containing every theme instead of the main map for speed? Theme *Theme //TemplateName string // TODO: Use this to move template calls to the router rather than duplicating them over and over and over? + // TODO: Use a pointer here CurrentUser User // TODO: Deprecate CurrentUser on the page structs Zone string MetaDesc string 
@@ -98,42 +99,32 @@ type ForumPage struct { } type ForumsPage struct { - Title string - CurrentUser User - Header *Header - ItemList []Forum + *Header + ItemList []Forum } type ProfilePage struct { - Title string - CurrentUser User - Header *Header + *Header ItemList []ReplyUser ProfileOwner User } type CreateTopicPage struct { - Title string - CurrentUser User - Header *Header - ItemList []Forum - FID int + *Header + ItemList []Forum + FID int } type IPSearchPage struct { - Title string - CurrentUser User - Header *Header - ItemList map[int]*User - IP string + *Header + ItemList map[int]*User + IP string } type EmailListPage struct { - Title string - CurrentUser User - Header *Header - ItemList []Email - Something interface{} + *Header + ItemList []Email + Something interface{} } type PanelStats struct { diff --git a/common/routes_common.go b/common/routes_common.go index e65942bd..eb456e4d 100644 --- a/common/routes_common.go +++ b/common/routes_common.go @@ -68,6 +68,7 @@ func forumUserCheck(w http.ResponseWriter, r *http.Request, user *User, fid int) return header, InternalError(err, w, r) } cascadeForumPerms(fperms, user) + header.CurrentUser = *user // TODO: Use a pointer instead for CurrentUser, so we don't have to do this return header, rerr } @@ -196,7 +197,7 @@ func userCheck(w http.ResponseWriter, r *http.Request, user *User) (header *Head Settings: SettingBox.Load().(SettingMap), Themes: Themes, Theme: theme, - CurrentUser: *user, + CurrentUser: *user, // ! Some things rely on this being a pointer downstream from this function Zone: "frontend", Writer: w, } diff --git a/common/template_init.go b/common/template_init.go index cc55e41c..a233a1a0 100644 --- a/common/template_init.go +++ b/common/template_init.go 
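Review bot: The page structs in this hunk now embed `*Header` without a field name, and every caller in this commit builds them with positional literals such as `ForumsPage{header, forumList}`. Unkeyed literals of a struct from another package are flagged by `go vet` and depend on field order; a keyed form like `common.ForumsPage{Header: header, ItemList: forumList}` states the intent and survives later field changes. Embedding also promotes every `Header` field into the page's template namespace, so a short comment on each struct saying that `Title` and `CurrentUser` now come from the embedded header would help template authors.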
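Review bot: `header.CurrentUser = *user` in forumUserCheck copies the user by value once, right after `cascadeForumPerms`, and because the page structs no longer carry their own `CurrentUser`, templates render from that snapshot. Before this commit the page literal copied `user` when it was built, which in CreateTopic (routes/topic.go) happens after `RunVhook("topic_create_pre_loop", ..., &user, ...)`; any change a hook makes to `user` there would now not reach the template. If hooks are expected to adjust permissions, re-sync `header.CurrentUser` just before rendering or make the field a pointer as the TODO says. The comment added in userCheck, `// ! Some things rely on this being a pointer downstream from this function`, sits next to a value copy and should name what relies on it. Both function bodies continue outside their hunks.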
@@ -187,7 +187,8 @@ func CompileTemplates() error { } varList = make(map[string]tmpl.VarItem) - ppage := ProfilePage{"User 526", user, header, replyList, user} + header.Title = "User 526" + ppage := ProfilePage{header, replyList, user} profileTmpl, err := c.Compile("profile.html", "templates/", "common.ProfilePage", ppage, varList) if err != nil { return err @@ -204,7 +205,8 @@ func CompileTemplates() error { forumList = append(forumList, *forum) } varList = make(map[string]tmpl.VarItem) - forumsPage := ForumsPage{"Forum List", user, header, forumList} + header.Title = "Forum List" + forumsPage := ForumsPage{header, forumList} forumsTmpl, err := c.Compile("forums.html", "templates/", "common.ForumsPage", forumsPage, varList) if err != nil { return err @@ -247,7 +249,8 @@ func CompileTemplates() error { var ipUserList = make(map[int]*User) ipUserList[1] = &user2 - ipSearchPage := IPSearchPage{"IP Search", user2, header, ipUserList, "::1"} + header.Title = "IP Search" + ipSearchPage := IPSearchPage{header2, ipUserList, "::1"} ipSearchTmpl, err := c.Compile("ip_search.html", "templates/", "common.IPSearchPage", ipSearchPage, varList) if err != nil { return err diff --git a/routes/account.go b/routes/account.go index d3dafc01..23b48a29 100644 --- a/routes/account.go +++ b/routes/account.go @@ -417,10 +417,12 @@ func AccountEditUsernameSubmit(w http.ResponseWriter, r *http.Request, user comm } func AccountEditEmail(w http.ResponseWriter, r *http.Request, user common.User) common.RouteError { - headerVars, ferr := common.UserCheck(w, r, &user) + header, ferr := common.UserCheck(w, r, &user) if ferr != nil { return ferr } + // TODO: Add a phrase for this + header.Title = "Email Manager" emails, err := common.Emails.GetEmailsByUser(&user) if err != nil { 
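Review bot: In the third hunk of common/template_init.go the title is set on `header` but the page is built from `header2`: `header.Title = "IP Search"` is followed by `IPSearchPage{header2, ipUserList, "::1"}`. Unless `header2` already gets a title in code outside the hunk, the sample IP-search page is compiled without the intended title, and the `header` shared with the profile and forum-list samples is overwritten instead. The assignment should probably read `header2.Title = "IP Search"`. All three hunks also mutate one shared `*Header`, so each sample page only carries the right title until the next assignment; a one-line comment saying so would prevent surprises if the compile calls are ever reordered.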
@@ -438,13 +440,13 @@ func AccountEditEmail(w http.ResponseWriter, r *http.Request, user common.User) } if !common.Site.EnableEmails { - headerVars.NoticeList = append(headerVars.NoticeList, common.GetNoticePhrase("account_mail_disabled")) + header.NoticeList = append(header.NoticeList, common.GetNoticePhrase("account_mail_disabled")) } if r.FormValue("verified") == "1" { - headerVars.NoticeList = append(headerVars.NoticeList, common.GetNoticePhrase("account_mail_verify_success")) + header.NoticeList = append(header.NoticeList, common.GetNoticePhrase("account_mail_verify_success")) } - pi := common.EmailListPage{"Email Manager", user, headerVars, emails, nil} + pi := common.EmailListPage{header, emails, nil} if common.RunPreRenderHook("pre_render_account_own_edit_email", w, r, &user, &pi) { return nil } diff --git a/routes/forum_list.go b/routes/forum_list.go index 8b33f2fe..4970c3d2 100644 --- a/routes/forum_list.go +++ b/routes/forum_list.go @@ -12,6 +12,7 @@ func ForumList(w http.ResponseWriter, r *http.Request, user common.User) common. if ferr != nil { return ferr } + header.Title = common.GetTitlePhrase("forums") header.Zone = "forums" header.MetaDesc = header.Settings["meta_desc"].(string) @@ -50,7 +51,7 @@ func ForumList(w http.ResponseWriter, r *http.Request, user common.User) common. } } - pi := common.ForumsPage{common.GetTitlePhrase("forums"), user, header, forumList} + pi := common.ForumsPage{header, forumList} if common.RunPreRenderHook("pre_render_forum_list", w, r, &user, &pi) { return nil } diff --git a/routes/moderate.go b/routes/moderate.go index 913f6b8a..d13eee78 100644 --- a/routes/moderate.go +++ b/routes/moderate.go 
@@ -11,6 +11,8 @@ func IPSearch(w http.ResponseWriter, r *http.Request, user common.User) common.R if ferr != nil { return ferr } + header.Title = common.GetTitlePhrase("ip_search") + // TODO: How should we handle the permissions if we extend this into an alt detector of sorts? if !user.Perms.ViewIPs { return common.NoPermissions(w, r, user) @@ -29,7 +31,7 @@ func IPSearch(w http.ResponseWriter, r *http.Request, user common.User) common.R return common.InternalError(err, w, r) } - pi := common.IPSearchPage{common.GetTitlePhrase("ip_search"), user, header, userList, ip} + pi := common.IPSearchPage{header, userList, ip} if common.RunPreRenderHook("pre_render_ip_search", w, r, &user, &pi) { return nil } diff --git a/routes/profile.go b/routes/profile.go index 04d9f80f..a26d70a7 100644 --- a/routes/profile.go +++ b/routes/profile.go @@ -66,6 +66,8 @@ func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User) commo return common.InternalError(err, w, r) } } + // TODO: Add a phrase for this title + header.Title = puser.Name + "'s Profile" // Get the replies.. rows, err := profileStmts.getReplies.Query(puser.ID) @@ -114,8 +116,7 @@ func ViewProfile(w http.ResponseWriter, r *http.Request, user common.User) commo return common.InternalError(err, w, r) } - // TODO: Add a phrase for this title - ppage := common.ProfilePage{puser.Name + "'s Profile", user, header, replyList, *puser} + ppage := common.ProfilePage{header, replyList, *puser} if common.RunPreRenderHook("pre_render_profile", w, r, &user, &ppage) { return nil } diff --git a/routes/reply.go b/routes/reply.go index e3c41343..14d277d0 100644 --- a/routes/reply.go +++ b/routes/reply.go 
@@ -38,6 +38,9 @@ func CreateReplySubmit(w http.ResponseWriter, r *http.Request, user common.User) if !user.Perms.ViewTopic || !user.Perms.CreateReply { return common.NoPermissions(w, r, user) } + if topic.IsClosed && !user.Perms.CloseTopic { + return common.NoPermissions(w, r, user) + } // Handle the file attachments // TODO: Stop duplicating this code @@ -218,6 +221,9 @@ func ReplyEditSubmit(w http.ResponseWriter, r *http.Request, user common.User, s if !user.Perms.ViewTopic || !user.Perms.EditReply { return common.NoPermissionsJSQ(w, r, user, isJs) } + if topic.IsClosed && !user.Perms.CloseTopic { + return common.NoPermissionsJSQ(w, r, user, isJs) + } err = reply.SetPost(r.PostFormValue("edit_item")) if err == sql.ErrNoRows { diff --git a/routes/topic.go b/routes/topic.go index f77a27a7..4b8a9c6c 100644 --- a/routes/topic.go +++ b/routes/topic.go @@ -78,11 +78,6 @@ func ViewTopic(w http.ResponseWriter, r *http.Request, user common.User, urlBit topic.ContentHTML = common.ParseMessage(topic.Content, topic.ParentID, "forums") topic.ContentLines = strings.Count(topic.Content, "\n") - // We don't want users posting in locked topics... - if topic.IsClosed && !user.IsMod { - user.Perms.CreateReply = false - } - postGroup, err := common.Groups.Get(topic.Group) if err != nil { return common.InternalError(err, w, r) @@ -238,6 +233,7 @@ func ViewTopic(w http.ResponseWriter, r *http.Request, user common.User, urlBit // ? - Should we allow banned users to make reports? How should we handle report abuse? // TODO: Add a permission to stop certain users from using custom avatars // ? - Log username changes and put restrictions on this? +// TODO: Test this func CreateTopic(w http.ResponseWriter, r *http.Request, user common.User, sfid string) common.RouteError { var fid int var err error 
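Review bot: The lock guard `topic.IsClosed && !user.Perms.CloseTopic` is written out separately in CreateReplySubmit and ReplyEditSubmit here and again in EditTopicSubmit in routes/topic.go, so any other write route has to remember to copy it. One small helper that takes the topic and the user, called from all three handlers, would keep the rule in one place and give it a single spot for documentation. The exemption also changed: the block removed from ViewTopic bypassed the lock for `user.IsMod`, while these checks use `Perms.CloseTopic`, so a moderator group without that permission (if one exists) can no longer reply in locked topics. A comment such as `// Locked topics are read-only unless the user is allowed to lock/unlock them` would record that this is intended. Whether `topic` in ReplyEditSubmit is the edited reply's parent topic cannot be confirmed, because the handler bodies start outside these hunks.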
@@ -251,19 +247,21 @@ func CreateTopic(w http.ResponseWriter, r *http.Request, user common.User, sfid fid = common.Config.DefaultForum } - headerVars, ferr := common.ForumUserCheck(w, r, &user, fid) + header, ferr := common.ForumUserCheck(w, r, &user, fid) if ferr != nil { return ferr } if !user.Perms.ViewTopic || !user.Perms.CreateTopic { return common.NoPermissions(w, r, user) } - headerVars.Zone = "create_topic" + // TODO: Add a phrase for this + header.Title = "Create Topic" + header.Zone = "create_topic" // Lock this to the forum being linked? // Should we always put it in strictmode when it's linked from another forum? Well, the user might end up changing their mind on what forum they want to post in and it would be a hassle, if they had to switch pages, even if it is a single click for many (exc. mobile) var strictmode bool - common.RunVhook("topic_create_pre_loop", w, r, fid, &headerVars, &user, &strictmode) + common.RunVhook("topic_create_pre_loop", w, r, fid, &header, &user, &strictmode) // TODO: Re-add support for plugin_guilds var forumList []common.Forum @@ -306,12 +304,12 @@ func CreateTopic(w http.ResponseWriter, r *http.Request, user common.User, sfid } } - ctpage := common.CreateTopicPage{"Create Topic", user, headerVars, forumList, fid} + ctpage := common.CreateTopicPage{header, forumList, fid} if common.RunPreRenderHook("pre_render_create_topic", w, r, &user, &ctpage) { return nil } - err = common.RunThemeTemplate(headerVars.Theme.Name, "create_topic", ctpage, w) + err = common.RunThemeTemplate(header.Theme.Name, "create_topic", ctpage, w) if err != nil { return common.InternalError(err, w, r) } 
@@ -511,6 +509,9 @@ func EditTopicSubmit(w http.ResponseWriter, r *http.Request, user common.User, s if !user.Perms.ViewTopic || !user.Perms.EditTopic { return common.NoPermissionsJSQ(w, r, user, isJs) } + if topic.IsClosed && !user.Perms.CloseTopic { + return common.NoPermissionsJSQ(w, r, user, isJs) + } err = topic.Update(r.PostFormValue("topic_name"), r.PostFormValue("topic_content")) // TODO: Avoid duplicating this across this route and the topic creation route diff --git a/templates/topic.html b/templates/topic.html index 440f136d..a36c8afe 100644 --- a/templates/topic.html +++ b/templates/topic.html @@ -15,10 +15,13 @@

{{.Topic.Title}}

{{if .Topic.IsClosed}}🔒︎{{end}} + {{/** TODO: Does this need to be guarded by a permission? It's only visible in edit mode anyway, which can't be triggered, if they don't have the permission **/}} + {{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}} {{if .CurrentUser.Perms.EditTopic}} {{end}} + {{end}}
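Review bot: The new guard `{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}` relies on `not` binding tighter than `or`, which is a property of the project's own template compiler (the one invoked through `c.Compile` in common/template_init.go) and is not visible in this diff. In Go's standard text/template, `not` and `or` are prefix functions, so this infix form would not mean "(not closed) or can close" there. If the compiler instead reads it as "not (closed or can close)", the edit and reply controls would disappear for users holding CloseTopic, so a compile-time sample with a closed topic would be a useful check. The same expression is repeated in the later hunks of this file and throughout templates/topic_alt.html. These blocks only hide controls; a comment like `{{/** UI only: the lock is enforced in the reply and topic submit routes **/}}` would also answer the TODO added above the title editor.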
{{if .Poll.ID}} @@ -58,7 +61,9 @@ {{if .CurrentUser.Perms.LikeItem}} {{end}} + {{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}} {{if .CurrentUser.Perms.EditTopic}}{{end}} + {{end}} {{if .CurrentUser.Perms.DeleteTopic}}{{end}} @@ -91,7 +96,9 @@    {{if $.CurrentUser.Perms.LikeItem}}{{if .Liked}}{{else}}{{end}}{{end}} + {{if not $.Topic.IsClosed or $.CurrentUser.Perms.CloseTopic}} {{if $.CurrentUser.Perms.EditReply}}{{end}} + {{end}} {{if $.CurrentUser.Perms.DeleteReply}}{{end}} {{if $.CurrentUser.Perms.ViewIPs}}{{end}} @@ -106,6 +113,7 @@ {{end}}{{end}} {{if .CurrentUser.Perms.CreateReply}} +{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
@@ -136,6 +144,7 @@
{{end}} +{{end}} diff --git a/templates/topic_alt.html b/templates/topic_alt.html index 71333f2f..66cf102d 100644 --- a/templates/topic_alt.html +++ b/templates/topic_alt.html @@ -14,10 +14,13 @@

{{.Topic.Title}}

{{/** TODO: Inline this CSS **/}} {{if .Topic.IsClosed}}🔒︎{{end}} + {{/** TODO: Does this need to be guarded by a permission? It's only visible in edit mode anyway, which can't be triggered, if they don't have the permission **/}} + {{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}} {{if .CurrentUser.Perms.EditTopic}} {{end}} + {{end}} @@ -66,7 +69,9 @@
{{if .CurrentUser.Loggedin}} {{if .CurrentUser.Perms.LikeItem}}{{end}} + {{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}} {{if .CurrentUser.Perms.EditTopic}}{{end}} + {{end}} {{if .CurrentUser.Perms.DeleteTopic}}{{end}} {{if .CurrentUser.Perms.CloseTopic}} {{if .Topic.IsClosed}}{{else}}{{end}}{{end}} @@ -102,7 +107,9 @@
{{if $.CurrentUser.Loggedin}} {{if $.CurrentUser.Perms.LikeItem}}{{end}} + {{if not $.Topic.IsClosed or $.CurrentUser.Perms.CloseTopic}} {{if $.CurrentUser.Perms.EditReply}}{{end}} + {{end}} {{if $.CurrentUser.Perms.DeleteReply}}{{end}} {{if $.CurrentUser.Perms.ViewIPs}}{{end}} @@ -121,6 +128,7 @@ {{end}}
{{if .CurrentUser.Perms.CreateReply}} +{{if not .Topic.IsClosed or .CurrentUser.Perms.CloseTopic}}
 
@@ -158,6 +166,7 @@
{{end}} +{{end}} diff --git a/themes/nox/public/main.css b/themes/nox/public/main.css index 6073ca15..e39f46c5 100644 --- a/themes/nox/public/main.css +++ b/themes/nox/public/main.css @@ -222,8 +222,9 @@ h1, h3 { } .pageitem { - background-color: #444444; - padding: 6px; + font-size: 17px; + background-color: #444444; + padding: 7px; margin-right: 6px; }