2702b745d5
Added the EditUser, EditUserEmail, EditUserPassword, EditUserGroup, EditUserGroupSuperMod and EditUserGroupAdmin permissions. Allocations are now tracked in the benchmarks. The topics template is now tracked in the benchmarks. The entire topic, topics, forum and forums routes are now benchmarked. Initial attempts to benchmark the router have begun, I'll probably have a benchmark in a later commit without the fluff so that it's easier to see it's performance impact. Improved the security on some of the moderation routes. SettingLabel is now OptionLabel for easier reuse. Moved one of the inline queries into a prepared statement. Added the initial draft for the new router. Fixed a bug where you lose all of your guest permissions when your session is invalidated.
170 lines
4.4 KiB
Go
170 lines
4.4 KiB
Go
package main
|
|
import "strings"
|
|
import "strconv"
|
|
import "net/http"
|
|
import "golang.org/x/crypto/bcrypt"
|
|
import "database/sql"
|
|
import _ "github.com/go-sql-driver/mysql"
|
|
|
|
type User struct
|
|
{
|
|
ID int
|
|
Name string
|
|
Email string
|
|
Group int
|
|
Active bool
|
|
Is_Mod bool
|
|
Is_Super_Mod bool
|
|
Is_Admin bool
|
|
Is_Super_Admin bool
|
|
Is_Banned bool
|
|
Perms Perms
|
|
Session string
|
|
Loggedin bool
|
|
Avatar string
|
|
Message string
|
|
URLPrefix string
|
|
URLName string
|
|
Tag string
|
|
}
|
|
|
|
func SetPassword(uid int, password string) (error) {
|
|
salt, err := GenerateSafeString(saltLength)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
password = password + salt
|
|
hashed_password, err := bcrypt.GenerateFromPassword([]byte(password), bcrypt.DefaultCost)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
|
|
_, err = set_password_stmt.Exec(string(hashed_password), salt, uid)
|
|
if err != nil {
|
|
return err
|
|
}
|
|
return nil
|
|
}
|
|
|
|
func SessionCheck(w http.ResponseWriter, r *http.Request) (user User, noticeList map[int]string, success bool) {
|
|
noticeList = make(map[int]string)
|
|
|
|
// Are there any session cookies..?
|
|
// Assign it to user.name to avoid having to create a temporary variable for the type conversion
|
|
cookie, err := r.Cookie("uid")
|
|
if err != nil {
|
|
user.Perms = GuestPerms
|
|
return user, noticeList, true
|
|
}
|
|
user.Name = cookie.Value
|
|
user.ID, err = strconv.Atoi(user.Name)
|
|
if err != nil {
|
|
user.Perms = GuestPerms
|
|
return user, noticeList, true
|
|
}
|
|
cookie, err = r.Cookie("session")
|
|
if err != nil {
|
|
user.Perms = GuestPerms
|
|
return user, noticeList, true
|
|
}
|
|
user.Session = cookie.Value
|
|
|
|
// Is this session valid..?
|
|
err = get_session_stmt.QueryRow(user.ID,user.Session).Scan(&user.ID, &user.Name, &user.Group, &user.Is_Super_Admin, &user.Session, &user.Avatar, &user.Message, &user.URLPrefix, &user.URLName)
|
|
if err == sql.ErrNoRows {
|
|
user.ID = 0
|
|
user.Session = ""
|
|
user.Perms = GuestPerms
|
|
return user, noticeList, true
|
|
} else if err != nil {
|
|
InternalError(err,w,r,user)
|
|
return user, noticeList, false
|
|
}
|
|
|
|
user.Is_Admin = user.Is_Super_Admin || groups[user.Group].Is_Admin
|
|
user.Is_Super_Mod = groups[user.Group].Is_Mod || user.Is_Admin
|
|
user.Is_Mod = user.Is_Super_Mod
|
|
user.Is_Banned = groups[user.Group].Is_Banned
|
|
user.Loggedin = !user.Is_Banned || user.Is_Super_Mod
|
|
if user.Is_Banned && user.Is_Super_Mod {
|
|
user.Is_Banned = false
|
|
}
|
|
|
|
if user.Is_Super_Admin {
|
|
user.Perms = AllPerms
|
|
} else {
|
|
user.Perms = groups[user.Group].Perms
|
|
}
|
|
|
|
if user.Is_Banned {
|
|
noticeList[0] = "Your account has been suspended. Some of your permissions may have been revoked."
|
|
}
|
|
|
|
if user.Avatar != "" {
|
|
if user.Avatar[0] == '.' {
|
|
user.Avatar = "/uploads/avatar_" + strconv.Itoa(user.ID) + user.Avatar
|
|
}
|
|
} else {
|
|
user.Avatar = strings.Replace(noavatar,"{id}",strconv.Itoa(user.ID),1)
|
|
}
|
|
return user, noticeList, true
|
|
}
|
|
|
|
func SimpleSessionCheck(w http.ResponseWriter, r *http.Request) (user User, success bool) {
|
|
// Are there any session cookies..?
|
|
// Assign it to user.name to avoid having to create a temporary variable for the type conversion
|
|
cookie, err := r.Cookie("uid")
|
|
if err != nil {
|
|
user.Perms = GuestPerms
|
|
return user, true
|
|
}
|
|
user.Name = cookie.Value
|
|
user.ID, err = strconv.Atoi(user.Name)
|
|
if err != nil {
|
|
user.Perms = GuestPerms
|
|
return user, true
|
|
}
|
|
cookie, err = r.Cookie("session")
|
|
if err != nil {
|
|
user.Perms = GuestPerms
|
|
return user, true
|
|
}
|
|
user.Session = cookie.Value
|
|
|
|
// Is this session valid..?
|
|
err = get_session_stmt.QueryRow(user.ID,user.Session).Scan(&user.ID, &user.Name, &user.Group, &user.Is_Super_Admin, &user.Session, &user.Avatar, &user.Message, &user.URLPrefix, &user.URLName)
|
|
if err == sql.ErrNoRows {
|
|
user.ID = 0
|
|
user.Session = ""
|
|
user.Perms = GuestPerms
|
|
return user, true
|
|
} else if err != nil {
|
|
InternalError(err,w,r,user)
|
|
return user, false
|
|
}
|
|
|
|
user.Is_Admin = user.Is_Super_Admin || groups[user.Group].Is_Admin
|
|
user.Is_Super_Mod = groups[user.Group].Is_Mod || user.Is_Admin
|
|
user.Is_Mod = user.Is_Super_Mod
|
|
user.Is_Banned = groups[user.Group].Is_Banned
|
|
user.Loggedin = !user.Is_Banned || user.Is_Super_Mod
|
|
if user.Is_Banned && user.Is_Super_Mod {
|
|
user.Is_Banned = false
|
|
}
|
|
|
|
if user.Is_Super_Admin {
|
|
user.Perms = AllPerms
|
|
} else {
|
|
user.Perms = groups[user.Group].Perms
|
|
}
|
|
|
|
if user.Avatar != "" {
|
|
if user.Avatar[0] == '.' {
|
|
user.Avatar = "/uploads/avatar_" + strconv.Itoa(user.ID) + user.Avatar
|
|
}
|
|
} else {
|
|
user.Avatar = strings.Replace(noavatar,"{id}",strconv.Itoa(user.ID),1)
|
|
}
|
|
return user, true
|
|
} |