feat: tmp user only write, no read

3 years ago · dd3c208fe1
7 changed files with 30 additions and 6 deletions
--- a/src/api/attention.rs
+++ b/src/api/attention.rs
@ -25,7 +25,7 @@ pub async fn attention_post(
    rconn: RdsConn,
 ) -> JsonAPI {
    // 临时用户不允许手动关注
-    user.id.ok_or_else(|| NotAllowed)?;
+    user.id.ok_or_else(|| YouAreTmp)?;

    let mut p = Post::get(&db, &rconn, ai.pid).await?;
    p.check_permission(&user, "r")?;
--- a/src/api/comment.rs
+++ b/src/api/comment.rs
@ -61,9 +61,14 @@ pub async fn c2output<'r>(
                BlockedUsers::check_blocked(rconn, user.id, &user.namehash, &c.author_hash)
                    .await
                    .unwrap_or_default();
+            let can_view = !is_blocked && user.id.is_some() || user.namehash.eq(&c.author_hash);
            Some(CommentOutput {
                cid: c.id,
-                text: format!("{}{}", if c.is_tmp { "[tmp]\n" } else { "" }, c.content),
+                text: format!(
+                    "{}{}",
+                    if c.is_tmp { "[tmp]\n" } else { "" },
+                    if can_view { &c.content } else { "" }
+                ),
                author_title: c.author_title.to_string(),
                can_del: c.check_permission(user, "wd").is_ok(),
                name_id: name_id,
--- a/src/api/mod.rs
+++ b/src/api/mod.rs
@ -92,6 +92,7 @@ pub enum PolicyError {
    IsDeleted,
    NotAllowed,
    TitleUsed,
+    YouAreTmp,
 }

 #[derive(Debug)]
@ -121,6 +122,7 @@ impl<'r> Responder<'r, 'static> for APIError {
                    PolicyError::IsDeleted => "内容被删除",
                    PolicyError::NotAllowed => "不允许的操作",
                    PolicyError::TitleUsed => "头衔已被使用",
+                    PolicyError::YouAreTmp => "临时用户只可发布内容和进入单个洞"
                }
            })
            .respond_to(req),
--- a/src/api/operation.rs
+++ b/src/api/operation.rs
@ -124,6 +124,8 @@ pub struct BlockInput {

 #[post("/block", data = "<bi>")]
 pub async fn block(bi: Form<BlockInput>, user: CurrentUser, db: Db, rconn: RdsConn) -> JsonAPI {
+    user.id.ok_or_else(|| NotAllowed)?;
+
    let mut blk = BlockedUsers::init(user.id.ok_or_else(|| NotAllowed)?, &rconn);

    let nh_to_block = match bi.content_type.as_str() {
--- a/src/api/post.rs
+++ b/src/api/post.rs
@ -1,6 +1,6 @@
 use crate::api::comment::{c2output, CommentOutput};
 use crate::api::vote::get_poll_dict;
-use crate::api::{CurrentUser, JsonAPI, UGC};
+use crate::api::{CurrentUser, JsonAPI, UGC, PolicyError::*};
 use crate::db_conn::Db;
 use crate::libs::diesel_logger::LoggingConnection;
 use crate::models::*;
@ -67,9 +67,14 @@ async fn p2output(p: &Post, user: &CurrentUser, db: &Db, rconn: &RdsConn) -> Pos
    let is_blocked = BlockedUsers::check_blocked(rconn, user.id, &user.namehash, &p.author_hash)
        .await
        .unwrap_or_default();
+    let can_view = !is_blocked && user.id.is_some() || user.namehash.eq(&p.author_hash);
    PostOutput {
        pid: p.id,
-        text: format!("{}{}", if p.is_tmp { "[tmp]\n" } else { "" }, p.content),
+        text: format!(
+            "{}{}",
+            if p.is_tmp { "[tmp]\n" } else { "" },
+            if can_view { &p.content } else { "" }
+        ),
        cw: (!p.cw.is_empty()).then(|| p.cw.to_string()),
        n_attentions: p.n_attentions,
        n_comments: p.n_comments,
@ -105,7 +110,11 @@ async fn p2output(p: &Post, user: &CurrentUser, db: &Db, rconn: &RdsConn) -> Pos
        } else {
            None
        },
-        poll: get_poll_dict(p.id, rconn, &user.namehash).await,
+        poll: if can_view {
+            get_poll_dict(p.id, rconn, &user.namehash).await
+        } else {
+            None
+        },
        // for old version frontend
        timestamp: p.create_time.timestamp(),
        likenum: p.n_attentions,
@ -145,6 +154,7 @@ pub async fn get_list(
    db: Db,
    rconn: RdsConn,
 ) -> JsonAPI {
+    user.id.ok_or_else(|| YouAreTmp)?;
    let page = p.unwrap_or(1);
    let page_size = 25;
    let start = (page - 1) * page_size;
@ -205,6 +215,7 @@ pub async fn edit_cw(cwi: Form<CwInput>, user: CurrentUser, db: Db, rconn: RdsCo

 #[get("/getmulti?<pids>")]
 pub async fn get_multi(pids: Vec<i32>, user: CurrentUser, db: Db, rconn: RdsConn) -> JsonAPI {
+    user.id.ok_or_else(|| YouAreTmp)?;
    let ps = Post::get_multi(&db, &rconn, &pids).await?;
    let ps_data = ps2outputs(&ps, &user, &db, &rconn).await;

--- a/src/api/search.rs
+++ b/src/api/search.rs
@ -1,5 +1,5 @@
 use crate::api::post::ps2outputs;
-use crate::api::{CurrentUser, JsonAPI};
+use crate::api::{CurrentUser, JsonAPI, PolicyError::*};
 use crate::db_conn::Db;
 use crate::models::*;
 use crate::rds_conn::RdsConn;
@ -14,6 +14,8 @@ pub async fn search(
    db: Db,
    rconn: RdsConn,
 ) -> JsonAPI {
+    user.id.ok_or_else(|| YouAreTmp)?;
+
    let page_size = 25;
    let start = (page - 1) * page_size;

--- a/src/api/vote.rs
+++ b/src/api/vote.rs
@ -47,6 +47,8 @@ pub struct VoteInput {

 #[post("/vote", data = "<vi>")]
 pub async fn vote(vi: Form<VoteInput>, user: CurrentUser, rconn: RdsConn) -> JsonAPI {
+    user.id.ok_or_else(|| NotAllowed)?;
+
    let pid = vi.pid;
    let opts = PollOption::init(pid, &rconn).get_list().await?;
    if opts.is_empty() {