From dd3c208fe1083d8b173c0cdf36efd19b081e6d00 Mon Sep 17 00:00:00 2001 From: hole-thu Date: Sun, 27 Mar 2022 23:52:59 +0800 Subject: [PATCH] feat: tmp user only write, no read --- src/api/attention.rs | 2 +- src/api/comment.rs | 7 ++++++- src/api/mod.rs | 2 ++ src/api/operation.rs | 2 ++ src/api/post.rs | 17 ++++++++++++++--- src/api/search.rs | 4 +++- src/api/vote.rs | 2 ++ 7 files changed, 30 insertions(+), 6 deletions(-) diff --git a/src/api/attention.rs b/src/api/attention.rs index 251d434..5fc8cfb 100644 --- a/src/api/attention.rs +++ b/src/api/attention.rs @@ -25,7 +25,7 @@ pub async fn attention_post( rconn: RdsConn, ) -> JsonAPI { // 临时用户不允许手动关注 - user.id.ok_or_else(|| NotAllowed)?; + user.id.ok_or_else(|| YouAreTmp)?; let mut p = Post::get(&db, &rconn, ai.pid).await?; p.check_permission(&user, "r")?; diff --git a/src/api/comment.rs b/src/api/comment.rs index a7531ae..cbdabd2 100644 --- a/src/api/comment.rs +++ b/src/api/comment.rs @@ -61,9 +61,14 @@ pub async fn c2output<'r>( BlockedUsers::check_blocked(rconn, user.id, &user.namehash, &c.author_hash) .await .unwrap_or_default(); + let can_view = !is_blocked && user.id.is_some() || user.namehash.eq(&c.author_hash); Some(CommentOutput { cid: c.id, - text: format!("{}{}", if c.is_tmp { "[tmp]\n" } else { "" }, c.content), + text: format!( + "{}{}", + if c.is_tmp { "[tmp]\n" } else { "" }, + if can_view { &c.content } else { "" } + ), author_title: c.author_title.to_string(), can_del: c.check_permission(user, "wd").is_ok(), name_id: name_id, diff --git a/src/api/mod.rs b/src/api/mod.rs index 81a1bcf..5aa704a 100644 --- a/src/api/mod.rs +++ b/src/api/mod.rs @@ -92,6 +92,7 @@ pub enum PolicyError { IsDeleted, NotAllowed, TitleUsed, + YouAreTmp, } #[derive(Debug)] @@ -121,6 +122,7 @@ impl<'r> Responder<'r, 'static> for APIError { PolicyError::IsDeleted => "内容被删除", PolicyError::NotAllowed => "不允许的操作", PolicyError::TitleUsed => "头衔已被使用", + PolicyError::YouAreTmp => "临时用户只可发布内容和进入单个洞" } }) .respond_to(req), 
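Review bot: `user.id.ok_or_else(|| YouAreTmp)?` wraps a unit variant in a closure for no gain; the idiomatic form is `user.id.ok_or(YouAreTmp)?;` (clippy's unnecessary_lazy_evaluations flags this). The same closure form is introduced by this commit in operation.rs block, post.rs get_list and get_multi, search.rs search and vote.rs vote. attention_post's signature starts and its body continues outside the hunk.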
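Review bot: The new `can_view` mixes `&&` and `||` without parentheses, so it reads as `(!is_blocked && user.id.is_some()) || user.namehash.eq(&c.author_hash)`; write that grouping explicitly, `let can_view = (!is_blocked && user.id.is_some()) || user.namehash == c.author_hash;`, so that the author exemption overriding the block check is visibly intentional. Because `!is_blocked` is folded into the same flag, this hunk also blanks the text of comments from blocked authors for every registered user, which goes beyond the commit's stated scope of tmp users — confirm that is wanted. Emptying `text` in the output struct is a presentation-layer check; whether any other route serializes a `Comment` without going through c2output cannot be seen from this hunk. The same expression is added in post.rs p2output.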
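Review bot: The new match arm `PolicyError::YouAreTmp => "临时用户只可发布内容和进入单个洞"` lacks the trailing comma the preceding arms carry; rustfmt will add it, so commit it as `PolicyError::YouAreTmp => "临时用户只可发布内容和进入单个洞",`. The enclosing `impl Responder for APIError` starts and ends outside the hunk.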
diff --git a/src/api/operation.rs b/src/api/operation.rs index 183c191..8db9281 100644 --- a/src/api/operation.rs +++ b/src/api/operation.rs @@ -124,6 +124,8 @@ pub struct BlockInput { #[post("/block", data = "")] pub async fn block(bi: Form, user: CurrentUser, db: Db, rconn: RdsConn) -> JsonAPI { + user.id.ok_or_else(|| NotAllowed)?; + let mut blk = BlockedUsers::init(user.id.ok_or_else(|| NotAllowed)?, &rconn); let nh_to_block = match bi.content_type.as_str() { diff --git a/src/api/post.rs b/src/api/post.rs index 6252a25..a64a963 100644 --- a/src/api/post.rs +++ b/src/api/post.rs @@ -1,6 +1,6 @@ use crate::api::comment::{c2output, CommentOutput}; use crate::api::vote::get_poll_dict; -use crate::api::{CurrentUser, JsonAPI, UGC}; +use crate::api::{CurrentUser, JsonAPI, UGC, PolicyError::*}; use crate::db_conn::Db; use crate::libs::diesel_logger::LoggingConnection; use crate::models::*; @@ -67,9 +67,14 @@ async fn p2output(p: &Post, user: &CurrentUser, db: &Db, rconn: &RdsConn) -> Pos let is_blocked = BlockedUsers::check_blocked(rconn, user.id, &user.namehash, &p.author_hash) .await .unwrap_or_default(); + let can_view = !is_blocked && user.id.is_some() || user.namehash.eq(&p.author_hash); PostOutput { pid: p.id, - text: format!("{}{}", if p.is_tmp { "[tmp]\n" } else { "" }, p.content), + text: format!( + "{}{}", + if p.is_tmp { "[tmp]\n" } else { "" }, + if can_view { &p.content } else { "" } + ), cw: (!p.cw.is_empty()).then(|| p.cw.to_string()), n_attentions: p.n_attentions, n_comments: p.n_comments, @@ -105,7 +110,11 @@ async fn p2output(p: &Post, user: &CurrentUser, db: &Db, rconn: &RdsConn) -> Pos } else { None }, - poll: get_poll_dict(p.id, rconn, &user.namehash).await, + poll: if can_view { + get_poll_dict(p.id, rconn, &user.namehash).await + } else { + None + }, // for old version frontend timestamp: p.create_time.timestamp(), likenum: p.n_attentions, 
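Review bot: The added `user.id.ok_or_else(|| NotAllowed)?;` in block is redundant: the very next line, `BlockedUsers::init(user.id.ok_or_else(|| NotAllowed)?, &rconn)`, already performs the identical check with the identical error, so the new guard changes nothing and can be dropped. If the intent is to give tmp users the dedicated message introduced in this commit, the guard should return `YouAreTmp` instead (it resolves here if `PolicyError::*` is glob-imported, as the bare `NotAllowed` suggests); the same inconsistency applies to the guard added in vote.rs vote, while attention.rs, post.rs and search.rs use `YouAreTmp`. block's body continues outside the hunk.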
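Review bot: `can_view` gates only `text` (and `poll` in the following hunk); `cw` is still emitted via `(!p.cw.is_empty()).then(|| p.cw.to_string())`, and it is author-written text, so a blocked or tmp viewer still receives it together with the `[tmp]\n` marker and the counters. If the intent is that such viewers see no content, gate it the same way, `cw: (can_view && !p.cw.is_empty()).then(|| p.cw.to_string()),`. Note also that the new error message says tmp users may still enter a single hole, yet `can_view` requires `user.id.is_some()`, so a tmp user opening a post they did not author gets an empty `text` — confirm that is the intended experience. p2output starts before and continues after the hunk.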
@@ -145,6 +154,7 @@ pub async fn get_list( db: Db, rconn: RdsConn, ) -> JsonAPI { + user.id.ok_or_else(|| YouAreTmp)?; let page = p.unwrap_or(1); let page_size = 25; let start = (page - 1) * page_size; @@ -205,6 +215,7 @@ pub async fn edit_cw(cwi: Form, user: CurrentUser, db: Db, rconn: RdsCo #[get("/getmulti?")] pub async fn get_multi(pids: Vec, user: CurrentUser, db: Db, rconn: RdsConn) -> JsonAPI { + user.id.ok_or_else(|| YouAreTmp)?; let ps = Post::get_multi(&db, &rconn, &pids).await?; let ps_data = ps2outputs(&ps, &user, &db, &rconn).await; diff --git a/src/api/search.rs b/src/api/search.rs index e5bf73b..361558f 100644 --- a/src/api/search.rs +++ b/src/api/search.rs @@ -1,5 +1,5 @@ use crate::api::post::ps2outputs; -use crate::api::{CurrentUser, JsonAPI}; +use crate::api::{CurrentUser, JsonAPI, PolicyError::*}; use crate::db_conn::Db; use crate::models::*; use crate::rds_conn::RdsConn; @@ -14,6 +14,8 @@ pub async fn search( db: Db, rconn: RdsConn, ) -> JsonAPI { + user.id.ok_or_else(|| YouAreTmp)?; + let page_size = 25; let start = (page - 1) * page_size; diff --git a/src/api/vote.rs b/src/api/vote.rs index fb42944..8a39ca0 100644 --- a/src/api/vote.rs +++ b/src/api/vote.rs @@ -47,6 +47,8 @@ pub struct VoteInput { #[post("/vote", data = "")] pub async fn vote(vi: Form, user: CurrentUser, rconn: RdsConn) -> JsonAPI { + user.id.ok_or_else(|| NotAllowed)?; + let pid = vi.pid; let opts = PollOption::init(pid, &rconn).get_list().await?; if opts.is_empty() {