diff --git a/asite.py b/asite.py
index 6d77d4b..d91e97b 100644
--- a/asite.py
+++ b/asite.py
@@ -172,6 +172,9 @@ def modpack(id):
 if User.get_permission_token(session["token"], "modpacks_manage") == 0:
 return redirect(request.referrer)
+
+ if User_modpack.get_user_modpackpermission(session["token"], id) == False:
+ return redirect(request.referrer)
 try:
 modpack = Modpack.get_by_id(id)
@@ -420,6 +423,9 @@ def modpackbuild(id):
 if User.get_permission_token(session["token"], "modpacks_manage") == 0:
 return redirect(request.referrer)
+
+ if User_modpack.get_user_modpackpermission(session["token"], Build.get_modpackid_by_id(id)) == False:
+ return redirect(request.referrer)
 try:
 listmod = Mod.get_all_pretty_names()
diff --git a/models/build.py b/models/build.py
index 3da9150..631a3e9 100644
--- a/models/build.py
+++ b/models/build.py
@@ -89,6 +89,19 @@ def get_modpackname_by_id(cls, id):
 flash("unable to get modpackname by id", "error")
 return None
 return (name)
+
+ @classmethod
+ def get_modpackid_by_id(cls, id):
+ conn = Database.get_connection()
+ cur = conn.cursor(dictionary=True)
+ cur.execute("SELECT modpack_id FROM builds WHERE id = %s", (id,))
+ try:
+ row = cur.fetchone()["modpack_id"]
+ conn.commit()
+ return (row)
+ except:
+ flash("unable to get modpackid by id", "error")
+ return 0
 @classmethod
 def get_by_id(cls, id):
diff --git a/models/user_modpack.py b/models/user_modpack.py
index fa25bd0..7a73959 100644
--- a/models/user_modpack.py
+++ b/models/user_modpack.py
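Review bot: The added guard in modpack(), and the matching one in modpackbuild(), answers a denied request with `redirect(request.referrer)`, which relies on a client-supplied header that can be absent or point to another site. A denial that does not depend on the Referer is easier to reason about and to log, for example `abort(403)` (assuming Flask's abort is imported in asite.py) or a redirect to a fixed route. The comparison `== False` is also better written as `if not User_modpack.get_user_modpackpermission(session["token"], id):`. Both function bodies continue outside the hunks, so whether other handlers that act on a modpack or build carry the same per-modpack check cannot be confirmed from here.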
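Review bot: In modpackbuild() the modpack id is resolved inline by `Build.get_modpackid_by_id(id)`, which returns 0 when the build row cannot be read, so a missing build and a denied build take the same path for ordinary users, while a user with solder_full passes the check for a build id that does not exist. Resolving the id first keeps the two cases apart: `modpack_id = Build.get_modpackid_by_id(id)` followed by `if not modpack_id: abort(404)` before the permission call. It would also avoid stacking the "unable to get modpackid by id" and "Permission denied to this modpack" flashes on one request. The rest of modpackbuild() is outside the hunk.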
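Review bot: The bare `except:` in get_modpackid_by_id handles a missing row (fetchone() returning None) and every other failure the same way, and the 0 it returns differs from the None that get_modpackname_by_id returns just above. Testing the row explicitly removes the need to catch anything: `row = cur.fetchone()`, `conn.commit()`, `return row["modpack_id"] if row else None`. Since the result now feeds an authorization decision in asite.py, a short docstring stating the "no such build" return value would help callers handle it deliberately. The cursor is never closed in the visible lines; whether Database.get_connection() makes that harmless is not visible here.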
@@ -48,6 +48,35 @@ def get_all_user_modpacks(id) -> list:
 return rows
 return []
+ @staticmethod
+ def get_user_modpackpermission(token: str, modpack_id) -> list:
+ conn = Database.get_connection()
+ cur = conn.cursor(dictionary=True)
+ cur.execute("SELECT user_id FROM sessions WHERE token = %s", (token,))
+ try:
+ user_id = cur.fetchone()["user_id"]
+ conn.commit()
+ except:
+ flash("unable to fetch user_id for permission check", "error")
+ return False
+ cur.execute("SELECT solder_full FROM user_permissions WHERE user_id = %s", (user_id,))
+ try:
+ row = cur.fetchone()["solder_full"]
+ conn.commit()
+ if row == 1:
+ return True
+ except:
+ flash("unable to check your admin permission", "error")
+ cur.execute("SELECT modpack_id FROM user_modpack WHERE user_id = %s AND modpack_id = %s", (user_id, modpack_id))
+ try:
+ rows = cur.fetchone()["modpack_id"]
+ conn.commit()
+ if rows == modpack_id:
+ return True
+ except:
+ flash("Permission denied to this modpack", "error")
+ return False
+
 @staticmethod
 def get_user_permission(id) -> list:
 conn = Database.get_connection()
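Review bot: The last check, `if rows == modpack_id:`, compares the database value with the caller's argument in Python, so if modpack() passes the route's `id` as a string (the route converter is not visible here) an assigned user is denied even though the query matched. The row's existence already answers the question. The three bare `except:` blocks also use the TypeError from subscripting None as the "no row" signal and would hide any other error behind the same flash, and the `-> list` annotation should be `-> bool`. The version below keeps the fail-closed result but tests each fetchone() for None; it drops the "unable to check your admin permission" flash when the user has no permissions row, which the original showed.

```python
    @staticmethod
    def get_user_modpackpermission(token: str, modpack_id) -> bool:
        # … unchanged: connection and cursor setup, sessions query …
        session_row = cur.fetchone()
        conn.commit()
        if session_row is None:
            flash("unable to fetch user_id for permission check", "error")
            return False
        user_id = session_row["user_id"]
        # … unchanged: solder_full query …
        perm_row = cur.fetchone()
        conn.commit()
        if perm_row is not None and perm_row["solder_full"] == 1:
            return True
        # … unchanged: user_modpack query …
        assigned = cur.fetchone()
        conn.commit()
        if assigned is None:
            flash("Permission denied to this modpack", "error")
            return False
        return True
```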