Removed ReadOnly Access for all members and all non members (#1628)
Co-authored-by: Ashish Jhanwar <[email protected]>
ashishjh-bst and ashishjh-bst authored Apr 5, 2024
1 parent 1c8f198 commit 7098ec2
Showing 7 changed files with 13 additions and 192 deletions.
2 changes: 1 addition & 1 deletion bot/admin_updater.go
Expand Up @@ -97,7 +97,7 @@ func requestCheckBotAdmins(skipRename bool, mainServer, adminRole, readOnlyRole
}
}

if readOnlyAccessRole != 0 && common.ContainsInt64Slice(member.Roles, readOnlyAccessRole) {
if readOnlyRole != 0 && common.ContainsInt64Slice(member.Roles, readOnlyRole) {
err := common.RedisPool.Do(radix.FlatCmd(nil, "SADD", tmpRedisKeyReadOnlyAccess, member.User.ID))
if err != nil {
logger.WithError(err).Error("failed adding user to read only access users")
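Review bot: The condition now reads the `readOnlyRole` parameter instead of `readOnlyAccessRole`, and since this file shows only 1 addition and 1 deletion the old identifier is not removed here, so it presumably still exists in the function or package and the two names may refer to different roles. This check decides which members land in the `tmpRedisKeyReadOnlyAccess` set that `bot.HasReadOnlyAccess` (called from `web.IsAdminRequest` in this same commit) appears to consume to grant control-panel read access, so confirm the switch is intentional, and delete `readOnlyAccessRole` if it is now dead. A comment above the check would make the authorization consequence explicit, e.g. `// Members holding readOnlyRole are granted global read-only control-panel access (consumed via bot.HasReadOnlyAccess).` `requestCheckBotAdmins` starts outside the hunk.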
3 changes: 0 additions & 3 deletions frontend/templates/cp_core_settings.html
Expand Up @@ -27,9 +27,6 @@ <h2 class="card-title">Control panel access control</h2>
control panel</p>
</div>

{{checkbox "AllowAllMembersReadOnly" "AllowAllMembersReadOnly" "Allow all members of your server read only access" .CoreConfig.AllowAllMembersReadOnly}}
{{checkbox "AllowNonMembersReadOnly" "AllowNonMembersReadOnly" "Allow users not part of your server, including users not logged in, read only access" .CoreConfig.AllowNonMembersReadOnly}}

<hr />

<div class="form-group">
10 changes: 1 addition & 9 deletions web/handlers_auth.go
Expand Up @@ -225,14 +225,6 @@ func GetUserAccessLevel(userID int64, g *common.GuildWithConnected, config *mode
return false, false
}

if config.AllowNonMembersReadOnly {
// everyone is allowed read access
hasRead = true
} else if userID != 0 && config.AllowAllMembersReadOnly {
// logged in and a member of the guild
hasRead = true
}

if len(config.AllowedWriteRoles) < 1 && len(config.AllowedReadOnlyRoles) < 1 {
// no need to check the roles, nothing set up
return
Expand All @@ -258,7 +250,7 @@ func GetUserAccessLevel(userID int64, g *common.GuildWithConnected, config *mode
return
}

// HasAccesstoGuildSettings retrusn true if the specified user (or 0 if not logged in or not on the server) has access
// HasAccesstoGuildSettings retruns true if the specified user (or 0 if not logged in or not on the server) has access
func HasAccesstoGuildSettings(userID int64, g *common.GuildWithConnected, config *models.CoreConfig, roleProvider func(guildID, userID int64) []int64, write bool) bool {
hasRead, hasWrite := GetUserAccessLevel(userID, g, config, roleProvider)
if hasWrite {
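Review bot: The corrected doc comment on `HasAccesstoGuildSettings` still misspells the verb — `retruns` should be `returns` — so the typo fix does not land; use `// HasAccesstoGuildSettings returns true if the specified user (or 0 if not logged in or not on the server) has access`. In the first hunk, dropping the two blanket-read branches means a `CoreConfig` row that still carries `AllowNonMembersReadOnly` or `AllowAllMembersReadOnly` (the model does not appear among the 7 changed files) is now silently ignored, which fails closed but deserves a one-line comment above the role check, e.g. `// Read access is granted only through AllowedReadOnlyRoles/AllowedWriteRoles; legacy blanket flags are ignored.`. The 161 deleted cases in web_test.go are not replaced by any negative test, so nothing asserts that a config with either legacy flag set now yields no access; one case per flag with `IsMember: false, ReadOnly: true, ShouldHaveAcces: false` would pin that behavior. Both `GetUserAccessLevel` and `HasAccesstoGuildSettings` extend outside the hunks.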
15 changes: 4 additions & 11 deletions web/handlers_general.go
Expand Up @@ -370,7 +370,7 @@ func HandleReconnectShard(w http.ResponseWriter, r *http.Request) (TemplateData,
return HandleStatusHTML(w, r)
}

func HandleChanenlPermissions(w http.ResponseWriter, r *http.Request) interface{} {
func HandleChannelPermissions(w http.ResponseWriter, r *http.Request) interface{} {
g := r.Context().Value(common.ContextKeyCurrentGuild).(*dstate.GuildSet)
c, _ := strconv.ParseInt(pat.Param(r, "channel"), 10, 64)
perms, err := botrest.GetChannelPermissions(g.ID, c)
Expand Down Expand Up @@ -451,10 +451,8 @@ func (p *ControlPanelPlugin) LoadServerHomeWidget(w http.ResponseWriter, r *http
const format = `<ul>
<li>Read-only roles: <code>%d</code></li>
<li>Write roles: <code>%d</code></li>
<li>All members read-only: %s</li>
<li>Allow absolutely everyone read-only access: %s</li>
</ul>`
templateData["WidgetBody"] = template.HTML(fmt.Sprintf(format, len(config.AllowedReadOnlyRoles), len(config.AllowedWriteRoles), EnabledDisabledSpanStatus(config.AllowAllMembersReadOnly), EnabledDisabledSpanStatus(config.AllowNonMembersReadOnly)))
templateData["WidgetBody"] = template.HTML(fmt.Sprintf(format, len(config.AllowedReadOnlyRoles), len(config.AllowedWriteRoles)))

return templateData, nil
}
Expand All @@ -464,10 +462,8 @@ func (p *ControlPanelPlugin) ServerHomeWidgetOrder() int {
}

type CoreConfigPostForm struct {
AllowedReadOnlyRoles []int64 `valid:"role,true"`
AllowedWriteRoles []int64 `valid:"role,true"`
AllowAllMembersReadOnly bool
AllowNonMembersReadOnly bool
AllowedReadOnlyRoles []int64 `valid:"role,true"`
AllowedWriteRoles []int64 `valid:"role,true"`
}

func HandlePostCoreSettings(w http.ResponseWriter, r *http.Request) (TemplateData, error) {
Expand All @@ -479,9 +475,6 @@ func HandlePostCoreSettings(w http.ResponseWriter, r *http.Request) (TemplateDat
GuildID: g.ID,
AllowedReadOnlyRoles: form.AllowedReadOnlyRoles,
AllowedWriteRoles: form.AllowedWriteRoles,

AllowAllMembersReadOnly: form.AllowAllMembersReadOnly,
AllowNonMembersReadOnly: form.AllowNonMembersReadOnly,
}

err := common.CoreConfigSave(r.Context(), m)
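Review bot: `HandleChannelPermissions`, renamed here and mounted on `ServerPublicAPIMux` in web.go, still discards the `strconv.ParseInt` error on the line after the signature, so a non-numeric `:channel` becomes `0` and is forwarded to `botrest.GetChannelPermissions` instead of being rejected. Since the rename already touches this function, surface the error: `c, err := strconv.ParseInt(pat.Param(r, "channel"), 10, 64)` followed by `if err != nil { return err }`, adjusted to however `APIHandler` reports errors (not visible here). The widget and `CoreConfigPostForm` edits are consistent with the removed flags. The handler body continues outside the hunk.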
12 changes: 6 additions & 6 deletions web/util.go
Expand Up @@ -187,11 +187,10 @@ func CheckErr(t TemplateData, err error, errMsg string, logger func(...interface
func IsAdminRequest(ctx context.Context, r *http.Request) (read bool, write bool) {

isReadOnlyReq := strings.EqualFold(r.Method, "GET") || strings.EqualFold(r.Method, "OPTIONS")

if v := ctx.Value(common.ContextKeyCurrentGuild); v != nil {
v := ctx.Value(common.ContextKeyCurrentGuild)
g := v.(*dstate.GuildSet)
if v != nil {
// accessing a server page
g := v.(*dstate.GuildSet)

gWithConnected := &common.GuildWithConnected{
UserGuild: &discordgo.UserGuild{
ID: g.ID,
Expand Down Expand Up @@ -232,8 +231,9 @@ func IsAdminRequest(ctx context.Context, r *http.Request) (read bool, write bool
}

if isReadOnlyReq {
// allow special read only acces for GET and OPTIONS requests, simple and works well
if hasAcces, err := bot.HasReadOnlyAccess(cast.ID); hasAcces && err == nil {
logrus.Infof("%s (%d) tried to access server %d with Global Read Only Permissions", cast.Username, cast.ID, g.ID)
// allow special read only access for GET and OPTIONS requests, simple and works well
if hasAccess, err := bot.HasReadOnlyAccess(cast.ID); hasAccess && err == nil {
return true, false
}
}
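Review bot: The hoisted `g := v.(*dstate.GuildSet)` now executes before the `if v != nil` check, so on a request with no current guild in the context — exactly the case that check exists for — the single-value type assertion on a nil interface panics instead of skipping the server-page branch. Use the two-value form and test the result: `g, _ := v.(*dstate.GuildSet)` then `if g != nil {`. The added `logrus.Infof` in the second hunk fires for every GET/OPTIONS request that reaches it, before `bot.HasReadOnlyAccess` has returned anything, so the message "tried to access server ... with Global Read Only Permissions" is logged for users who have no such access; move it inside the `if hasAccess, err := ...` block, and note that if this block sits outside the `if v != nil` branch (which the hoisting of `g` suggests) `g.ID` is a nil-pointer dereference on non-server pages. `IsAdminRequest` continues outside the hunks.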
2 changes: 1 addition & 1 deletion web/web.go
Original file line number Diff line number Diff line change
Expand Up @@ -292,7 +292,7 @@ func setupRoutes() *goji.Mux {
RootMux.Handle(pat.Get("/api/:server"), ServerPublicAPIMux)
RootMux.Handle(pat.Get("/api/:server/*"), ServerPublicAPIMux)

ServerPublicAPIMux.Handle(pat.Get("/channelperms/:channel"), RequireActiveServer(APIHandler(HandleChanenlPermissions)))
ServerPublicAPIMux.Handle(pat.Get("/channelperms/:channel"), RequireActiveServer(APIHandler(HandleChannelPermissions)))

// Server selection has its own handler
RootMux.Handle(pat.Get("/manage"), SelectServerHomePageHandler)
161 changes: 0 additions & 161 deletions web/web_test.go
Expand Up @@ -134,167 +134,6 @@ func TestHasAccesstoGuildSettings(t *testing.T) {

ShouldHaveAcces: true,
},

////////////////////////////////////
// AllowNonMembersROAccess tests
////////////////////////////////////

// all users ro - normal user access
{
Name: "all users ro-normal user access (ro)",
Conf: &models.CoreConfig{
AllowNonMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: false,
ReadOnly: true,

ShouldHaveAcces: true,
},
{
Name: "all users ro-normal user access",
Conf: &models.CoreConfig{
AllowNonMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: false,
ReadOnly: false,

ShouldHaveAcces: false,
},
// all users ro - member access
{
Name: "all users ro-member access (ro)",
Conf: &models.CoreConfig{
AllowNonMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: true,
ReadOnly: true,

ShouldHaveAcces: true,
},
{
Name: "all users ro-member access",
Conf: &models.CoreConfig{
AllowNonMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: true,
ReadOnly: false,

ShouldHaveAcces: false,
},
// all users ro - admin access
{
Name: "all users ro-admin access (ro)",
Conf: &models.CoreConfig{
AllowNonMembersReadOnly: true,
},
GWC: createUserGuild(true, false, true),
Roles: nil,
IsMember: true,
ReadOnly: true,

ShouldHaveAcces: true,
},
{
Name: "all users ro-admin access",
Conf: &models.CoreConfig{
AllowNonMembersReadOnly: true,
},
GWC: createUserGuild(true, false, true),
Roles: nil,
IsMember: true,
ReadOnly: false,

ShouldHaveAcces: true,
},

////////////////////////////////////
// AllMembersRO tests
////////////////////////////////////

// all members ro - normal user access
{
Name: "all members ro-normal user access (ro)",
Conf: &models.CoreConfig{
AllowAllMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: false,
ReadOnly: true,

ShouldHaveAcces: false,
},
{
Name: "all members ro-normal user access",
Conf: &models.CoreConfig{
AllowAllMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: false,
ReadOnly: false,

ShouldHaveAcces: false,
},
// all members ro - member access
{
Name: "all members ro-member access (ro)",
Conf: &models.CoreConfig{
AllowAllMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: true,
ReadOnly: true,

ShouldHaveAcces: true,
},
{
Name: "all members ro-member access",
Conf: &models.CoreConfig{
AllowAllMembersReadOnly: true,
},
GWC: createUserGuild(true, false, false),
Roles: nil,
IsMember: true,
ReadOnly: false,

ShouldHaveAcces: false,
},
// all members ro - admin access
{
Name: "all members ro-admin access (ro)",
Conf: &models.CoreConfig{
AllowAllMembersReadOnly: true,
},
GWC: createUserGuild(true, false, true),
Roles: nil,
IsMember: true,
ReadOnly: true,

ShouldHaveAcces: true,
},
{
Name: "all members ro-admin access",
Conf: &models.CoreConfig{
AllowAllMembersReadOnly: true,
},
GWC: createUserGuild(true, false, true),
Roles: nil,
IsMember: true,
ReadOnly: false,

ShouldHaveAcces: true,
},

////////////////////////////////////
// Read only roles
////////////////////////////////////
