From 7098ec276c51feb3c0cb19a907509cf8f35982c7 Mon Sep 17 00:00:00 2001
From: Ashish <51633862+ashishjh-bst@users.noreply.github.com>
Date: Fri, 5 Apr 2024 19:52:22 +0530
Subject: [PATCH] Removed ReadOnly Access for all members and all non members (#1628)

Co-authored-by: Ashish Jhanwar
---
 bot/admin_updater.go | 2 +-
 frontend/templates/cp_core_settings.html | 3 -
 web/handlers_auth.go | 10 +-
 web/handlers_general.go | 15 +--
 web/util.go | 12 +-
 web/web.go | 2 +-
 web/web_test.go | 161 -----------------------
 7 files changed, 13 insertions(+), 192 deletions(-)

diff --git a/bot/admin_updater.go b/bot/admin_updater.go
index 7911ae317b..f0fadf5f2f 100644
--- a/bot/admin_updater.go
+++ b/bot/admin_updater.go
@@ -97,7 +97,7 @@ func requestCheckBotAdmins(skipRename bool, mainServer, adminRole, readOnlyRole
 }
 }
 
- if readOnlyAccessRole != 0 && common.ContainsInt64Slice(member.Roles, readOnlyAccessRole) {
+ if readOnlyRole != 0 && common.ContainsInt64Slice(member.Roles, readOnlyRole) {
 err := common.RedisPool.Do(radix.FlatCmd(nil, "SADD", tmpRedisKeyReadOnlyAccess, member.User.ID))
 if err != nil {
 logger.WithError(err).Error("failed adding user to read only access users")
diff --git a/frontend/templates/cp_core_settings.html b/frontend/templates/cp_core_settings.html
index e943a892dd..459d63356c 100644
--- a/frontend/templates/cp_core_settings.html
+++ b/frontend/templates/cp_core_settings.html
@@ -27,9 +27,6 @@

Control panel access control

control panel

- {{checkbox "AllowAllMembersReadOnly" "AllowAllMembersReadOnly" "Allow all members of your server read only access" .CoreConfig.AllowAllMembersReadOnly}} - {{checkbox "AllowNonMembersReadOnly" "AllowNonMembersReadOnly" "Allow users not part of your server, including users not logged in, read only access" .CoreConfig.AllowNonMembersReadOnly}} -
diff --git a/web/handlers_auth.go b/web/handlers_auth.go
index a089fbbd59..f6fceb6ca8 100644
--- a/web/handlers_auth.go
+++ b/web/handlers_auth.go
@@ -225,14 +225,6 @@ func GetUserAccessLevel(userID int64, g *common.GuildWithConnected, config *mode
 return false, false
 }
 
- if config.AllowNonMembersReadOnly {
- // everyone is allowed read access
- hasRead = true
- } else if userID != 0 && config.AllowAllMembersReadOnly {
- // logged in and a member of the guild
- hasRead = true
- }
-
 if len(config.AllowedWriteRoles) < 1 && len(config.AllowedReadOnlyRoles) < 1 {
 // no need to check the roles, nothing set up
 return
@@ -258,7 +250,7 @@ func GetUserAccessLevel(userID int64, g *common.GuildWithConnected, config *mode
 return
 }
 
-// HasAccesstoGuildSettings retrusn true if the specified user (or 0 if not logged in or not on the server) has access
+// HasAccesstoGuildSettings retruns true if the specified user (or 0 if not logged in or not on the server) has access
 func HasAccesstoGuildSettings(userID int64, g *common.GuildWithConnected, config *models.CoreConfig, roleProvider func(guildID, userID int64) []int64, write bool) bool {
 hasRead, hasWrite := GetUserAccessLevel(userID, g, config, roleProvider)
 if hasWrite {
diff --git a/web/handlers_general.go b/web/handlers_general.go
index 9a33310f92..9a5b410f8a 100644
--- a/web/handlers_general.go
+++ b/web/handlers_general.go
@@ -370,7 +370,7 @@ func HandleReconnectShard(w http.ResponseWriter, r *http.Request) (TemplateData,
 return HandleStatusHTML(w, r)
 }
 
-func HandleChanenlPermissions(w http.ResponseWriter, r *http.Request) interface{} {
+func HandleChannelPermissions(w http.ResponseWriter, r *http.Request) interface{} {
 g := r.Context().Value(common.ContextKeyCurrentGuild).(*dstate.GuildSet)
 c, _ := strconv.ParseInt(pat.Param(r, "channel"), 10, 64)
 perms, err := botrest.GetChannelPermissions(g.ID, c)
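Review bot: With the two config-flag grants removed, read access in GetUserAccessLevel now comes only from the role checks further down, but the diffstat touches no models file, so the AllowAllMembersReadOnly/AllowNonMembersReadOnly fields and any values already persisted appear to survive in the database and are now silently ignored. That is the fail-closed direction and the right one, but it deserves a comment at the top of the function (outside this hunk) so nobody reinstates the flags by accident: `// Read access is granted only through AllowedReadOnlyRoles/AllowedWriteRoles; the legacy AllowAllMembersReadOnly/AllowNonMembersReadOnly config fields are no longer consulted.` GetUserAccessLevel starts and ends outside the hunk. In this file's second hunk the doc-comment fix still misspells the word; it should read `// HasAccesstoGuildSettings returns true if the specified user (or 0 if not logged in or not on the server) has access`.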
@@ -451,10 +451,8 @@ func (p *ControlPanelPlugin) LoadServerHomeWidget(w http.ResponseWriter, r *http
 const format = ``
- templateData["WidgetBody"] = template.HTML(fmt.Sprintf(format, len(config.AllowedReadOnlyRoles), len(config.AllowedWriteRoles), EnabledDisabledSpanStatus(config.AllowAllMembersReadOnly), EnabledDisabledSpanStatus(config.AllowNonMembersReadOnly)))
+ templateData["WidgetBody"] = template.HTML(fmt.Sprintf(format, len(config.AllowedReadOnlyRoles), len(config.AllowedWriteRoles)))
 return templateData, nil
 }
@@ -464,10 +462,8 @@ func (p *ControlPanelPlugin) ServerHomeWidgetOrder() int {
 }
 
 type CoreConfigPostForm struct {
- AllowedReadOnlyRoles []int64 `valid:"role,true"`
- AllowedWriteRoles []int64 `valid:"role,true"`
- AllowAllMembersReadOnly bool
- AllowNonMembersReadOnly bool
+ AllowedReadOnlyRoles []int64 `valid:"role,true"`
+ AllowedWriteRoles []int64 `valid:"role,true"`
 }
 
 func HandlePostCoreSettings(w http.ResponseWriter, r *http.Request) (TemplateData, error) {
@@ -479,9 +475,6 @@ func HandlePostCoreSettings(w http.ResponseWriter, r *http.Request) (TemplateDat
 GuildID: g.ID,
 AllowedReadOnlyRoles: form.AllowedReadOnlyRoles,
 AllowedWriteRoles: form.AllowedWriteRoles,
-
- AllowAllMembersReadOnly: form.AllowAllMembersReadOnly,
- AllowNonMembersReadOnly: form.AllowNonMembersReadOnly,
 }
 
 err := common.CoreConfigSave(r.Context(), m)
diff --git a/web/util.go b/web/util.go
index 7955d7a66d..8de515a843 100644
--- a/web/util.go
+++ b/web/util.go
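Review bot: The Sprintf call in LoadServerHomeWidget goes from four arguments to two, but the body of the `format` raw string is not visible in this rendering, so it cannot be confirmed here that the two `%s` verbs that consumed the old EnabledDisabledSpanStatus values were removed alongside them; if they were not, the widget renders `%!s(MISSING)` and `go vet`'s printf check reports it. Running `go vet ./web/...` on this commit settles it. In the later HandlePostCoreSettings hunk, building `m` without the two legacy fields presumably makes a re-save write their zero values, which brings stored config in line with the new read-access logic for any guild that revisits the settings page.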
@@ -187,11 +187,10 @@ func CheckErr(t TemplateData, err error, errMsg string, logger func(...interface
 
 func IsAdminRequest(ctx context.Context, r *http.Request) (read bool, write bool) {
 isReadOnlyReq := strings.EqualFold(r.Method, "GET") || strings.EqualFold(r.Method, "OPTIONS")
-
- if v := ctx.Value(common.ContextKeyCurrentGuild); v != nil {
+ v := ctx.Value(common.ContextKeyCurrentGuild)
+ g := v.(*dstate.GuildSet)
+ if v != nil {
 // accessing a server page
- g := v.(*dstate.GuildSet)
-
 gWithConnected := &common.GuildWithConnected{
 UserGuild: &discordgo.UserGuild{
 ID: g.ID,
@@ -232,8 +231,9 @@ func IsAdminRequest(ctx context.Context, r *http.Request) (read bool, write bool
 }
 
 if isReadOnlyReq {
- // allow special read only acces for GET and OPTIONS requests, simple and works well
- if hasAcces, err := bot.HasReadOnlyAccess(cast.ID); hasAcces && err == nil {
+ logrus.Infof("%s (%d) tried to access server %d with Global Read Only Permissions", cast.Username, cast.ID, g.ID)
+ // allow special read only access for GET and OPTIONS requests, simple and works well
+ if hasAccess, err := bot.HasReadOnlyAccess(cast.ID); hasAccess && err == nil {
 return true, false
 }
 }
diff --git a/web/web.go b/web/web.go
index b488510173..8e2f8efa79 100644
--- a/web/web.go
+++ b/web/web.go
@@ -292,7 +292,7 @@ func setupRoutes() *goji.Mux {
 RootMux.Handle(pat.Get("/api/:server"), ServerPublicAPIMux)
 RootMux.Handle(pat.Get("/api/:server/*"), ServerPublicAPIMux)
 
- ServerPublicAPIMux.Handle(pat.Get("/channelperms/:channel"), RequireActiveServer(APIHandler(HandleChanenlPermissions)))
+ ServerPublicAPIMux.Handle(pat.Get("/channelperms/:channel"), RequireActiveServer(APIHandler(HandleChannelPermissions)))
 
 // Server selection has its own handler
 RootMux.Handle(pat.Get("/manage"), SelectServerHomePageHandler)
diff --git a/web/web_test.go b/web/web_test.go
index 707a45a04d..e2c3042085 100644
--- a/web/web_test.go
+++ b/web/web_test.go
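Review bot: The hoisted `g := v.(*dstate.GuildSet)` in IsAdminRequest now runs before the `if v != nil` test, and a single-value type assertion on a nil interface panics, so every request whose context carries no current guild panics inside the handler instead of taking the non-server-page path, and the nil check beneath it is effectively dead. Use the comma-ok form and test the result instead: `g, _ := ctx.Value(common.ContextKeyCurrentGuild).(*dstate.GuildSet)` followed by `if g != nil {`. In the second hunk the new logrus.Infof fires for every GET/OPTIONS request from a user without role-based access, before bot.HasReadOnlyAccess has decided anything, so "tried to access … with Global Read Only Permissions" is misleading and records a username per request; move it inside the `hasAccess && err == nil` branch, or log the denied case at Debug. That hunk's `g.ID` also depends on g being non-nil, and whether the block sits inside the guild branch cannot be told from the hunk; if it does not, guard the log on `g != nil`. IsAdminRequest ends outside both hunks.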
@@ -134,167 +134,6 @@ func TestHasAccesstoGuildSettings(t *testing.T) {
 
 ShouldHaveAcces: true,
 },
-
- ////////////////////////////////////
- // AllowNonMembersROAccess tests
- ////////////////////////////////////
-
- // all users ro - normal user access
- {
- Name: "all users ro-normal user access (ro)",
- Conf: &models.CoreConfig{
- AllowNonMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: false,
- ReadOnly: true,
-
- ShouldHaveAcces: true,
- },
- {
- Name: "all users ro-normal user access",
- Conf: &models.CoreConfig{
- AllowNonMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: false,
- ReadOnly: false,
-
- ShouldHaveAcces: false,
- },
- // all users ro - member access
- {
- Name: "all users ro-member access (ro)",
- Conf: &models.CoreConfig{
- AllowNonMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: true,
- ReadOnly: true,
-
- ShouldHaveAcces: true,
- },
- {
- Name: "all users ro-member access",
- Conf: &models.CoreConfig{
- AllowNonMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: true,
- ReadOnly: false,
-
- ShouldHaveAcces: false,
- },
- // all users ro - admin access
- {
- Name: "all users ro-admin access (ro)",
- Conf: &models.CoreConfig{
- AllowNonMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, true),
- Roles: nil,
- IsMember: true,
- ReadOnly: true,
-
- ShouldHaveAcces: true,
- },
- {
- Name: "all users ro-admin access",
- Conf: &models.CoreConfig{
- AllowNonMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, true),
- Roles: nil,
- IsMember: true,
- ReadOnly: false,
-
- ShouldHaveAcces: true,
- },
-
- ////////////////////////////////////
- // AllMembersRO tests
- ////////////////////////////////////
-
- // all members ro - normal user access
- {
- Name: "all members ro-normal user access (ro)",
- Conf: &models.CoreConfig{
- AllowAllMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: false,
- ReadOnly: true,
-
- ShouldHaveAcces: false,
- },
- {
- Name: "all members ro-normal user access",
- Conf: &models.CoreConfig{
- AllowAllMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: false,
- ReadOnly: false,
-
- ShouldHaveAcces: false,
- },
- // all members ro - member access
- {
- Name: "all members ro-member access (ro)",
- Conf: &models.CoreConfig{
- AllowAllMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: true,
- ReadOnly: true,
-
- ShouldHaveAcces: true,
- },
- {
- Name: "all members ro-member access",
- Conf: &models.CoreConfig{
- AllowAllMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, false),
- Roles: nil,
- IsMember: true,
- ReadOnly: false,
-
- ShouldHaveAcces: false,
- },
- // all members ro - admin access
- {
- Name: "all members ro-admin access (ro)",
- Conf: &models.CoreConfig{
- AllowAllMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, true),
- Roles: nil,
- IsMember: true,
- ReadOnly: true,
-
- ShouldHaveAcces: true,
- },
- {
- Name: "all members ro-admin access",
- Conf: &models.CoreConfig{
- AllowAllMembersReadOnly: true,
- },
- GWC: createUserGuild(true, false, true),
- Roles: nil,
- IsMember: true,
- ReadOnly: false,
-
- ShouldHaveAcces: true,
- },
-
 ////////////////////////////////////
 // Read only roles
 ////////////////////////////////////