From e090d98db0f84583da6e1ed611eec7939c3bec02 Mon Sep 17 00:00:00 2001 From: Thibault Duplessis Date: Tue, 13 Apr 2021 22:55:01 +0200 Subject: [PATCH] add team checks --- app/controllers/Team.scala | 36 ++++++++++++++++++----------- modules/team/src/main/TeamApi.scala | 4 +++- 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/app/controllers/Team.scala b/app/controllers/Team.scala index cbe5b162da..83609abadf 100644 --- a/app/controllers/Team.scala +++ b/app/controllers/Team.scala @@ -84,7 +84,7 @@ final class Team( ) private def usersExport(teamId: String, me: Option[lila.user.User], req: RequestHeader) = { - api.team(teamId) flatMap { + api teamEnabled teamId flatMap { _ ?? { team => val canView: Fu[Boolean] = if (team.publicMembers) fuccess(true) @@ -108,7 +108,7 @@ final class Team( def tournaments(teamId: String) = Open { implicit ctx => - env.team.teamRepo.enabled(teamId) flatMap { + api teamEnabled teamId flatMap { _ ?? { team => env.teamInfo.tournaments(team, 30, 30) map { tours => Ok(html.team.tournaments.page(team, tours)) @@ -119,14 +119,14 @@ final class Team( def edit(id: String) = Auth { implicit ctx => _ => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => fuccess(html.team.form.edit(team, forms edit team)) } } def update(id: String) = AuthBody { implicit ctx => me => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => implicit val req = ctx.body forms .edit(team) @@ -140,7 +140,7 @@ final class Team( def kickForm(id: String) = Auth { implicit ctx => me => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => env.team.memberRepo userIdsByTeam team.id map { userIds => html.team.admin.kick(team, userIds.filter(me.id !=)) } 
@@ -149,7 +149,7 @@ final class Team( def kick(id: String) = AuthBody { implicit ctx => me => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => implicit val req = ctx.body forms.selectMember.bindFromRequest().value ?? { api.kick(team, _, me) } inject Redirect( routes.Team.kickForm(team.id) @@ -158,7 +158,7 @@ final class Team( } def kickUser(teamId: String, userId: String) = Scoped(_.Team.Write) { _ => me => - api team teamId flatMap { + api teamEnabled teamId flatMap { _ ?? { team => if (team leaders me.id) api.kick(team, userId, me) inject jsonOkResult else Forbidden(jsonError("Not your team")).fuccess @@ -168,14 +168,14 @@ final class Team( def leadersForm(id: String) = Auth { implicit ctx => _ => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => Ok(html.team.admin.leaders(team, forms leaders team)).fuccess } } def leaders(id: String) = AuthBody { implicit ctx => me => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => implicit val req = ctx.body forms.leaders(team).bindFromRequest().value ?? { api.setLeaders(team, _, me, isGranted(_.ManageTeam)) @@ -256,7 +256,7 @@ final class Team( AuthOrScopedBody(_.Team.Write)( auth = implicit ctx => me => - api.team(id) flatMap { + api.teamEnabled(id) flatMap { _ ?? { team => api hasJoinedTooManyTeams me flatMap { tooMany => if (tooMany) @@ -428,7 +428,7 @@ final class Team( def pmAll(id: String) = Auth { implicit ctx => _ => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => env.tournament.api .visibleByTeam(team.id, 0, 20) .dmap(_.next) @@ -442,7 +442,7 @@ final class Team( AuthOrScopedBody(_.Team.Write)( auth = implicit ctx => me => - WithOwnedTeam(id) { team => + WithOwnedTeamEnabled(id) { team => doPmAll(team, me)(ctx.body).fold( err => env.tournament.api 
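Review bot: In the `@@ -256` hunk only the `auth` branch of this `AuthOrScopedBody(_.Team.Write)` action is switched to `api.teamEnabled(id)`; the `scoped` branch lies outside the hunk, so it is not visible whether a token-authenticated request against a disabled team is refused the same way. If that branch does not already end in an enabled-only lookup (the `requestable` change in TeamApi.scala may cover it), it should resolve the team through `api.teamEnabled(id)` as well, so both authentication paths enforce the same state check. A short comment above the action naming the lookup each branch relies on would keep the two from drifting apart.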
@@ -456,7 +456,7 @@ final class Team( }, scoped = implicit req => me => - api team id flatMap { + api teamEnabled id flatMap { _.filter(_ leaders me.id) ?? { team => doPmAll(team, me).fold( err => BadRequest(errorsAsJson(err)(reqLang)).fuccess, @@ -482,7 +482,7 @@ final class Team( def apiShow(id: String) = Open { ctx => JsonOptionOk { - api team id flatMap { + api teamEnabled id flatMap { _ ?? { team => for { joined <- ctx.userId.?? { api.belongsTo(id, _) } @@ -565,4 +565,12 @@ You received this because you are subscribed to messages of the team $url.""" if (ctx.userId.exists(team.leaders.contains) || isGranted(_.ManageTeam)) f(team) else renderTeam(team) map { Forbidden(_) } } + + private def WithOwnedTeamEnabled( + teamId: String + )(f: TeamModel => Fu[Result])(implicit ctx: Context): Fu[Result] = + WithOwnedTeam(teamId) { team => + if (team.enabled) f(team) + else notFound + } } diff --git a/modules/team/src/main/TeamApi.scala b/modules/team/src/main/TeamApi.scala index 8df3473dcc..e8f79b2c9f 100644 --- a/modules/team/src/main/TeamApi.scala +++ b/modules/team/src/main/TeamApi.scala @@ -34,6 +34,8 @@ final class TeamApi( def team(id: Team.ID) = teamRepo byId id + def teamEnabled(id: Team.ID) = teamRepo enabled id + def leaderTeam(id: Team.ID) = teamRepo.coll.byId[LeaderTeam](id, $doc("name" -> true)) def lightsByLeader = teamRepo.lightsByLeader _ @@ -143,7 +145,7 @@ final class TeamApi( def requestable(teamId: Team.ID, user: User): Fu[Option[Team]] = for { - teamOption <- teamRepo.coll.byId[Team](teamId) + teamOption <- teamEnabled(teamId) able <- teamOption.??(requestable(_, user)) } yield teamOption ifTrue able
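Review bot: In `WithOwnedTeamEnabled` the `team.enabled` test runs inside the `WithOwnedTeam` callback, so it is reached only after the leader / `ManageTeam` check has passed. For a disabled team, a caller who is not a leader therefore still gets the `Forbidden` response built from `renderTeam(team)` shown in the context lines, while a leader gets `notFound`; the answer differs by role and the disabled team is still rendered for non-leaders on every route that uses this helper. If disabled teams are meant to be invisible here, do the state check first, for example by resolving the team with `api teamEnabled teamId` before the ownership test; the start of `WithOwnedTeam` is outside the hunk, so how it loads the team is not visible. The helper also deserves a Scaladoc line such as `/** Like WithOwnedTeam, but answers notFound when the team is disabled. */`.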
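Review bot: In the TeamApi.scala `@@ -34` hunk, `team` and `teamEnabled` now sit side by side with nothing saying that `team` presumably still returns disabled teams, and the shorter name is the one without the check. Scaladoc on both would make the choice explicit for the next caller, e.g. `/** Enabled teams only; use this for any user-facing action. */` on `teamEnabled` and a matching note on `team` that it ignores the enabled flag. As a public member, `teamEnabled` would also read better with an explicit result type; the `requestable` hunk below uses it as `Fu[Option[Team]]`.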