add team checks

pull/8649/head
Thibault Duplessis 2021-04-13 22:55:01 +02:00
parent 2f934b1049
commit e090d98db0
2 changed files with 25 additions and 15 deletions


@ -84,7 +84,7 @@ final class Team(
) )
private def usersExport(teamId: String, me: Option[lila.user.User], req: RequestHeader) = { private def usersExport(teamId: String, me: Option[lila.user.User], req: RequestHeader) = {
api.team(teamId) flatMap { api teamEnabled teamId flatMap {
_ ?? { team => _ ?? { team =>
val canView: Fu[Boolean] = val canView: Fu[Boolean] =
if (team.publicMembers) fuccess(true) if (team.publicMembers) fuccess(true)
@ -108,7 +108,7 @@ final class Team(
def tournaments(teamId: String) = def tournaments(teamId: String) =
Open { implicit ctx => Open { implicit ctx =>
env.team.teamRepo.enabled(teamId) flatMap { api teamEnabled teamId flatMap {
_ ?? { team => _ ?? { team =>
env.teamInfo.tournaments(team, 30, 30) map { tours => env.teamInfo.tournaments(team, 30, 30) map { tours =>
Ok(html.team.tournaments.page(team, tours)) Ok(html.team.tournaments.page(team, tours))
@ -119,14 +119,14 @@ final class Team(
def edit(id: String) = def edit(id: String) =
Auth { implicit ctx => _ => Auth { implicit ctx => _ =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
fuccess(html.team.form.edit(team, forms edit team)) fuccess(html.team.form.edit(team, forms edit team))
} }
} }
def update(id: String) = def update(id: String) =
AuthBody { implicit ctx => me => AuthBody { implicit ctx => me =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
implicit val req = ctx.body implicit val req = ctx.body
forms forms
.edit(team) .edit(team)
@ -140,7 +140,7 @@ final class Team(
def kickForm(id: String) = def kickForm(id: String) =
Auth { implicit ctx => me => Auth { implicit ctx => me =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
env.team.memberRepo userIdsByTeam team.id map { userIds => env.team.memberRepo userIdsByTeam team.id map { userIds =>
html.team.admin.kick(team, userIds.filter(me.id !=)) html.team.admin.kick(team, userIds.filter(me.id !=))
} }
@ -149,7 +149,7 @@ final class Team(
def kick(id: String) = def kick(id: String) =
AuthBody { implicit ctx => me => AuthBody { implicit ctx => me =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
implicit val req = ctx.body implicit val req = ctx.body
forms.selectMember.bindFromRequest().value ?? { api.kick(team, _, me) } inject Redirect( forms.selectMember.bindFromRequest().value ?? { api.kick(team, _, me) } inject Redirect(
routes.Team.kickForm(team.id) routes.Team.kickForm(team.id)
@ -158,7 +158,7 @@ final class Team(
} }
def kickUser(teamId: String, userId: String) = def kickUser(teamId: String, userId: String) =
Scoped(_.Team.Write) { _ => me => Scoped(_.Team.Write) { _ => me =>
api team teamId flatMap { api teamEnabled teamId flatMap {
_ ?? { team => _ ?? { team =>
if (team leaders me.id) api.kick(team, userId, me) inject jsonOkResult if (team leaders me.id) api.kick(team, userId, me) inject jsonOkResult
else Forbidden(jsonError("Not your team")).fuccess else Forbidden(jsonError("Not your team")).fuccess
@ -168,14 +168,14 @@ final class Team(
def leadersForm(id: String) = def leadersForm(id: String) =
Auth { implicit ctx => _ => Auth { implicit ctx => _ =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
Ok(html.team.admin.leaders(team, forms leaders team)).fuccess Ok(html.team.admin.leaders(team, forms leaders team)).fuccess
} }
} }
def leaders(id: String) = def leaders(id: String) =
AuthBody { implicit ctx => me => AuthBody { implicit ctx => me =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
implicit val req = ctx.body implicit val req = ctx.body
forms.leaders(team).bindFromRequest().value ?? { forms.leaders(team).bindFromRequest().value ?? {
api.setLeaders(team, _, me, isGranted(_.ManageTeam)) api.setLeaders(team, _, me, isGranted(_.ManageTeam))
@ -256,7 +256,7 @@ final class Team(
AuthOrScopedBody(_.Team.Write)( AuthOrScopedBody(_.Team.Write)(
auth = implicit ctx => auth = implicit ctx =>
me => me =>
api.team(id) flatMap { api.teamEnabled(id) flatMap {
_ ?? { team => _ ?? { team =>
api hasJoinedTooManyTeams me flatMap { tooMany => api hasJoinedTooManyTeams me flatMap { tooMany =>
if (tooMany) if (tooMany)
@ -428,7 +428,7 @@ final class Team(
def pmAll(id: String) = def pmAll(id: String) =
Auth { implicit ctx => _ => Auth { implicit ctx => _ =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
env.tournament.api env.tournament.api
.visibleByTeam(team.id, 0, 20) .visibleByTeam(team.id, 0, 20)
.dmap(_.next) .dmap(_.next)
@ -442,7 +442,7 @@ final class Team(
AuthOrScopedBody(_.Team.Write)( AuthOrScopedBody(_.Team.Write)(
auth = implicit ctx => auth = implicit ctx =>
me => me =>
WithOwnedTeam(id) { team => WithOwnedTeamEnabled(id) { team =>
doPmAll(team, me)(ctx.body).fold( doPmAll(team, me)(ctx.body).fold(
err => err =>
env.tournament.api env.tournament.api
@ -456,7 +456,7 @@ final class Team(
}, },
scoped = implicit req => scoped = implicit req =>
me => me =>
api team id flatMap { api teamEnabled id flatMap {
_.filter(_ leaders me.id) ?? { team => _.filter(_ leaders me.id) ?? { team =>
doPmAll(team, me).fold( doPmAll(team, me).fold(
err => BadRequest(errorsAsJson(err)(reqLang)).fuccess, err => BadRequest(errorsAsJson(err)(reqLang)).fuccess,
@ -482,7 +482,7 @@ final class Team(
def apiShow(id: String) = def apiShow(id: String) =
Open { ctx => Open { ctx =>
JsonOptionOk { JsonOptionOk {
api team id flatMap { api teamEnabled id flatMap {
_ ?? { team => _ ?? { team =>
for { for {
joined <- ctx.userId.?? { api.belongsTo(id, _) } joined <- ctx.userId.?? { api.belongsTo(id, _) }
@ -565,4 +565,12 @@ You received this because you are subscribed to messages of the team $url."""
if (ctx.userId.exists(team.leaders.contains) || isGranted(_.ManageTeam)) f(team) if (ctx.userId.exists(team.leaders.contains) || isGranted(_.ManageTeam)) f(team)
else renderTeam(team) map { Forbidden(_) } else renderTeam(team) map { Forbidden(_) }
} }
private def WithOwnedTeamEnabled(
teamId: String
)(f: TeamModel => Fu[Result])(implicit ctx: Context): Fu[Result] =
WithOwnedTeam(teamId) { team =>
if (team.enabled) f(team)
else notFound
}
} }
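Review bot: In `WithOwnedTeamEnabled` the `team.enabled` test runs only inside the `WithOwnedTeam` callback, so it is reached only after the leader / `ManageTeam` check has passed. A non-leader requesting edit, kick, leaders or pmAll on a disabled team therefore still takes the `renderTeam(team) map { Forbidden(_) }` branch and gets a 403 with the team rendered, while a leader gets `notFound`. The start of `WithOwnedTeam` is outside the hunk, but if it loads the team through the unfiltered `api team`, disabled teams stay observable through that 403 path. Consider loading with `api teamEnabled` in the helper, or testing `team.enabled` before the ownership branch, so both cases return the same 404. The guard also locks `ManageTeam` holders out of disabled teams; if moderators are meant to keep access, make it `if (team.enabled || isGranted(_.ManageTeam)) f(team)` and state that in a comment on the helper.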


@ -34,6 +34,8 @@ final class TeamApi(
def team(id: Team.ID) = teamRepo byId id def team(id: Team.ID) = teamRepo byId id
def teamEnabled(id: Team.ID) = teamRepo enabled id
def leaderTeam(id: Team.ID) = teamRepo.coll.byId[LeaderTeam](id, $doc("name" -> true)) def leaderTeam(id: Team.ID) = teamRepo.coll.byId[LeaderTeam](id, $doc("name" -> true))
def lightsByLeader = teamRepo.lightsByLeader _ def lightsByLeader = teamRepo.lightsByLeader _
@ -143,7 +145,7 @@ final class TeamApi(
def requestable(teamId: Team.ID, user: User): Fu[Option[Team]] = def requestable(teamId: Team.ID, user: User): Fu[Option[Team]] =
for { for {
teamOption <- teamRepo.coll.byId[Team](teamId) teamOption <- teamEnabled(teamId)
able <- teamOption.??(requestable(_, user)) able <- teamOption.??(requestable(_, user))
} yield teamOption ifTrue able } yield teamOption ifTrue able
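Review bot: `teamEnabled` sits directly beside the unfiltered `team(id)` with no return type or comment, so nothing at a call site tells a reader which lookup skips disabled teams. Declare it as `def teamEnabled(id: Team.ID): Fu[Option[Team]] = teamRepo enabled id`, which is the type `requestable` already relies on. Add a one-line Scaladoc to both, e.g. `/** Team by id, only if enabled; use this for anything reachable from a request. */` on `teamEnabled`, and a note on `team` that it also returns disabled teams. That keeps new handlers from picking the unfiltered lookup by default.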