v3: added a roles/permissions system, added user management tab on user profile
All checks were successful
Build and Publish Docker Image / build-and-push (push) Successful in 42s

This commit is contained in:
khannurien
2026-06-28 06:21:23 +00:00
parent b567e390d9
commit 810faaf21a
22 changed files with 341 additions and 60 deletions

View File

@@ -8,6 +8,7 @@ import {
isUpdateCommentRequest,
} from "../model/interfaces.ts";
import { authMiddleware } from "../middleware/auth.ts";
import { can } from "../lib/permissions.ts";
import { parseOptionalAuth } from "../lib/auth.ts";
import { parsePagination } from "../lib/pagination.ts";
import {
@@ -66,7 +67,7 @@ router.post("/dumps/:dumpId/comments", authMiddleware, async (ctx) => {
// PATCH /api/comments/:commentId — auth required
router.patch("/comments/:commentId", authMiddleware, async (ctx) => {
const userId = ctx.state.user.userId;
const isAdmin = ctx.state.user.isAdmin ?? false;
const canModerate = can(ctx.state.user, "comment:moderate");
const body = await ctx.request.body.json();
if (!isUpdateCommentRequest(body)) {
throw new APIException(
@@ -79,7 +80,7 @@ router.patch("/comments/:commentId", authMiddleware, async (ctx) => {
ctx.params.commentId,
body.body,
userId,
isAdmin,
canModerate,
);
if (!isPrivate) broadcastCommentUpdated(comment);
const responseBody: APIResponse<Comment> = { success: true, data: comment };
@@ -110,11 +111,11 @@ router.get("/comments/:commentId/likers", async (ctx) => {
// DELETE /api/comments/:commentId — auth required
router.delete("/comments/:commentId", authMiddleware, (ctx) => {
const userId = ctx.state.user.userId;
const isAdmin = ctx.state.user.isAdmin ?? false;
const canModerate = can(ctx.state.user, "comment:moderate");
const { dumpId, isPrivate } = deleteComment(
ctx.params.commentId,
userId,
isAdmin,
canModerate,
);
if (!isPrivate) broadcastCommentDeleted(ctx.params.commentId, dumpId);
const responseBody: APIResponse<null> = { success: true, data: null };

View File

@@ -11,6 +11,7 @@ import {
} from "../model/interfaces.ts";
import { authMiddleware } from "../middleware/auth.ts";
import { can } from "../lib/permissions.ts";
import { parseOptionalAuth } from "../lib/auth.ts";
import { parsePagination } from "../lib/pagination.ts";
import { validateImageUpload } from "../lib/upload.ts";
@@ -126,10 +127,10 @@ router.get("/", async (ctx) => {
router.put("/:dumpId/file", authMiddleware, async (ctx) => {
const dumpId = ctx.params.dumpId;
const userId = ctx.state.user?.userId;
const userId = ctx.state.user.userId;
const dump = getDump(dumpId, userId);
if (userId !== dump.userId && !ctx.state.user?.isAdmin) {
if (userId !== dump.userId && !can(ctx.state.user, "dump:moderate")) {
throw new APIException(
APIErrorCode.UNAUTHORIZED,
403,
@@ -162,7 +163,7 @@ router.put("/:dumpId/file", authMiddleware, async (ctx) => {
router.put("/:dumpId", authMiddleware, async (ctx) => {
const dumpId = ctx.params.dumpId;
const userId = ctx.state.user?.userId;
const userId = ctx.state.user.userId;
const body = await ctx.request.body.json();
if (!isUpdateDumpRequest(body)) {
@@ -175,7 +176,7 @@ router.put("/:dumpId", authMiddleware, async (ctx) => {
const dump = getDump(dumpId, userId);
if (userId !== dump.userId && !ctx.state.user?.isAdmin) {
if (userId !== dump.userId && !can(ctx.state.user, "dump:moderate")) {
throw new APIException(
APIErrorCode.UNAUTHORIZED,
403,
@@ -190,10 +191,10 @@ router.put("/:dumpId", authMiddleware, async (ctx) => {
router.put("/:dumpId/thumbnail", authMiddleware, async (ctx) => {
const dumpId = ctx.params.dumpId;
const userId = ctx.state.user?.userId;
const userId = ctx.state.user.userId;
const dump = getDump(dumpId, userId);
if (userId !== dump.userId && !ctx.state.user?.isAdmin) {
if (userId !== dump.userId && !can(ctx.state.user, "dump:moderate")) {
throw new APIException(
APIErrorCode.UNAUTHORIZED,
403,
@@ -232,10 +233,10 @@ router.put("/:dumpId/thumbnail", authMiddleware, async (ctx) => {
router.delete("/:dumpId/thumbnail", authMiddleware, async (ctx) => {
const dumpId = ctx.params.dumpId;
const userId = ctx.state.user?.userId;
const userId = ctx.state.user.userId;
const dump = getDump(dumpId, userId);
if (userId !== dump.userId && !ctx.state.user?.isAdmin) {
if (userId !== dump.userId && !can(ctx.state.user, "dump:moderate")) {
throw new APIException(
APIErrorCode.UNAUTHORIZED,
403,
@@ -250,10 +251,10 @@ router.delete("/:dumpId/thumbnail", authMiddleware, async (ctx) => {
router.post("/:dumpId/refresh-metadata", authMiddleware, async (ctx) => {
const dumpId = ctx.params.dumpId;
const userId = ctx.state.user?.userId;
const userId = ctx.state.user.userId;
const dump = getDump(dumpId, userId);
if (userId !== dump.userId && !ctx.state.user?.isAdmin) {
if (userId !== dump.userId && !can(ctx.state.user, "dump:moderate")) {
throw new APIException(
APIErrorCode.UNAUTHORIZED,
403,
@@ -268,10 +269,10 @@ router.post("/:dumpId/refresh-metadata", authMiddleware, async (ctx) => {
router.delete("/:dumpId", authMiddleware, async (ctx) => {
const dumpId = ctx.params.dumpId;
const userId = ctx.state.user?.userId;
const userId = ctx.state.user.userId;
const dump = getDump(dumpId, userId);
if (userId !== dump.userId && !ctx.state.user?.isAdmin) {
if (userId !== dump.userId && !can(ctx.state.user, "dump:moderate")) {
throw new APIException(
APIErrorCode.UNAUTHORIZED,
403,

View File

@@ -4,13 +4,18 @@ import {
APIErrorCode,
APIException,
isLoginUserRequest,
isRole,
isUpdateUserRequest,
type PaginatedData,
validateRegisterUserRequest,
} from "../model/interfaces.ts";
import { createJWT, verifyPassword } from "../lib/jwt.ts";
import { type AuthContext, authMiddleware } from "../middleware/auth.ts";
import {
type AuthContext,
authMiddleware,
requirePermission,
} from "../middleware/auth.ts";
import { parseOptionalAuth } from "../lib/auth.ts";
import { parsePagination } from "../lib/pagination.ts";
import {
@@ -86,7 +91,7 @@ router.post("/register", async (ctx) => {
const authToken = await createJWT({
userId: user.id,
username: user.username,
isAdmin: user.isAdmin,
role: user.role,
});
const { passwordHash: _, ...publicUser } = user;
@@ -124,7 +129,7 @@ router.post("/login", async (ctx) => {
const token = await createJWT({
userId: user.id,
username: user.username,
isAdmin: user.isAdmin,
role: user.role,
});
const { passwordHash: _, ...publicUser } = user;
@@ -250,12 +255,42 @@ router.patch("/me", authMiddleware, async (ctx: AuthContext) => {
"Invalid request",
);
}
const updated = await updateUser(ctx.state.user.userId, body);
// Self-service profile updates must never set the role. Role assignment is
// done out-of-band (DB/seed); stripping it here prevents self-promotion.
const { role: _role, ...safeBody } = body;
const updated = await updateUser(ctx.state.user.userId, safeBody);
const { passwordHash: _, email: _email, ...publicUser } = updated;
broadcastUserUpdated(publicUser);
ctx.response.body = { success: true, data: publicUser };
});
// Set another user's role. Requires the user:manage permission.
router.patch(
"/:userId/role",
authMiddleware,
requirePermission("user:manage"),
async (ctx: AuthContext<"/:userId/role">) => {
const body = await ctx.request.body.json();
const role: unknown = body?.role;
if (!isRole(role)) {
throw new APIException(APIErrorCode.VALIDATION_ERROR, 400, "Invalid role");
}
// Disallow changing your own role: prevents an admin from accidentally
// locking themselves out, and self-promotion is meaningless anyway.
if (ctx.params.userId === ctx.state.user.userId) {
throw new APIException(
APIErrorCode.VALIDATION_ERROR,
400,
"Cannot change your own role",
);
}
const updated = await updateUser(ctx.params.userId, { role });
const { passwordHash: _, email: _email, ...publicUser } = updated;
broadcastUserUpdated(publicUser);
ctx.response.body = { success: true, data: publicUser };
},
);
// User search for @mention autocomplete
router.get("/search", (ctx) => {
const q = (ctx.request.url.searchParams.get("q") ?? "").trim();