HandlerPageEdit: Use clearForPage() before setting Permissions

Albert S. 2023-08-11 09:22:04 +02:00
parent 8998fb8793
commit f08e235d03


@ -95,6 +95,9 @@ Response HandlerPageEdit::handleRequest(PageDao &pageDao, std::string pagename,
pagename = rename; pagename = rename;
} }
std::vector<std::pair<std::string, Permissions>> collectedPermissions;
auto permissionDao = this->database->createPermissionsDao();
for(const std::string &perm : perms) for(const std::string &perm : perms)
{ {
auto splitted = utils::split(perm, '|'); auto splitted = utils::split(perm, '|');
@ -102,23 +105,29 @@ Response HandlerPageEdit::handleRequest(PageDao &pageDao, std::string pagename,
{ {
return this->errorResponse("Invalid command", "permissions command is misformated"); return this->errorResponse("Invalid command", "permissions command is misformated");
} }
auto permissionDao = this->database->createPermissionsDao();
auto currentPermission = permissionDao->find(pagename, splitted[0]); auto currentPermission = permissionDao->find(pagename, splitted[0]);
Permissions newPermissions = Permissions{splitted[1]}; Permissions newPermissions = Permissions{splitted[1]};
if(!currentPermission || newPermissions != currentPermission.value()) if(!currentPermission || newPermissions != currentPermission.value())
{ {
if(this->userSession->user.permissions.canSetPagePerms()) if(!this->userSession->user.permissions.canSetPagePerms())
{
permissionDao->save(pagename, splitted[0], newPermissions);
}
else
{ {
this->database->rollbackTransaction(); this->database->rollbackTransaction();
return errorResponse("Invalid permissions", return errorResponse("Permission denied",
"You don't have permission to change page permissions"); "You don't have permission to change permissions. Don't touch the "
"permission commands");
} }
} }
collectedPermissions.emplace_back(splitted[0], newPermissions);
}
if(this->userSession->user.permissions.canSetPagePerms())
{
permissionDao->clearForPage(pagename);
for(auto &perms : collectedPermissions)
{
permissionDao->save(pagename, perms.first, perms.second);
}
} }
page.current_revision = current_revision; page.current_revision = current_revision;
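Review bot: The check inside the loop only compares entries that are present in the submission, so an edit that omits an existing permission command is never tested against `canSetPagePerms()`. For a user who holds that right, the new `permissionDao->clearForPage(pagename)` then deletes every stored entry for the page on any save whose text no longer carries the commands, even when no permission change was intended. Consider comparing `collectedPermissions` with the stored entries, running the clear-and-save step only when they differ, and rejecting an unprivileged edit that drops an entry the same way a changed entry is rejected. Separately, the `Invalid command` return exits without `this->database->rollbackTransaction()` while the permission-denied path calls it; if the transaction is opened above this hunk, that path should roll back too. `handleRequest` starts and ends outside the visible hunks, so both points need checking against the full function.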