HandlerPageEdit: Use clearForPage() before setting Permissions

database/permissionsdao.h

@@ -9,6 +9,8 @@ class PermissionsDao
 	PermissionsDao();
 	virtual std::optional<Permissions> find(std::string pagename, std::string username) = 0;
 	virtual void save(std::string pagename, std::string username, Permissions perms) = 0;
+	virtual void clearForPage(std::string pagename) = 0;
+
 	virtual ~PermissionsDao() = default;
 };
 

database/permissionsdaosqlite.cpp

@@ -59,3 +59,16 @@ void PermissionsDaoSqlite::save(std::string pagename, std::string username, Perm
 		throwFrom(e);
 	}
 }
+
+void PermissionsDaoSqlite::clearForPage(std::string pagename)
+{
+	try
+	{
+		auto stmt = *db << "DELETE FROM permissions WHERE page = (SELECT id FROM page WHERE name = ?)" << pagename;
+		stmt.execute();
+	}
+	catch(sqlite::sqlite_exception &e)
+	{
+		throwFrom(e);
+	}
+}

database/permissionsdaosqlite.h

@@ -10,6 +10,7 @@ class PermissionsDaoSqlite : public PermissionsDao, protected SqliteDao
 
 	std::optional<Permissions> find(std::string pagename, std::string username) override;
 	virtual void save(std::string pagename, std::string username, Permissions perms) override;
+	virtual void clearForPage(std::string pagename) override;
 	using SqliteDao::SqliteDao;
 };
 

handlers/handlerpageedit.cpp

@@ -95,6 +95,9 @@ Response HandlerPageEdit::handleRequest(PageDao &pageDao, std::string pagename,
 					pagename = rename;
 				}
 
+				std::vector<std::pair<std::string, Permissions>> collectedPermissions;
+
+				auto permissionDao = this->database->createPermissionsDao();
 				for(const std::string &perm : perms)
 				{
 					auto splitted = utils::split(perm, '|');
@@ -102,23 +105,29 @@ Response HandlerPageEdit::handleRequest(PageDao &pageDao, std::string pagename,
 					{
 						return this->errorResponse("Invalid command", "permissions command is misformated");
 					}
-					auto permissionDao = this->database->createPermissionsDao();
 					auto currentPermission = permissionDao->find(pagename, splitted[0]);
 
 					Permissions newPermissions = Permissions{splitted[1]};
 					if(!currentPermission || newPermissions != currentPermission.value())
 					{
-						if(this->userSession->user.permissions.canSetPagePerms())
+						if(!this->userSession->user.permissions.canSetPagePerms())
-						{
-							permissionDao->save(pagename, splitted[0], newPermissions);
-						}
-						else
 						{
 							this->database->rollbackTransaction();
-							return errorResponse("Invalid permissions",
+							return errorResponse("Permission denied",
-												 "You don't have permission to change page permissions");
+												 "You don't have permission to change permissions. Don't touch the "
+												 "permission commands");
 						}
 					}
+					collectedPermissions.emplace_back(splitted[0], newPermissions);
+				}
+
+				if(this->userSession->user.permissions.canSetPagePerms())
+				{
+					permissionDao->clearForPage(pagename);
+					for(auto &perms : collectedPermissions)
+					{
+						permissionDao->save(pagename, perms.first, perms.second);
+					}
 				}
 
 				page.current_revision = current_revision;