granblue.team/hensei-api
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update controllers to properly authorize

Browse source 
For some of these, they weren't authorizing at all, so this is a good safety improvement
This commit is contained in:
Justin Edmund 2023-01-31 02:51:38 -08:00
parent 4b7b48cbd3
commit 7d576c3485
5 changed files with 45 additions and 16 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

10
app/controllers/api/v1/grid_characters_controller.rb
View file

@ -7,7 +7,7 @@ module Api
before_action :find_party, only: :create before_action :find_party, only: :create
before_action :set, only: %i[update destroy] before_action :set, only: %i[update destroy]
before_action :check_authorization, only: %i[update destroy] before_action :authorize, only: %i[create update destroy]
before_action :find_incoming_character, only: :create before_action :find_incoming_character, only: :create
before_action :find_current_characters, only: :create before_action :find_current_characters, only: :create
@ -135,8 +135,12 @@ module Api
render_unauthorized_response if current_user && (party.user != current_user) render_unauthorized_response if current_user && (party.user != current_user)
end end
def check_authorization def authorize
render_unauthorized_response if @character.party.user != current_user # Create
unauthorized_create = @party && (@party.user != current_user || @party.edit_key != edit_key)
unauthorized_update = @character && @character.party && (@character.party.user != current_user || @character.party.edit_key != edit_key)
render_unauthorized_response if unauthorized_create || unauthorized_update
end end
# Specify whitelisted properties that can be modified. # Specify whitelisted properties that can be modified.

14
app/controllers/api/v1/grid_summons_controller.rb
View file

@ -3,12 +3,12 @@
module Api module Api
module V1 module V1
class GridSummonsController < Api::V1::ApiController class GridSummonsController < Api::V1::ApiController
before_action :set, only: %w[update destroy]
attr_reader :party, :incoming_summon attr_reader :party, :incoming_summon
before_action :set, only: %w[update destroy]
before_action :find_party, only: :create before_action :find_party, only: :create
before_action :find_incoming_summon, only: :create before_action :find_incoming_summon, only: :create
before_action :authorize, only: %i[create update destroy]
def create def create
# Create the GridSummon with the desired parameters # Create the GridSummon with the desired parameters
@ -94,6 +94,14 @@ module Api
meta: { replaced: conflict_position }) meta: { replaced: conflict_position })
end end
def authorize
# Create
unauthorized_create = @party && (@party.user != current_user || @party.edit_key != edit_key)
unauthorized_update = @summon && @summon.party && (@summon.party.user != current_user || @summon.party.edit_key != edit_key)
render_unauthorized_response if unauthorized_create || unauthorized_update
end
def set def set
@summon = GridSummon.where('id = ?', params[:id]).first @summon = GridSummon.where('id = ?', params[:id]).first
end end

23
app/controllers/api/v1/grid_weapons_controller.rb
View file

@ -3,12 +3,12 @@
module Api module Api
module V1 module V1
class GridWeaponsController < Api::V1::ApiController class GridWeaponsController < Api::V1::ApiController
before_action :set, except: %w[create update_uncap_level]
attr_reader :party, :incoming_weapon attr_reader :party, :incoming_weapon
before_action :set, except: %w[create update_uncap_level]
before_action :find_party, only: :create before_action :find_party, only: :create
before_action :find_incoming_weapon, only: :create before_action :find_incoming_weapon, only: :create
before_action :authorize, only: %i[create update destroy]
def create def create
# Create the GridWeapon with the desired parameters # Create the GridWeapon with the desired parameters
@ -121,15 +121,15 @@ module Api
# Render the conflict view as a string # Render the conflict view as a string
def render_conflict_view(conflict_weapon, incoming_weapon, incoming_position) def render_conflict_view(conflict_weapon, incoming_weapon, incoming_position)
ConflictBlueprint.render(nil, view: :weapons, ConflictBlueprint.render(nil, view: :weapons,
conflict_weapon: conflict_weapon, conflict_weapon: conflict_weapon,
incoming_weapon: incoming_weapon, incoming_weapon: incoming_weapon,
incoming_position: incoming_position) incoming_position: incoming_position)
end end
def render_grid_weapon_view(grid_weapon, conflict_position) def render_grid_weapon_view(grid_weapon, conflict_position)
GridWeaponBlueprint.render(grid_weapon, view: :full, GridWeaponBlueprint.render(grid_weapon, view: :full,
root: :grid_weapon, root: :grid_weapon,
meta: { replaced: conflict_position }) meta: { replaced: conflict_position })
end end
def save_weapon(weapon) def save_weapon(weapon)
@ -183,6 +183,15 @@ module Api
@weapon = GridWeapon.where('id = ?', params[:id]).first @weapon = GridWeapon.where('id = ?', params[:id]).first
end end
def authorize
# Create
ap @party
unauthorized_create = @party && (@party.user != current_user || @party.edit_key != edit_key)
unauthorized_update = @weapon && @weapon.party && (@weapon.party.user != current_user || @weapon.party.edit_key != edit_key)
render_unauthorized_response if unauthorized_create || unauthorized_update
end
# Specify whitelisted properties that can be modified. # Specify whitelisted properties that can be modified.
def weapon_params def weapon_params
params.require(:weapon).permit( params.require(:weapon).permit(

5
app/controllers/api/v1/jobs_controller.rb
View file

@ -4,6 +4,7 @@ module Api
module V1 module V1
class JobsController < Api::V1::ApiController class JobsController < Api::V1::ApiController
before_action :set, only: %w[update_job update_job_skills] before_action :set, only: %w[update_job update_job_skills]
before_action :authorize, only: %w[update_job update_job_skills]
def all def all
render json: JobBlueprint.render(Job.all) render json: JobBlueprint.render(Job.all)
@ -165,6 +166,10 @@ module Api
end end
end end
def authorize
render_unauthorized_response if @party.user != current_user || @party.edit_key != edit_key
end
def set def set
@party = Party.where('id = ?', params[:id]).first @party = Party.where('id = ?', params[:id]).first
end end

9
app/controllers/api/v1/parties_controller.rb
View file

@ -6,6 +6,7 @@ module Api
before_action :set_from_slug, before_action :set_from_slug,
except: %w[create destroy update index favorites] except: %w[create destroy update index favorites]
before_action :set, only: %w[update destroy] before_action :set, only: %w[update destroy]
before_action :authorize, only: %w[update destroy]
def create def create
party = Party.new party = Party.new
@ -40,8 +41,6 @@ module Api
end end
def update def update
render_unauthorized_response if @party.user != current_user
@party.attributes = party_params.except(:skill1_id, :skill2_id, :skill3_id) @party.attributes = party_params.except(:skill1_id, :skill2_id, :skill3_id)
# TODO: Validate accessory with job # TODO: Validate accessory with job
@ -52,7 +51,6 @@ module Api
end end
def destroy def destroy
render_unauthorized_response if @party.user != current_user
return render json: PartyBlueprint.render(@party, view: :destroyed, root: :checkin) if @party.destroy return render json: PartyBlueprint.render(@party, view: :destroyed, root: :checkin) if @party.destroy
end end
@ -123,6 +121,10 @@ module Api
private private
def authorize
render_unauthorized_response if @character.party.user != current_user || @party.edit_key != edit_key
end
def build_conditions(params) def build_conditions(params)
unless params['recency'].blank? unless params['recency'].blank?
start_time = (DateTime.current - params['recency'].to_i.seconds) start_time = (DateTime.current - params['recency'].to_i.seconds)
@ -174,6 +176,7 @@ module Api
params.require(:party).permit( params.require(:party).permit(
:user_id, :user_id,
:local_id, :local_id,
:edit_key,
:extra, :extra,
:name, :name,
:description, :description,