authormetamuffin <metamuffin@disroot.org>2025-05-31 03:26:45 +0200
committermetamuffin <metamuffin@disroot.org>2025-05-31 03:26:45 +0200
commit3e834092ba230ee081065a3b80ad227d585b5a13 (patch)
treeb168d1524045716e6922c137f1ad92bdf3f47994 /server
parent3b15caade07e8fbe351fed9aceb3f435bf58368e (diff)
get rid of admin session; checking manually instead
Diffstat (limited to 'server')
-rw-r--r--server/src/api.rs9
-rw-r--r--server/src/helper/session.rs27
-rw-r--r--server/src/ui/admin/log.rs15
-rw-r--r--server/src/ui/admin/mod.rs30
-rw-r--r--server/src/ui/admin/user.rs22
5 files changed, 46 insertions, 57 deletions
diff --git a/server/src/api.rs b/server/src/api.rs
index d983548..4fecfb6 100644
--- a/server/src/api.rs
+++ b/server/src/api.rs
@@ -7,11 +7,7 @@ use super::ui::error::MyResult;
use crate::helper::{accept::AcceptJson, language::AcceptLanguage, A};
use jellycommon::{user::CreateSessionParams, NodeID};
use jellyimport::asset_token::AssetInner;
-use jellylogic::{
- login::login_logic,
- node::get_nodes_modified_since,
- session::{AdminSession, Session},
-};
+use jellylogic::{login::login_logic, node::get_nodes_modified_since, session::Session};
use jellyui::locale::get_translation_table;
use rocket::{get, post, response::Redirect, serde::json::Json, Either};
use serde_json::{json, Value};
@@ -60,7 +56,8 @@ pub fn r_api_account_login(data: Json<CreateSessionParams>) -> MyResult<Value> {
}
#[get("/api/asset_token_raw/<token>")]
-pub fn r_api_asset_token_raw(_admin: A<AdminSession>, token: &str) -> MyResult<Json<AssetInner>> {
+pub fn r_api_asset_token_raw(session: A<Session>, token: &str) -> MyResult<Json<AssetInner>> {
+ session.0.assert_admin()?;
Ok(Json(AssetInner::deser(token)?))
}
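Review bot: The admin requirement on `r_api_asset_token_raw` now lives only in the first statement of the body, so the signature no longer shows a reader or the compiler that the route is privileged; the same holds for every handler converted in `ui/admin/` in this commit. I would add a doc comment on each, e.g. `/// Admin only: enforced by the assert_admin() call at the top of the body.`, and a route test asserting that a non-admin session is rejected. `assert_admin` is defined outside this diff, so confirm that its error still maps to an unauthorized or forbidden status through `MyResult`, as the removed guard's `Status::Unauthorized` did.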
diff --git a/server/src/helper/session.rs b/server/src/helper/session.rs
index 090330b..1417df0 100644
--- a/server/src/helper/session.rs
+++ b/server/src/helper/session.rs
@@ -6,7 +6,7 @@
use super::A;
use crate::ui::error::MyError;
use anyhow::anyhow;
-use jellylogic::session::{bypass_auth_session, token_to_session, AdminSession, Session};
+use jellylogic::session::{bypass_auth_session, token_to_session, Session};
use log::warn;
use rocket::{
async_trait,
@@ -65,28 +65,3 @@ impl<'r> FromRequest<'r> for A<Session> {
}
}
}
-
-#[async_trait]
-impl<'r> FromRequest<'r> for A<AdminSession> {
- type Error = MyError;
- async fn from_request<'life0>(
- request: &'r Request<'life0>,
- ) -> request::Outcome<Self, Self::Error> {
- match session_from_request(request).await {
- Ok(x) => {
- if x.user.admin {
- Outcome::Success(A(AdminSession(x)))
- } else {
- Outcome::Error((
- Status::Unauthorized,
- MyError(anyhow!("you are not an admin")),
- ))
- }
- }
- Err(e) => {
- warn!("authentificated route rejected: {e:?}");
- Outcome::Forward(Status::Unauthorized)
- }
- }
- }
-}
diff --git a/server/src/ui/admin/log.rs b/server/src/ui/admin/log.rs
index f0a85f2..c26b697 100644
--- a/server/src/ui/admin/log.rs
+++ b/server/src/ui/admin/log.rs
@@ -10,7 +10,7 @@ use crate::{
use jellyimport::is_importing;
use jellylogic::{
admin::log::{get_log_buffer, get_log_stream},
- session::AdminSession,
+ session::Session,
};
use jellyui::{
admin::log::{render_log_line, ServerLogPage},
@@ -23,10 +23,11 @@ use serde_json::json;
#[get("/admin/log?<warnonly>", rank = 2)]
pub fn r_admin_log<'a>(
- session: A<AdminSession>,
+ session: A<Session>,
warnonly: bool,
lang: AcceptLanguage,
) -> MyResult<RawHtml<String>> {
+ session.0.assert_admin()?;
let AcceptLanguage(lang) = lang;
let messages = get_log_buffer(warnonly)
.into_iter()
@@ -40,7 +41,7 @@ pub fn r_admin_log<'a>(
RenderInfo {
importing: is_importing(),
session: Some(SessionInfo {
- user: session.0 .0.user,
+ user: session.0.user,
}),
},
lang,
@@ -49,14 +50,18 @@ pub fn r_admin_log<'a>(
#[get("/admin/log?stream&<warnonly>&<html>", rank = 1)]
pub fn r_admin_log_stream(
- _session: A<AdminSession>,
+ session: A<Session>,
ws: WebSocket,
warnonly: bool,
html: bool,
) -> Stream!['static] {
+ // TODO type problems
+ let ok = session.0.assert_admin().is_ok();
let mut stream = get_log_stream(warnonly);
Stream! { ws =>
- if html {
+ if !ok {
+ yield Message::Text("unauthorized".to_string());
+ } else if html {
let _ = ws;
while let Ok(line) = stream.recv().await {
yield Message::Text(render_log_line(&line));
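Review bot: `get_log_stream(warnonly)` on the line after `let ok = …` runs before the admin result is consulted, so a non-admin session still gets a log receiver created and a completed WebSocket upgrade, and only then receives the text `unauthorized`. The removed `A<AdminSession>` guard rejected such requests before the handler body ran. Until the type issue in the TODO is resolved, create the receiver only on the admin path, e.g. move `let mut stream = get_log_stream(warnonly);` inside the branches of the `Stream!` body that run when `ok` is true, and consider logging the denial so refused attempts on the log stream are visible. The rest of the `Stream!` body lies outside this hunk, so whether the connection closes after the `unauthorized` message cannot be checked here.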
diff --git a/server/src/ui/admin/mod.rs b/server/src/ui/admin/mod.rs
index e3eb2d6..4e07afb 100644
--- a/server/src/ui/admin/mod.rs
+++ b/server/src/ui/admin/mod.rs
@@ -7,7 +7,7 @@ pub mod log;
pub mod user;
use super::error::MyResult;
-use crate::helper::{language::AcceptLanguage, A};
+use crate::helper::{language::AcceptLanguage, RequestInfo, A};
use jellycommon::routes::u_admin_dashboard;
use jellyimport::is_importing;
use jellylogic::{
@@ -15,25 +15,27 @@ use jellylogic::{
create_invite, delete_invite, do_import, get_import_errors, list_invites,
update_search_index,
},
- session::AdminSession,
+ session::Session,
};
use jellyui::{
admin::AdminDashboardPage,
+ locale::tr,
render_page,
scaffold::{RenderInfo, SessionInfo},
};
use rocket::{
form::Form,
get, post,
- response::{content::RawHtml, Redirect},
+ response::{content::RawHtml, Flash, Redirect},
FromForm,
};
#[get("/admin/dashboard")]
pub async fn r_admin_dashboard(
- session: A<AdminSession>,
+ session: A<Session>,
lang: AcceptLanguage,
) -> MyResult<RawHtml<String>> {
+ session.0.assert_admin()?;
let AcceptLanguage(lang) = lang;
let flash = None;
@@ -57,7 +59,7 @@ pub async fn r_admin_dashboard(
RenderInfo {
importing: is_importing(),
session: Some(SessionInfo {
- user: session.0 .0.user,
+ user: session.0.user,
}),
},
lang,
@@ -65,9 +67,12 @@ pub async fn r_admin_dashboard(
}
#[post("/admin/generate_invite")]
-pub async fn r_admin_invite(session: A<AdminSession>) -> MyResult<Redirect> {
- let _ = create_invite(&session.0)?;
- Ok(Redirect::temporary(u_admin_dashboard()))
+pub async fn r_admin_invite(ri: RequestInfo) -> MyResult<Flash<Redirect>> {
+ let i = create_invite(&ri.session)?;
+ Ok(Flash::success(
+ Redirect::to(u_admin_dashboard()),
+ tr(ri.lang, "admin.invite_create_success").replace("{invite}", &i),
+ ))
}
#[derive(FromForm)]
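Review bot: `r_admin_invite` is the only converted admin handler in this commit without an explicit `assert_admin()` call; it passes `ri.session` straight to `create_invite`. Neither the `RequestInfo` guard nor `create_invite` is shown in this diff, so unless one of them enforces the admin flag, any logged-in user could create invites. Add `ri.session.assert_admin()?;` as the first statement (assuming `ri.session` is the same `Session` type), matching `r_admin_remove_invite` in the next hunk. The invite code is also now carried in the flash message via `Flash::success`, so confirm that the page rendering the flash escapes it.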
@@ -77,21 +82,24 @@ pub struct DeleteInvite {
#[post("/admin/remove_invite", data = "<form>")]
pub async fn r_admin_remove_invite(
- session: A<AdminSession>,
+ session: A<Session>,
form: Form<DeleteInvite>,
) -> MyResult<Redirect> {
+ session.0.assert_admin()?;
delete_invite(&session.0, &form.invite)?;
Ok(Redirect::temporary(u_admin_dashboard()))
}
#[post("/admin/import?<incremental>")]
-pub async fn r_admin_import(session: A<AdminSession>, incremental: bool) -> MyResult<Redirect> {
+pub async fn r_admin_import(session: A<Session>, incremental: bool) -> MyResult<Redirect> {
+ session.0.assert_admin()?;
do_import(&session.0, incremental).await?.1?;
Ok(Redirect::temporary(u_admin_dashboard()))
}
#[post("/admin/update_search")]
-pub async fn r_admin_update_search(session: A<AdminSession>) -> MyResult<Redirect> {
+pub async fn r_admin_update_search(session: A<Session>) -> MyResult<Redirect> {
+ session.0.assert_admin()?;
update_search_index(&session.0).await?;
Ok(Redirect::temporary(u_admin_dashboard()))
}
diff --git a/server/src/ui/admin/user.rs b/server/src/ui/admin/user.rs
index 27d5256..e8dc332 100644
--- a/server/src/ui/admin/user.rs
+++ b/server/src/ui/admin/user.rs
@@ -12,7 +12,7 @@ use jellycommon::user::UserPermission;
use jellyimport::is_importing;
use jellylogic::{
admin::user::{admin_users, delete_user, get_user, update_user_perms, GrantState},
- session::AdminSession,
+ session::Session,
};
use jellyui::{
admin::user::{AdminUserPage, AdminUsersPage},
@@ -22,7 +22,8 @@ use jellyui::{
use rocket::{form::Form, get, post, response::content::RawHtml, FromForm, FromFormField};
#[get("/admin/users")]
-pub fn r_admin_users(session: A<AdminSession>, lang: AcceptLanguage) -> MyResult<RawHtml<String>> {
+pub fn r_admin_users(session: A<Session>, lang: AcceptLanguage) -> MyResult<RawHtml<String>> {
+ session.0.assert_admin()?;
let AcceptLanguage(lang) = lang;
let r = admin_users(&session.0)?;
Ok(RawHtml(render_page(
@@ -34,7 +35,7 @@ pub fn r_admin_users(session: A<AdminSession>, lang: AcceptLanguage) -> MyResult
RenderInfo {
importing: is_importing(),
session: Some(SessionInfo {
- user: session.0 .0.user,
+ user: session.0.user,
}),
},
lang,
@@ -43,10 +44,11 @@ pub fn r_admin_users(session: A<AdminSession>, lang: AcceptLanguage) -> MyResult
#[get("/admin/user/<name>")]
pub fn r_admin_user<'a>(
- session: A<AdminSession>,
+ session: A<Session>,
name: &'a str,
lang: AcceptLanguage,
) -> MyResult<RawHtml<String>> {
+ session.0.assert_admin()?;
let AcceptLanguage(lang) = lang;
let user = get_user(&session.0, name)?;
@@ -59,7 +61,7 @@ pub fn r_admin_user<'a>(
RenderInfo {
importing: is_importing(),
session: Some(SessionInfo {
- user: session.0 .0.user,
+ user: session.0.user,
}),
},
lang,
@@ -81,11 +83,12 @@ pub enum UrlGrantState {
#[post("/admin/user/<name>/update_permission", data = "<form>")]
pub fn r_admin_user_permission(
- session: A<AdminSession>,
+ session: A<Session>,
form: Form<UserPermissionForm>,
name: &str,
lang: AcceptLanguage,
) -> MyResult<RawHtml<String>> {
+ session.0.assert_admin()?;
let AcceptLanguage(lang) = lang;
let perm = serde_json::from_str::<UserPermission>(&form.permission)
.context("parsing provided permission")?;
@@ -112,7 +115,7 @@ pub fn r_admin_user_permission(
RenderInfo {
importing: is_importing(),
session: Some(SessionInfo {
- user: session.0 .0.user,
+ user: session.0.user,
}),
},
lang,
@@ -121,10 +124,11 @@ pub fn r_admin_user_permission(
#[post("/admin/<name>/remove")]
pub fn r_admin_remove_user(
- session: A<AdminSession>,
+ session: A<Session>,
name: &str,
lang: AcceptLanguage,
) -> MyResult<RawHtml<String>> {
+ session.0.assert_admin()?;
let AcceptLanguage(lang) = lang;
delete_user(&session.0, name)?;
let r = admin_users(&session.0)?;
@@ -138,7 +142,7 @@ pub fn r_admin_remove_user(
RenderInfo {
importing: is_importing(),
session: Some(SessionInfo {
- user: session.0 .0.user,
+ user: session.0.user,
}),
},
lang,