5 files changed, 24 insertions, 13 deletions

diff --git a/server/src/routes/ui/admin/log.rs b/server/src/routes/ui/admin/log.rs
index de91acd..9e57bab 100644
--- a/server/src/routes/ui/admin/log.rs
+++ b/server/src/routes/ui/admin/log.rs
@@ -20,7 +20,7 @@ use std::{
     sync::{LazyLock, RwLock},
 };
 
-const MAX_LOG_LEN: usize = 4000;
+const MAX_LOG_LEN: usize = 4096;
 
 static LOGGER: LazyLock<Log> = LazyLock::new(Log::new);
 
diff --git a/server/src/routes/ui/assets.rs b/server/src/routes/ui/assets.rs
index b1a13da..05ddc7c 100644
--- a/server/src/routes/ui/assets.rs
+++ b/server/src/routes/ui/assets.rs
@@ -34,6 +34,7 @@ pub async fn r_item_assets(
         .get(&db, id)?
         .only_if_permitted(&session.user.permissions)
         .ok_or(anyhow!("node does not exist"))?;
+
     let mut asset = match role {
         AssetRole::Backdrop => node.private.backdrop,
         AssetRole::Poster => node.private.poster,
diff --git a/server/src/routes/ui/error.rs b/server/src/routes/ui/error.rs
index 98c6b7f..c0685e1 100644
--- a/server/src/routes/ui/error.rs
+++ b/server/src/routes/ui/error.rs
@@ -103,36 +103,38 @@ impl From<serde_json::Error> for MyError {
 }
 impl From<jellybase::database::CommitError> for MyError {
     fn from(err: jellybase::database::CommitError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!("database oopsie during commit: {err}"))
     }
 }
 impl From<jellybase::database::CompactionError> for MyError {
     fn from(err: jellybase::database::CompactionError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!("database oopsie during compaction: {err}"))
     }
 }
 impl From<jellybase::database::DatabaseError> for MyError {
     fn from(err: jellybase::database::DatabaseError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!("generic database oopsie: {err}"))
     }
 }
 impl From<jellybase::database::SavepointError> for MyError {
     fn from(err: jellybase::database::SavepointError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!(
+            "database oopsie during savepointing: {err}"
+        ))
     }
 }
 impl From<jellybase::database::StorageError> for MyError {
     fn from(err: jellybase::database::StorageError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!("database oopsie, storage error: {err}"))
     }
 }
 impl From<jellybase::database::TableError> for MyError {
     fn from(err: jellybase::database::TableError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!("database oopsie, table error: {err}"))
     }
 }
 impl From<jellybase::database::TransactionError> for MyError {
     fn from(err: jellybase::database::TransactionError) -> Self {
-        MyError(anyhow::anyhow!("{err}"))
+        MyError(anyhow::anyhow!("database oopsie during transaction: {err}"))
     }
 }
diff --git a/server/src/routes/ui/node.rs b/server/src/routes/ui/node.rs
index c055953..4b3f861 100644
--- a/server/src/routes/ui/node.rs
+++ b/server/src/routes/ui/node.rs
@@ -255,6 +255,7 @@ impl DatabaseNodeUserDataExt for DataAcid {
             id.to_owned(),
             T_NODE
                 .get(self, id)?
+                .only_if_permitted(&session.user.permissions)
                 .ok_or(anyhow!("node does not exist: {id}"))?
                 .public,
             T_USER_NODE
diff --git a/server/src/routes/userdata.rs b/server/src/routes/userdata.rs
index 8803bde..c113bb6 100644
--- a/server/src/routes/userdata.rs
+++ b/server/src/routes/userdata.rs
@@ -6,7 +6,10 @@
 use super::ui::{account::session::Session, error::MyResult, node::DatabaseNodeUserDataExt};
 use crate::routes::ui::node::rocket_uri_macro_r_library_node;
 use anyhow::anyhow;
-use jellybase::database::{DataAcid, ReadableTable, Ser, TableExt, T_NODE, T_USER_NODE};
+use jellybase::{
+    database::{DataAcid, ReadableTable, Ser, TableExt, T_NODE, T_USER_NODE},
+    permission::NodePermissionExt,
+};
 use jellycommon::user::{NodeUserData, WatchedState};
 use rocket::{
     get, post, response::Redirect, serde::json::Json, FromFormField, State, UriDisplayQuery,
@@ -36,9 +39,10 @@ pub async fn r_player_watched(
     id: &str,
     state: UrlWatchedState,
 ) -> MyResult<Redirect> {
-    T_NODE.get(db, id)?.ok_or(anyhow!("node does not exist"))?;
-
-    // let key = (session.user.name.clone(), id.to_owned());
+    T_NODE
+        .get(db, id)?
+        .only_if_permitted(&session.user.permissions)
+        .ok_or(anyhow!("node does not exist"))?;
 
     let txn = db.begin_write()?;
     let mut user_nodes = txn.open_table(T_USER_NODE)?;
@@ -68,7 +72,10 @@ pub async fn r_player_progress(
     id: &str,
     t: f64,
 ) -> MyResult<()> {
-    T_NODE.get(db, id)?.ok_or(anyhow!("node does not exist"))?;
+    T_NODE
+        .get(db, id)?
+        .only_if_permitted(&session.user.permissions)
+        .ok_or(anyhow!("node does not exist"))?;
 
     let txn = db.begin_write()?;
     let mut user_nodes = txn.open_table(T_USER_NODE)?;