version visibility checks

2025-02-17 15:01:42 +08:00 · 2020-09-06 21:33:19 -07:00 · 2020-09-06 21:33:19 -07:00 · 97cef3416e
commit 97cef3416e
parent 9560392516
6 changed files with 60 additions and 40 deletions
--- a/docker/docker-compose.yml
+++ b/docker/docker-compose.yml
@ -10,6 +10,7 @@ services:
    - "8080:8080"
    volumes:
    - ../:/app
+    - uploads:/uploads
    working_dir: /app
    depends_on:
      - 'db'
@ -94,7 +95,6 @@ services:
      DB_USER: "hangarauth"
      DB_PASSWORD: "hangarauth"
      DB_HOST: "db"
-      APP_HOST: "http://localhost:8080"
      SSO_ENDPOINT_hangar: "{ 'sync_sso_endpoint': ('http://app:8080/api/sync_sso'), 'sso_secret': 'changeme', 'api_key': 'changeme' }"
      DEBUG: "true"
      DJANGO_SETTINGS_MODULE: "spongeauth.settings.prod"
--- a/docker/hangar/Dockerfile
+++ b/docker/hangar/Dockerfile
@ -4,9 +4,10 @@ LABEL maintainer="Yannick Lamprecht <yannicklamprecht@live.de>"

 RUN set -x && \
    addgroup -g 1000 appuser && \
-    adduser -u 1000 -D -G appuser appuser
-
-RUN apk add yarn
+    adduser -u 1000 -D -G appuser appuser && \
+    mkdir /uploads && \
+    chown appuser:appuser /uploads && \
+    apk add yarn

 ENV TERM xterm-256color
 #
--- a/docker/hangar/application.yml
+++ b/docker/hangar/application.yml
@ -31,6 +31,7 @@ hangar:
  log-timings: false
  auth-url: "http://localhost:8000"
  base-url: "http://localhost:8080"
+  plugin-upload-dir: "/uploads"

  sponsors:
    - name: Beer
--- a/src/main/java/io/papermc/hangar/controller/UsersController.java
+++ b/src/main/java/io/papermc/hangar/controller/UsersController.java
@ -211,7 +211,7 @@ public class UsersController extends HangarController {
    @PostMapping("/verify")
    public ModelAndView verify(@RequestParam String returnPath, RedirectAttributes attributes) {
        try {
-            return redirectToSso(ssoService.getVerifyUrl(returnPath), attributes);
+            return redirectToSso(ssoService.getVerifyUrl(hangarConfig.getBaseUrl() + returnPath), attributes);
        } catch (HangarException e) {
            AlertUtil.showAlert(attributes, AlertUtil.AlertType.ERROR, e.getMessageKey(), e.getArgs());
            return Routes.SHOW_HOME.getRedirect();
--- a/src/main/java/io/papermc/hangar/controller/VersionsController.java
+++ b/src/main/java/io/papermc/hangar/controller/VersionsController.java
@ -64,7 +64,6 @@ import org.springframework.web.multipart.MultipartFile;
 import org.springframework.web.server.ResponseStatusException;
 import org.springframework.web.servlet.ModelAndView;
 import org.springframework.web.servlet.mvc.support.RedirectAttributes;
-import org.springframework.web.servlet.view.RedirectView;
 import org.springframework.web.util.WebUtils;

 import javax.servlet.http.Cookie;
@ -133,24 +132,25 @@ public class VersionsController extends HangarController {
    @GetMapping(value = "/api/project/{pluginId}/versions/recommended/download", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
    @ResponseBody
    public Object downloadRecommendedJarById(@PathVariable String pluginId, @RequestParam(required = false) String token) {
-        Long recommendedVersionId = projectsTable.get().getRecommendedVersionId();
-        if (recommendedVersionId == null) {
+        ProjectsTable project = projectsTable.get();
+        ProjectVersionsTable recommendedVersion = versionService.getRecommendedVersion(project);
+        if (recommendedVersion == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        } else {
-            ProjectVersionsTable versionsTable = versionService.getVersion(projectsTable.get().getId(), recommendedVersionId);// TODO we need to check visibility here, the query currently doesnt do that
-            return sendVersion(projectsTable.get(), versionsTable, token, true);
+            return sendJar(project, recommendedVersion, token, true);
        }
    }

    @GetMapping(value = "/api/project/{pluginId}/versions/{name}/download", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
    @ResponseBody
-    public Object downloadJarById(@PathVariable String pluginId, @PathVariable String name, @RequestParam(required = false) String token) {
-        ProjectVersionsTable versionsTable = versionService.getVersion(projectsTable.get().getId(), name);// TODO we need to check visibility here, the query currently doesnt do that
-        if (token != null) {
-            // TODO  confirmDownload0(version.id, Some(DownloadType.JarFile.value), Some(token)).orElseFail(notFound) *>
-            return sendJar(projectsTable.get(), versionsTable, token, true);
+    public Object downloadJarById(@PathVariable String pluginId, @PathVariable String name, @RequestParam Optional<String> token) {
+        ProjectsTable project = projectsTable.get();
+        ProjectVersionsTable pvt = projectVersionsTable.get();
+        if (token.isPresent()) {
+            confirmDownload0(DownloadType.JAR_FILE, token);
+            return sendJar(project, pvt, token.get(), true);
        } else {
-            return sendJar(projectsTable.get(), versionsTable, null, true);
+            return sendJar(project, pvt, token.orElse(null), true);
        }
    }

@ -242,24 +242,24 @@ public class VersionsController extends HangarController {
    @GetMapping(value = "/{author}/{slug}/versions/recommended/download", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
    @ResponseBody
    public Object downloadRecommended(@PathVariable String author, @PathVariable String slug, @RequestParam(required = false) String token) {
-        Long recommendedVersionId = projectsTable.get().getRecommendedVersionId();
-        if (recommendedVersionId == null) {
+        ProjectsTable project = projectsTable.get();
+        ProjectVersionsTable recommendedVersion = versionService.getRecommendedVersion(project);
+        if (recommendedVersion == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        } else {
-            ProjectVersionsTable versionsTable = versionService.getVersion(projectsTable.get().getId(), recommendedVersionId);// TODO we need to check visibility here, the query currently doesnt do that
-            return sendVersion(projectsTable.get(), versionsTable, token, false);
+            return sendVersion(project, recommendedVersion, token, false);
        }
    }

    @GetMapping(value = "/{author}/{slug}/versions/recommended/jar", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
    @ResponseBody
    public Object downloadRecommendedJar(@PathVariable String author, @PathVariable String slug, @RequestParam(required = false) String token) {
-        Long recommendedVersionId = projectsTable.get().getRecommendedVersionId();
-        if (recommendedVersionId == null) {
+        ProjectsTable project = projectsTable.get();
+        ProjectVersionsTable recommendedVersion = versionService.getRecommendedVersion(project);
+        if (recommendedVersion == null) {
            throw new ResponseStatusException(HttpStatus.NOT_FOUND);
        } else {
-            ProjectVersionsTable versionsTable = versionService.getVersion(projectsTable.get().getId(), recommendedVersionId);// TODO we need to check visibility here, the query currently doesnt do that
-            return sendJar(projectsTable.get(), versionsTable, token, false);
+            return sendJar(project, recommendedVersion, token, false);
        }
    }

@ -512,8 +512,7 @@ public class VersionsController extends HangarController {
    @GetMapping(value = "/{author}/{slug}/versions/{version}/download", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
    @ResponseBody
    public Object download(@PathVariable String author, @PathVariable String slug, @PathVariable String version, @RequestParam(required = false) String token, @RequestParam(defaultValue = "false") boolean confirm) {
-        ProjectVersionsTable versionsTable = versionService.getVersion(projectsTable.get().getId(), version);// TODO we need to check visibility here, the query currently doesnt do that
-        return sendVersion(projectsTable.get(), versionsTable, token, confirm);
+        return sendVersion(projectsTable.get(), projectVersionsTable.get(), token, confirm);
    }

    private Object sendVersion(ProjectsTable project, ProjectVersionsTable version, String token, boolean confirm) {
@ -590,8 +589,7 @@ public class VersionsController extends HangarController {
    @GetMapping(value = "/{author}/{slug}/versions/{version}/jar", produces = MediaType.APPLICATION_OCTET_STREAM_VALUE)
    @ResponseBody
    public Object downloadJar(@PathVariable String author, @PathVariable String slug, @PathVariable String version, @RequestParam(required = false) String token) {
-        ProjectVersionsTable versionsTable = versionService.getVersion(projectsTable.get().getId(), version);// TODO we need to check visibility here, the query currently doesnt do that
-        return sendJar(projectsTable.get(), versionsTable, token, false);
+        return sendJar(projectsTable.get(), projectVersionsTable.get(), token, false);
    }

    private Object sendJar(ProjectsTable project, ProjectVersionsTable version, String token, boolean api) {
@ -601,13 +599,14 @@ public class VersionsController extends HangarController {
            boolean passed = checkConfirmation(version, token);

            if (!passed) {
-                return new RedirectView(Routes.getRouteUrlOf("versions.showDownloadConfirm",
+                return Routes.VERSIONS_SHOW_DOWNLOAD_CONFIRM.getRedirect(
                        project.getOwnerName(),
                        project.getSlug(),
                        version.getVersionString(),
                        DownloadType.JAR_FILE.ordinal() + "",
                        api + "",
-                        null));
+                        null
+                );
            } else {
                String fileName = version.getFileName();
                Path path = projectFiles.getVersionDir(project.getOwnerName(), project.getName(), version.getVersionString()).resolve(fileName);
--- a/src/main/java/io/papermc/hangar/service/VersionService.java
+++ b/src/main/java/io/papermc/hangar/service/VersionService.java
@ -9,6 +9,8 @@ import io.papermc.hangar.db.model.ProjectVersionTagsTable;
 import io.papermc.hangar.db.model.ProjectVersionVisibilityChangesTable;
 import io.papermc.hangar.db.model.ProjectVersionsTable;
 import io.papermc.hangar.db.model.ProjectsTable;
+import io.papermc.hangar.db.model.UsersTable;
+import io.papermc.hangar.model.Permission;
 import io.papermc.hangar.model.TagColor;
 import io.papermc.hangar.model.Visibility;
 import io.papermc.hangar.model.generated.Dependency;
@ -37,7 +39,7 @@ import java.util.Set;
 import java.util.function.Supplier;

@Service
-public class VersionService {
+public class VersionService extends HangarService {

    private final HangarDao<ProjectVersionDao> versionDao;
    private final HangarDao<ProjectDao> projectDao;
@ -45,17 +47,19 @@ public class VersionService {
    private final ProjectService projectService;
    private final ChannelService channelService;
    private final UserService userService;
+    private final PermissionService permissionService;

    private final HttpServletRequest request;

    @Autowired
-    public VersionService(HangarDao<ProjectVersionDao> versionDao, HangarDao<ProjectDao> projectDao, HangarDao<VisibilityDao> visibilityDao, ProjectService projectService, ChannelService channelService, UserService userService, HttpServletRequest request) {
+    public VersionService(HangarDao<ProjectVersionDao> versionDao, HangarDao<ProjectDao> projectDao, HangarDao<VisibilityDao> visibilityDao, ProjectService projectService, ChannelService channelService, UserService userService, PermissionService permissionService, HttpServletRequest request) {
        this.versionDao = versionDao;
        this.projectDao = projectDao;
        this.visibilityDao = visibilityDao;
        this.projectService = projectService;
        this.channelService = channelService;
        this.userService = userService;
+        this.permissionService = permissionService;
        this.request = request;
    }

@ -63,14 +67,21 @@ public class VersionService {
    @RequestScope
    public Supplier<ProjectVersionsTable> projectVersionsTable() {
        Map<String, String> pathParams = RequestUtil.getPathParams(request);
-        if (!pathParams.keySet().containsAll(Set.of("author", "slug", "version"))) {
-            return () -> null;
-        } else {
+        if (pathParams.keySet().containsAll(Set.of("pluginId", "name"))) {
+            ProjectsTable project = projectService.projectsTable().get();
+            ProjectVersionsTable pvt = this.getVersion(project.getId(), pathParams.get("name"));
+            if (pvt == null) {
+                throw new ResponseStatusException(HttpStatus.NOT_FOUND);
+            }
+            return () -> pvt;
+        } else if (pathParams.keySet().containsAll(Set.of("author", "slug", "version"))) {
            ProjectVersionsTable pvt = this.getVersion(pathParams.get("author"), pathParams.get("slug"), pathParams.get("version"));
            if (pvt == null) {
                throw new ResponseStatusException(HttpStatus.NOT_FOUND);
            }
            return () -> pvt;
+        } else {
+            return () -> null;
        }
    }

@ -81,17 +92,25 @@ public class VersionService {
        return () -> this.getVersionData(projectService.projectData().get(), projectVersionsTable().get());
    }

-    public ProjectVersionsTable getVersion(long projectId, String versionString) {
-        return versionDao.get().getProjectVersion(projectId, "", versionString);
+    public ProjectVersionsTable getRecommendedVersion(ProjectsTable project) {
+        if (project.getRecommendedVersionId() == null) {
+            return null;
+        }
+        return versionDao.get().getProjectVersion(project.getId(), "", project.getRecommendedVersionId());
    }

-    public ProjectVersionsTable getVersion(long projectId, long versionId) {
-        return versionDao.get().getProjectVersion(projectId, "", versionId);
+    public ProjectVersionsTable getVersion(long projectId, String versionString) {
+        Permission perms = permissionService.getProjectPermissions(currentUser.get().map(UsersTable::getId).orElse(-10L), projectId);
+        ProjectVersionsTable pvt = versionDao.get().getProjectVersion(projectId, "", versionString);
+        if (!perms.has(Permission.SeeHidden) && !perms.has(Permission.IsProjectMember) && pvt.getVisibility() != Visibility.PUBLIC) {
+            return null;
+        }
+        return pvt;
    }

    public ProjectVersionsTable getVersion(String author, String slug, String versionString) {
        ProjectsTable projectsTable = projectDao.get().getBySlug(author, slug);
-        return versionDao.get().getProjectVersion(projectsTable.getId(), null, versionString);
+        return getVersion(projectsTable.getId(), versionString);
    }

    public void update(ProjectVersionsTable projectVersionsTable) {