fix(api): don't require '@me' string on own-system-only endpoints

2021-11-28 18:33:41 -05:00 · 2021-11-28 18:33:41 -05:00 · 318b9b5b66
commit 318b9b5b66
parent e85073665e
4 changed files with 42 additions and 26 deletions
--- a/PluralKit.API/Controllers/v2/DiscordControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/DiscordControllerV2.cs
@ -14,10 +14,13 @@ public class DiscordControllerV2: PKControllerBase
    public DiscordControllerV2(IServiceProvider svc) : base(svc) { }


-    [HttpGet("systems/@me/guilds/{guild_id}")]
-    public async Task<IActionResult> SystemGuildGet(ulong guild_id)
+    [HttpGet("systems/{systemRef}/guilds/{guild_id}")]
+    public async Task<IActionResult> SystemGuildGet(string systemRef, ulong guild_id)
    {
-        var system = await ResolveSystem("@me");
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        var settings = await _repo.GetSystemGuild(guild_id, system.Id, false);
        if (settings == null)
            throw Errors.SystemGuildNotFound;
@ -29,10 +32,13 @@ public class DiscordControllerV2: PKControllerBase
        return Ok(settings.ToJson(member?.Hid));
    }

-    [HttpPatch("systems/@me/guilds/{guild_id}")]
-    public async Task<IActionResult> DoSystemGuildPatch(ulong guild_id, [FromBody] JObject data)
+    [HttpPatch("systems/{systemRef}/guilds/{guild_id}")]
+    public async Task<IActionResult> DoSystemGuildPatch(string systemRef, ulong guild_id, [FromBody] JObject data)
    {
-        var system = await ResolveSystem("@me");
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        var settings = await _repo.GetSystemGuild(guild_id, system.Id, false);
        if (settings == null)
            throw Errors.SystemGuildNotFound;
--- a/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
@ -77,14 +77,16 @@ public class SwitchControllerV2: PKControllerBase
    }


-    [HttpPost("systems/@me/switches")]
-    public async Task<IActionResult> SwitchCreate([FromBody] PostSwitchParams data)
+    [HttpPost("systems/{systemRef}/switches")]
+    public async Task<IActionResult> SwitchCreate(string systemRef, [FromBody] PostSwitchParams data)
    {
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (data.Members.Distinct().Count() != data.Members.Count)
            throw Errors.DuplicateMembersInList;

-        var system = await ResolveSystem("@me");
-
        if (data.Timestamp != null && await _repo.GetSwitches(system.Id).Select(x => x.Timestamp)
                .ContainsAsync(data.Timestamp.Value))
            throw Errors.SameSwitchTimestampError;
@ -155,11 +157,15 @@ public class SwitchControllerV2: PKControllerBase
        });
    }

-    [HttpPatch("systems/@me/switches/{switchRef}")]
-    public async Task<IActionResult> SwitchPatch(string switchRef, [FromBody] JObject data)
+    [HttpPatch("systems/{systemRef}/switches/{switchRef}")]
+    public async Task<IActionResult> SwitchPatch(string systemRef, string switchRef, [FromBody] JObject data)
    {
        // for now, don't need to make a PatchObject for this, since it's only one param

+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (!Guid.TryParse(switchRef, out var switchId))
            throw Errors.InvalidSwitchId;

@ -169,10 +175,6 @@ public class SwitchControllerV2: PKControllerBase

        var value = Instant.FromDateTimeOffset(DateTime.Parse(valueStr).ToUniversalTime());

-        var system = await ResolveSystem("@me");
-        if (system == null)
-            throw Errors.SystemNotFound;
-
        var sw = await _repo.GetSwitchByUuid(switchId);
        if (sw == null || system.Id != sw.System)
            throw Errors.SwitchNotFoundPublic;
@ -191,15 +193,18 @@ public class SwitchControllerV2: PKControllerBase
        });
    }

-    [HttpPatch("systems/@me/switches/{switchRef}/members")]
-    public async Task<IActionResult> SwitchMemberPatch(string switchRef, [FromBody] JArray data)
+    [HttpPatch("systems/{systemRef}/switches/{switchRef}/members")]
+    public async Task<IActionResult> SwitchMemberPatch(string systemRef, string switchRef, [FromBody] JArray data)
    {
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (!Guid.TryParse(switchRef, out var switchId))
+            throw Errors.SwitchNotFound;

-            if (data.Distinct().Count() != data.Count)
-                throw Errors.DuplicateMembersInList;
-
-        var system = await ResolveSystem("@me");
+        if (data.Distinct().Count() != data.Count)
+            throw Errors.DuplicateMembersInList;

        var sw = await _repo.GetSwitchByUuid(switchId);
        if (sw == null)
@ -235,13 +240,16 @@ public class SwitchControllerV2: PKControllerBase
        });
    }

-    [HttpDelete("systems/@me/switches/{switchRef}")]
-    public async Task<IActionResult> SwitchDelete(string switchRef)
+    [HttpDelete("systems/{systemRef}/switches/{switchRef}")]
+    public async Task<IActionResult> SwitchDelete(string systemRef, string switchRef)
    {
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (!Guid.TryParse(switchRef, out var switchId))
            throw Errors.InvalidSwitchId;

-        var system = await ResolveSystem("@me");
        var sw = await _repo.GetSwitchByUuid(switchId);
        if (sw == null || system.Id != sw.System)
            throw Errors.SwitchNotFoundPublic;
--- a/PluralKit.API/Errors.cs
+++ b/PluralKit.API/Errors.cs
@ -72,6 +72,7 @@ public static class Errors
 {
    public static PKError GenericBadRequest = new(400, 0, "400: Bad Request");
    public static PKError GenericAuthError = new(401, 0, "401: Missing or invalid Authorization header");
+    public static PKError GenericMissingPermissions = new(403, 0, "403: Missing permissions to access this resource");

    public static PKError SystemNotFound = new(404, 20001, "System not found.");
    public static PKError MemberNotFound = new(404, 20002, "Member not found.");
--- a/docs/content/api/endpoints.md
+++ b/docs/content/api/endpoints.md
@ -204,7 +204,8 @@ Takes an array of member references as input. (An empty list is accepted.) Retur
 ---
 ## Switches

-*`switchRef` must be a switch's UUID. On POST/PATCH/DELETE endpoints, `systemRef` must be `@me`.*
+*`switchRef` must be a switch's UUID. `systemRef` can be a system's short (5-character) ID, a system's UUID, the ID of a Discord account linked to the system, or the string `@me` to refer to the currently authenticated system.*
+

 ### Get System Switches