fix(api): don't require '@me' string on own-system-only endpoints

2021-11-28 18:33:41 -05:00
parent e85073665e
commit 318b9b5b66
4 changed files with 42 additions and 26 deletions
--- a/PluralKit.API/Controllers/v2/DiscordControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/DiscordControllerV2.cs
@@ -14,10 +14,13 @@ public class DiscordControllerV2: PKControllerBase
    public DiscordControllerV2(IServiceProvider svc) : base(svc) { }


-    [HttpGet("systems/@me/guilds/{guild_id}")]
-    public async Task<IActionResult> SystemGuildGet(ulong guild_id)
+    [HttpGet("systems/{systemRef}/guilds/{guild_id}")]
+    public async Task<IActionResult> SystemGuildGet(string systemRef, ulong guild_id)
    {
-        var system = await ResolveSystem("@me");
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        var settings = await _repo.GetSystemGuild(guild_id, system.Id, false);
        if (settings == null)
            throw Errors.SystemGuildNotFound;
@@ -29,10 +32,13 @@ public class DiscordControllerV2: PKControllerBase
        return Ok(settings.ToJson(member?.Hid));
    }

-    [HttpPatch("systems/@me/guilds/{guild_id}")]
-    public async Task<IActionResult> DoSystemGuildPatch(ulong guild_id, [FromBody] JObject data)
+    [HttpPatch("systems/{systemRef}/guilds/{guild_id}")]
+    public async Task<IActionResult> DoSystemGuildPatch(string systemRef, ulong guild_id, [FromBody] JObject data)
    {
-        var system = await ResolveSystem("@me");
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        var settings = await _repo.GetSystemGuild(guild_id, system.Id, false);
        if (settings == null)
            throw Errors.SystemGuildNotFound;
--- a/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
+++ b/PluralKit.API/Controllers/v2/SwitchControllerV2.cs
@@ -77,14 +77,16 @@ public class SwitchControllerV2: PKControllerBase
    }


-    [HttpPost("systems/@me/switches")]
-    public async Task<IActionResult> SwitchCreate([FromBody] PostSwitchParams data)
+    [HttpPost("systems/{systemRef}/switches")]
+    public async Task<IActionResult> SwitchCreate(string systemRef, [FromBody] PostSwitchParams data)
    {
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (data.Members.Distinct().Count() != data.Members.Count)
            throw Errors.DuplicateMembersInList;

-        var system = await ResolveSystem("@me");
-
        if (data.Timestamp != null && await _repo.GetSwitches(system.Id).Select(x => x.Timestamp)
                .ContainsAsync(data.Timestamp.Value))
            throw Errors.SameSwitchTimestampError;
@@ -155,11 +157,15 @@ public class SwitchControllerV2: PKControllerBase
        });
    }

-    [HttpPatch("systems/@me/switches/{switchRef}")]
-    public async Task<IActionResult> SwitchPatch(string switchRef, [FromBody] JObject data)
+    [HttpPatch("systems/{systemRef}/switches/{switchRef}")]
+    public async Task<IActionResult> SwitchPatch(string systemRef, string switchRef, [FromBody] JObject data)
    {
        // for now, don't need to make a PatchObject for this, since it's only one param

+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (!Guid.TryParse(switchRef, out var switchId))
            throw Errors.InvalidSwitchId;

@@ -169,10 +175,6 @@ public class SwitchControllerV2: PKControllerBase

        var value = Instant.FromDateTimeOffset(DateTime.Parse(valueStr).ToUniversalTime());

-        var system = await ResolveSystem("@me");
-        if (system == null)
-            throw Errors.SystemNotFound;
-
        var sw = await _repo.GetSwitchByUuid(switchId);
        if (sw == null || system.Id != sw.System)
            throw Errors.SwitchNotFoundPublic;
@@ -191,15 +193,18 @@ public class SwitchControllerV2: PKControllerBase
        });
    }

-    [HttpPatch("systems/@me/switches/{switchRef}/members")]
-    public async Task<IActionResult> SwitchMemberPatch(string switchRef, [FromBody] JArray data)
+    [HttpPatch("systems/{systemRef}/switches/{switchRef}/members")]
+    public async Task<IActionResult> SwitchMemberPatch(string systemRef, string switchRef, [FromBody] JArray data)
    {
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (!Guid.TryParse(switchRef, out var switchId))
+            throw Errors.SwitchNotFound;

-            if (data.Distinct().Count() != data.Count)
-                throw Errors.DuplicateMembersInList;
-
-        var system = await ResolveSystem("@me");
+        if (data.Distinct().Count() != data.Count)
+            throw Errors.DuplicateMembersInList;

        var sw = await _repo.GetSwitchByUuid(switchId);
        if (sw == null)
@@ -235,13 +240,16 @@ public class SwitchControllerV2: PKControllerBase
        });
    }

-    [HttpDelete("systems/@me/switches/{switchRef}")]
-    public async Task<IActionResult> SwitchDelete(string switchRef)
+    [HttpDelete("systems/{systemRef}/switches/{switchRef}")]
+    public async Task<IActionResult> SwitchDelete(string systemRef, string switchRef)
    {
+        var system = await ResolveSystem(systemRef);
+        if (ContextFor(system) != LookupContext.ByOwner)
+            throw Errors.GenericMissingPermissions;
+
        if (!Guid.TryParse(switchRef, out var switchId))
            throw Errors.InvalidSwitchId;

-        var system = await ResolveSystem("@me");
        var sw = await _repo.GetSwitchByUuid(switchId);
        if (sw == null || system.Id != sw.System)
            throw Errors.SwitchNotFoundPublic;