feat: allow suspended *and* self-deleted users to access a handful of pages

2024-12-17 18:08:43 +01:00 · 2024-12-17 18:08:43 +01:00 · f766a2054b
commit f766a2054b
parent 36cb1d2043
7 changed files with 32 additions and 16 deletions
--- a/Foxnouns.Backend/Dto/User.cs
+++ b/Foxnouns.Backend/Dto/User.cs
@ -48,6 +48,7 @@ public record UserResponse(
    [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)] Instant? LastActive,
    [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)] Instant? LastSidReroll,
    [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)] string? Timezone,
+    [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)] bool? Suspended,
    [property: JsonProperty(NullValueHandling = NullValueHandling.Ignore)] bool? Deleted
 );

--- a/Foxnouns.Backend/Middleware/LimitMiddleware.cs
+++ b/Foxnouns.Backend/Middleware/LimitMiddleware.cs
@ -23,25 +23,29 @@ public class LimitMiddleware : IMiddleware
        Endpoint? endpoint = ctx.GetEndpoint();
        LimitAttribute? attribute = endpoint?.Metadata.GetMetadata<LimitAttribute>();

+        Token? token = ctx.GetToken();
+
        if (attribute == null)
        {
+            // Check for authorize attribute
+            // If it exists, and the user is deleted, throw an error.
+            if (
+                endpoint?.Metadata.GetMetadata<AuthorizeAttribute>() != null
+                && token?.User.Deleted == true
+            )
+            {
+                throw new ApiError.Forbidden("Deleted users cannot access this endpoint.");
+            }
+
            await next(ctx);
            return;
        }

-        Token? token = ctx.GetToken();
-        if (
-            token?.User.Deleted == true
-            && (!attribute.UsableBySuspendedUsers || token.User.DeletedBy == null)
-        )
-        {
+        if (token?.User.Deleted == true && !attribute.UsableBySuspendedUsers)
            throw new ApiError.Forbidden("Deleted users cannot access this endpoint.");
-        }

        if (attribute.RequireAdmin && token?.User.Role != UserRole.Admin)
-        {
            throw new ApiError.Forbidden("This endpoint can only be used by admins.");
-        }

        if (
            attribute.RequireModerator
--- a/Foxnouns.Backend/Services/ModerationRendererService.cs
+++ b/Foxnouns.Backend/Services/ModerationRendererService.cs
@ -21,7 +21,6 @@ using Newtonsoft.Json.Linq;
 namespace Foxnouns.Backend.Services;

 public class ModerationRendererService(
-    DatabaseContext db,
    UserRendererService userRenderer,
    MemberRendererService memberRenderer
 )
--- a/Foxnouns.Backend/Services/UserRendererService.cs
+++ b/Foxnouns.Backend/Services/UserRendererService.cs
@ -115,6 +115,7 @@ public class UserRendererService(
            tokenHidden ? user.LastActive : null,
            tokenHidden ? user.LastSidReroll : null,
            tokenHidden ? user.Timezone ?? "<none>" : null,
+            tokenHidden ? user is { Deleted: true, DeletedBy: not null } : null,
            tokenHidden ? user.Deleted : null
        );
    }