Remove read privilege. Public data is now readable by everyone without having to pass an API token. Feel free to test around as much as you like!

This commit is contained in:
Howl 2016-07-06 14:22:43 +02:00
parent 534d5183ed
commit 0a870ee742
4 changed files with 18 additions and 25 deletions


@ -39,28 +39,26 @@ func Start(conf common.Conf, dbO *sql.DB) *gin.Engine {
gv1.POST("/tokens/new", Method(v1.TokenNewPOST)) gv1.POST("/tokens/new", Method(v1.TokenNewPOST))
gv1.GET("/tokens/self/delete", Method(v1.TokenSelfDeleteGET)) gv1.GET("/tokens/self/delete", Method(v1.TokenSelfDeleteGET))
// Auth-free API endpoints // Auth-free API endpoints (public data)
gv1.GET("/ping", Method(v1.PingGET)) gv1.GET("/ping", Method(v1.PingGET))
gv1.GET("/surprise_me", Method(v1.SurpriseMeGET)) gv1.GET("/surprise_me", Method(v1.SurpriseMeGET))
gv1.GET("/privileges", Method(v1.PrivilegesGET)) gv1.GET("/privileges", Method(v1.PrivilegesGET))
gv1.GET("/doc", Method(v1.DocGET)) gv1.GET("/doc", Method(v1.DocGET))
gv1.GET("/doc/content", Method(v1.DocContentGET)) gv1.GET("/doc/content", Method(v1.DocContentGET))
gv1.GET("/doc/rules", Method(v1.DocRulesGET)) gv1.GET("/doc/rules", Method(v1.DocRulesGET))
gv1.GET("/users", Method(v1.UsersGET))
// Read privilege required gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET))
gv1.GET("/users", Method(v1.UsersGET, common.PrivilegeRead)) gv1.GET("/users/full", Method(v1.UserFullGET))
gv1.GET("/users/self", Method(v1.UserSelfGET, common.PrivilegeRead)) gv1.GET("/users/userpage", Method(v1.UserUserpageGET))
gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET, common.PrivilegeRead)) gv1.GET("/users/lookup", Method(v1.UserLookupGET))
gv1.GET("/users/full", Method(v1.UserFullGET, common.PrivilegeRead)) gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET))
gv1.GET("/users/userpage", Method(v1.UserUserpageGET, common.PrivilegeRead)) gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET))
gv1.GET("/users/lookup", Method(v1.UserLookupGET, common.PrivilegeRead)) gv1.GET("/badges", Method(v1.BadgesGET))
gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET, common.PrivilegeRead)) gv1.GET("/beatmaps", Method(v1.BeatmapGET))
gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET, common.PrivilegeRead)) gv1.GET("/leaderboard", Method(v1.LeaderboardGET))
gv1.GET("/badges", Method(v1.BadgesGET, common.PrivilegeRead)) gv1.GET("/tokens", Method(v1.TokenGET))
gv1.GET("/beatmaps", Method(v1.BeatmapGET, common.PrivilegeRead)) gv1.GET("/users/self", Method(v1.UserSelfGET))
gv1.GET("/leaderboard", Method(v1.LeaderboardGET, common.PrivilegeRead)) gv1.GET("/tokens/self", Method(v1.TokenSelfGET))
gv1.GET("/tokens", Method(v1.TokenGET, common.PrivilegeRead))
gv1.GET("/tokens/self", Method(v1.TokenSelfGET, common.PrivilegeRead))
// ReadConfidential privilege required // ReadConfidential privilege required
gv1.GET("/friends", Method(v1.FriendsGET, common.PrivilegeReadConfidential)) gv1.GET("/friends", Method(v1.FriendsGET, common.PrivilegeReadConfidential))
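Review bot: The new-side comment `// Auth-free API endpoints (public data)` now also heads `/tokens`, `/users/self` and `/tokens/self`, which return data about the caller's own token and user rather than public data, and whose handlers therefore still depend on a token being presented. Whether `Method` still rejects a missing token when no privilege argument is given is not visible in this hunk, so that should be confirmed; as written the comment invites a future reader to treat those three routes as anonymous. I would split the group with a comment such as `// Token required, no specific privilege` placed above the `/tokens` route, keeping `(public data)` only over the routes that really serve it. The body of `Start` continues outside the hunk.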


@ -19,7 +19,7 @@ func GetTokenFull(token string, db *sql.DB) (common.Token, bool) {
&t.ID, &t.UserID, &privs, &priv8, &t.ID, &t.UserID, &privs, &priv8,
) )
if priv8 { if priv8 {
privs = common.PrivilegeRead | common.PrivilegeReadConfidential | common.PrivilegeWrite privs = common.PrivilegeReadConfidential | common.PrivilegeWrite
} }
t.Privileges = common.Privileges(privs) t.Privileges = common.Privileges(privs)
switch { switch {
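Review bot: `privs` is taken verbatim from the scanned row, so tokens already stored with the old `PrivilegeRead` bit keep it in `t.Privileges` after this change; only the `priv8` override path on the changed line drops it. That is harmless for routing, since no route in this commit still asks for `common.PrivilegeRead`, but if the "should be given out to no-one" intent stated in privileges.go is meant to hold for existing rows too, this is the place to mask it, e.g. `privs &^= common.PrivilegeRead` before the `priv8` check, or to note in a comment that stale bits are tolerated. `GetTokenFull` starts outside the hunk, so the scan and the type of `privs` are not visible here.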


@ -26,7 +26,7 @@ func PrivilegesGET(md common.MethodData) common.CodeMessager {
r := privilegesData{} r := privilegesData{}
r.Code = 200 r.Code = 200
// This code sucks. // This code sucks.
r.Read = md.User.Privileges.HasPrivilegeRead() r.Read = true
r.ReadConfidential = md.User.Privileges.HasPrivilegeReadConfidential() r.ReadConfidential = md.User.Privileges.HasPrivilegeReadConfidential()
r.Write = md.User.Privileges.HasPrivilegeWrite() r.Write = md.User.Privileges.HasPrivilegeWrite()
r.ManageBadges = md.User.Privileges.HasPrivilegeManageBadges() r.ManageBadges = md.User.Privileges.HasPrivilegeManageBadges()
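Review bot: `r.Read = true` turns a field that used to describe the token into a constant, and nothing on the new side says why it is kept, so an API consumer reading this response will still assume it is a per-token privilege. I would replace the `// This code sucks.` line, which no longer helps, with a comment on the assignment such as `r.Read = true // deprecated: public data needs no token; kept so existing clients still see the field`. The body of `PrivilegesGET` continues outside the hunk.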


@ -4,7 +4,7 @@ import "strings"
// These are the various privileges a token can have. // These are the various privileges a token can have.
const ( const (
PrivilegeRead = 1 << iota // pretty much public data: leaderboard, scores, user profiles (without confidential stuff like email) PrivilegeRead = 1 << iota // used to be to fetch public data, such as user information etc. this is deprecated.
PrivilegeReadConfidential // (eventual) private messages, reports... of self PrivilegeReadConfidential // (eventual) private messages, reports... of self
PrivilegeWrite // change user information, write into confidential stuff... PrivilegeWrite // change user information, write into confidential stuff...
PrivilegeManageBadges // can change various users' badges. PrivilegeManageBadges // can change various users' badges.
@ -22,11 +22,6 @@ const (
// Privileges is a bitwise enum of the privileges of an user's API key. // Privileges is a bitwise enum of the privileges of an user's API key.
type Privileges uint64 type Privileges uint64
// HasPrivilegeRead returns whether the Read privilege is included in the privileges.
func (p Privileges) HasPrivilegeRead() bool {
return p&PrivilegeRead != 0
}
// HasPrivilegeReadConfidential returns whether the ReadConfidential privilege is included in the privileges. // HasPrivilegeReadConfidential returns whether the ReadConfidential privilege is included in the privileges.
func (p Privileges) HasPrivilegeReadConfidential() bool { func (p Privileges) HasPrivilegeReadConfidential() bool {
return p&PrivilegeReadConfidential != 0 return p&PrivilegeReadConfidential != 0
@ -114,7 +109,7 @@ func (p Privileges) String() string {
} }
var privilegeMustBe = [...]int{ var privilegeMustBe = [...]int{
UserPrivilegeNormal, 1 << 30, // read is deprecated, and should be given out to no-one.
UserPrivilegeNormal, UserPrivilegeNormal,
UserPrivilegeNormal, UserPrivilegeNormal,
AdminPrivilegeAccessRAP | AdminPrivilegeManageBadges, AdminPrivilegeAccessRAP | AdminPrivilegeManageBadges,