Remove read privilege. Public data is now readable by everyone without having to pass an API token. Feel free to test around as much as you like!
This commit is contained in:
parent
534d5183ed
commit
0a870ee742
30
app/start.go
30
app/start.go
|
@ -39,28 +39,26 @@ func Start(conf common.Conf, dbO *sql.DB) *gin.Engine {
|
||||||
gv1.POST("/tokens/new", Method(v1.TokenNewPOST))
|
gv1.POST("/tokens/new", Method(v1.TokenNewPOST))
|
||||||
gv1.GET("/tokens/self/delete", Method(v1.TokenSelfDeleteGET))
|
gv1.GET("/tokens/self/delete", Method(v1.TokenSelfDeleteGET))
|
||||||
|
|
||||||
// Auth-free API endpoints
|
// Auth-free API endpoints (public data)
|
||||||
gv1.GET("/ping", Method(v1.PingGET))
|
gv1.GET("/ping", Method(v1.PingGET))
|
||||||
gv1.GET("/surprise_me", Method(v1.SurpriseMeGET))
|
gv1.GET("/surprise_me", Method(v1.SurpriseMeGET))
|
||||||
gv1.GET("/privileges", Method(v1.PrivilegesGET))
|
gv1.GET("/privileges", Method(v1.PrivilegesGET))
|
||||||
gv1.GET("/doc", Method(v1.DocGET))
|
gv1.GET("/doc", Method(v1.DocGET))
|
||||||
gv1.GET("/doc/content", Method(v1.DocContentGET))
|
gv1.GET("/doc/content", Method(v1.DocContentGET))
|
||||||
gv1.GET("/doc/rules", Method(v1.DocRulesGET))
|
gv1.GET("/doc/rules", Method(v1.DocRulesGET))
|
||||||
|
gv1.GET("/users", Method(v1.UsersGET))
|
||||||
// Read privilege required
|
gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET))
|
||||||
gv1.GET("/users", Method(v1.UsersGET, common.PrivilegeRead))
|
gv1.GET("/users/full", Method(v1.UserFullGET))
|
||||||
gv1.GET("/users/self", Method(v1.UserSelfGET, common.PrivilegeRead))
|
gv1.GET("/users/userpage", Method(v1.UserUserpageGET))
|
||||||
gv1.GET("/users/whatid", Method(v1.UserWhatsTheIDGET, common.PrivilegeRead))
|
gv1.GET("/users/lookup", Method(v1.UserLookupGET))
|
||||||
gv1.GET("/users/full", Method(v1.UserFullGET, common.PrivilegeRead))
|
gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET))
|
||||||
gv1.GET("/users/userpage", Method(v1.UserUserpageGET, common.PrivilegeRead))
|
gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET))
|
||||||
gv1.GET("/users/lookup", Method(v1.UserLookupGET, common.PrivilegeRead))
|
gv1.GET("/badges", Method(v1.BadgesGET))
|
||||||
gv1.GET("/users/scores/best", Method(v1.UserScoresBestGET, common.PrivilegeRead))
|
gv1.GET("/beatmaps", Method(v1.BeatmapGET))
|
||||||
gv1.GET("/users/scores/recent", Method(v1.UserScoresRecentGET, common.PrivilegeRead))
|
gv1.GET("/leaderboard", Method(v1.LeaderboardGET))
|
||||||
gv1.GET("/badges", Method(v1.BadgesGET, common.PrivilegeRead))
|
gv1.GET("/tokens", Method(v1.TokenGET))
|
||||||
gv1.GET("/beatmaps", Method(v1.BeatmapGET, common.PrivilegeRead))
|
gv1.GET("/users/self", Method(v1.UserSelfGET))
|
||||||
gv1.GET("/leaderboard", Method(v1.LeaderboardGET, common.PrivilegeRead))
|
gv1.GET("/tokens/self", Method(v1.TokenSelfGET))
|
||||||
gv1.GET("/tokens", Method(v1.TokenGET, common.PrivilegeRead))
|
|
||||||
gv1.GET("/tokens/self", Method(v1.TokenSelfGET, common.PrivilegeRead))
|
|
||||||
|
|
||||||
// ReadConfidential privilege required
|
// ReadConfidential privilege required
|
||||||
gv1.GET("/friends", Method(v1.FriendsGET, common.PrivilegeReadConfidential))
|
gv1.GET("/friends", Method(v1.FriendsGET, common.PrivilegeReadConfidential))
|
||||||
|
|
|
@ -19,7 +19,7 @@ func GetTokenFull(token string, db *sql.DB) (common.Token, bool) {
|
||||||
&t.ID, &t.UserID, &privs, &priv8,
|
&t.ID, &t.UserID, &privs, &priv8,
|
||||||
)
|
)
|
||||||
if priv8 {
|
if priv8 {
|
||||||
privs = common.PrivilegeRead | common.PrivilegeReadConfidential | common.PrivilegeWrite
|
privs = common.PrivilegeReadConfidential | common.PrivilegeWrite
|
||||||
}
|
}
|
||||||
t.Privileges = common.Privileges(privs)
|
t.Privileges = common.Privileges(privs)
|
||||||
switch {
|
switch {
|
||||||
|
|
|
@ -26,7 +26,7 @@ func PrivilegesGET(md common.MethodData) common.CodeMessager {
|
||||||
r := privilegesData{}
|
r := privilegesData{}
|
||||||
r.Code = 200
|
r.Code = 200
|
||||||
// This code sucks.
|
// This code sucks.
|
||||||
r.Read = md.User.Privileges.HasPrivilegeRead()
|
r.Read = true
|
||||||
r.ReadConfidential = md.User.Privileges.HasPrivilegeReadConfidential()
|
r.ReadConfidential = md.User.Privileges.HasPrivilegeReadConfidential()
|
||||||
r.Write = md.User.Privileges.HasPrivilegeWrite()
|
r.Write = md.User.Privileges.HasPrivilegeWrite()
|
||||||
r.ManageBadges = md.User.Privileges.HasPrivilegeManageBadges()
|
r.ManageBadges = md.User.Privileges.HasPrivilegeManageBadges()
|
||||||
|
|
|
@ -4,7 +4,7 @@ import "strings"
|
||||||
|
|
||||||
// These are the various privileges a token can have.
|
// These are the various privileges a token can have.
|
||||||
const (
|
const (
|
||||||
PrivilegeRead = 1 << iota // pretty much public data: leaderboard, scores, user profiles (without confidential stuff like email)
|
PrivilegeRead = 1 << iota // used to be to fetch public data, such as user information etc. this is deprecated.
|
||||||
PrivilegeReadConfidential // (eventual) private messages, reports... of self
|
PrivilegeReadConfidential // (eventual) private messages, reports... of self
|
||||||
PrivilegeWrite // change user information, write into confidential stuff...
|
PrivilegeWrite // change user information, write into confidential stuff...
|
||||||
PrivilegeManageBadges // can change various users' badges.
|
PrivilegeManageBadges // can change various users' badges.
|
||||||
|
@ -22,11 +22,6 @@ const (
|
||||||
// Privileges is a bitwise enum of the privileges of an user's API key.
|
// Privileges is a bitwise enum of the privileges of an user's API key.
|
||||||
type Privileges uint64
|
type Privileges uint64
|
||||||
|
|
||||||
// HasPrivilegeRead returns whether the Read privilege is included in the privileges.
|
|
||||||
func (p Privileges) HasPrivilegeRead() bool {
|
|
||||||
return p&PrivilegeRead != 0
|
|
||||||
}
|
|
||||||
|
|
||||||
// HasPrivilegeReadConfidential returns whether the ReadConfidential privilege is included in the privileges.
|
// HasPrivilegeReadConfidential returns whether the ReadConfidential privilege is included in the privileges.
|
||||||
func (p Privileges) HasPrivilegeReadConfidential() bool {
|
func (p Privileges) HasPrivilegeReadConfidential() bool {
|
||||||
return p&PrivilegeReadConfidential != 0
|
return p&PrivilegeReadConfidential != 0
|
||||||
|
@ -114,7 +109,7 @@ func (p Privileges) String() string {
|
||||||
}
|
}
|
||||||
|
|
||||||
var privilegeMustBe = [...]int{
|
var privilegeMustBe = [...]int{
|
||||||
UserPrivilegeNormal,
|
1 << 30, // read is deprecated, and should be given out to no-one.
|
||||||
UserPrivilegeNormal,
|
UserPrivilegeNormal,
|
||||||
UserPrivilegeNormal,
|
UserPrivilegeNormal,
|
||||||
AdminPrivilegeAccessRAP | AdminPrivilegeManageBadges,
|
AdminPrivilegeAccessRAP | AdminPrivilegeManageBadges,
|
||||||
|
|
Loading…
Reference in New Issue
Block a user