Differences From
Artifact [35b3cb0b8a]:
245 245
246 246 ::badurl:: do co:complain(404, 'invalid URL', 'this URL does not reference extant content or functionality') return end
247 247 ::badop :: do co:complain(405, 'invalid operation', 'the operation you have attempted on this post is not meaningful') return end
248 248 end
249 249
250 250 terra http.configure(co: &lib.srv.convo, path: hpath, meth: method.t)
251 251 var msg = pstring.null()
252 + -- first things first, do priv checks
253 + if path.ct >= 1 then
254 + if not co.who.rights.powers.config() and (
255 + path(1):cmp(lib.str.lit 'srv') or
256 + path(1):cmp(lib.str.lit 'badge') or
257 + path(1):cmp(lib.str.lit 'emoji')
258 + ) then goto nopriv
259 +
260 + elseif not co.who.rights.powers.rebrand() and (
261 + path(1):cmp(lib.str.lit 'brand')
262 + ) then goto nopriv
263 +
264 + elseif not co.who.rights.powers.acct() and (
265 + path(1):cmp(lib.str.lit 'profile') or
266 + path(1):cmp(lib.str.lit 'acct')
267 + ) then goto nopriv
268 +
269 + elseif not co.who.rights.powers:affect_users() and (
270 + path(1):cmp(lib.str.lit 'users')
271 + ) then goto nopriv end
272 + end
273 +
252 274 if meth == method.post and path.ct >= 1 then
253 275 var user_refresh = false var fail = false
254 276 if path(1):cmp(lib.str.lit 'profile') then
255 277 lib.dbg('updating profile')
256 278 co.who.bio = co:postv('bio')._0
257 279 co.who.nym = co:postv('nym')._0
258 280 if co.who.bio ~= nil and @co.who.bio == 0 then co.who.bio = nil end
................................................................................
279 301 if resethue then
280 302 co.srv:actor_conf_int_reset(co.who.id, 'ui-accent')
281 303 co.ui_hue = co.srv.cfg.ui_hue
282 304 end
283 305
284 306 msg = lib.str.plit 'profile changes saved'
285 307 --user_refresh = true -- not really necessary here, actually
286 - elseif path(1):cmp(lib.str.lit 'srv') then
287 - if not co.who.rights.powers.config() then goto nopriv end
288 - elseif path(1):cmp(lib.str.lit 'brand') then
289 - if not co.who.rights.powers.rebrand() then goto nopriv end
290 - elseif path(1):cmp(lib.str.lit 'users') then
291 - if not co.who.rights.powers:affect_users() then goto nopriv end
292 308
293 309 elseif path(1):cmp(lib.str.lit 'sec') then
294 310 var act = co:ppostv('act')
295 311 if act:cmp(lib.str.plit 'invalidate') then
296 312 lib.dbg('setting user\'s cookie validation time to now')
297 313 co.who.source:auth_sigtime_user_alter(co.who.id, lib.osclock.time(nil))
298 314 -- the current session has been invalidated as well, so we need to immediately install a new authentication cookie with the same aid so the user doesn't need to log back in all over again
299 315 co:installkey('/conf/sec',co.aid)
300 316 return
317 + end
318 + elseif path(1):cmp(lib.str.lit 'users') and path.ct >= 2 then
319 + var userid, ok = lib.math.shorthand.parse(path(2).ptr, path(2).ct)
320 + if ok then
321 + var usr = co.srv:actor_fetch_uid(userid) defer usr:free()
322 + if not co.who:overpowers(usr.ptr) then goto nopriv end
301 323 end
302 324 end
303 325
304 326 if user_refresh then -- refresh the user info for the renderer
305 327 var usr = co.srv:actor_fetch_uid(co.who.id)
306 328 lib.mem.heapf(co.who)
307 329 co.who = usr.ptr
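Review bot: The new `users` branch in the POST path (new lines 318–322) fails open. When `lib.math.shorthand.parse` returns `ok == false`, the `overpowers` check is skipped and the request falls through, and `usr.ptr` is passed to `overpowers` without a nil check, which matters if `actor_fetch_uid` can come back empty for an unknown uid (not visible here). I would reject both cases explicitly: `if not ok then goto nopriv end` before the fetch, and `if usr.ptr == nil or not co.who:overpowers(usr.ptr) then goto nopriv end` after it. The check also sits inside the `meth == method.post` block, so a comment saying whether non-POST requests to `users/<id>` are meant to skip the `overpowers` test would help the next reader. The body of `http.configure` continues past this hunk, so how the fall-through is handled later cannot be confirmed from the page.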