From b5a24502167b67dcb9232f89047055d9a5cf7de4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Jaakko=20Kera=CC=88nen?=
Date: Mon, 15 May 2023 00:46:48 +0300
Subject: [PATCH 1/1] Improved moderator right checks

Users have moderator rights on their own "u/" subspaces: they can delete comments by others.
---
 50_bubble.py | 6 ++++++
 composer.py | 6 ++++--
 feeds.py | 9 ++++++---
 model.py | 38 +++++++++++++++++++++++---------------
 4 files changed, 39 insertions(+), 20 deletions(-)

diff --git a/50_bubble.py b/50_bubble.py
index ceed5b2..a80c32e 100644
--- a/50_bubble.py
+++ b/50_bubble.py
@@ -89,6 +89,7 @@ Bubble is open source:
 self.is_context_tracker = False
 self.user_follows = set()
 self.c_user = None # User associated with the context subspace, if any
+ self.token = None
 def is_editable(self, post: Post):
 return self.user.role == User.ADMIN or post.user == self.user.id
@@ -98,6 +99,11 @@ Bubble is open source:
 return True
 return post.subspace in self.user.moderated_subspace_ids
+ def get_token(self):
+ if not self.token:
+ self.token = self.db.get_token(self.user)
+ return self.token
+
 def feed_title(self):
 if self.c_user:
 # User's feed can have a custom title.
diff --git a/composer.py b/composer.py
index 3e08fe4..28dd2d4 100644
--- a/composer.py
+++ b/composer.py
@@ -81,8 +81,10 @@ def make_composer_page(session):
 if not session.user:
 return 60, 'Must be signed in to edit posts'
- if not session.is_editable(post) and \
- (post_action == 'delete' and not session.is_deletable(post)):
+ if post_action == 'delete':
+ if not session.is_deletable(post):
+ return 61, 'Cannot delete post'
+ elif not session.is_editable(post):
 return 61, 'Cannot edit posts by other users'
 user_token = db.get_token(session.user)
diff --git a/feeds.py b/feeds.py
index 4e26462..3fbf786 100644
--- a/feeds.py
+++ b/feeds.py
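Review bot: `get_token` in 50_bubble.py (second hunk) memoises the token for the lifetime of the session object but has no docstring saying what the token protects or that a signed-in user is assumed. feeds.py embeds this value in the delete URLs, so the contract is worth writing down, e.g. `"""Return the signed-in user's action token, fetched once per session object."""`. The method passes `self.user` to `self.db.get_token` unchecked; an explicit `if self.user is None: return None` would keep a signed-out caller from reaching the database layer, whose behaviour for that case is not visible here. composer.py still calls `db.get_token(session.user)` directly and could use the same accessor. The class body starts and ends outside the hunk.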
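Review bot: In composer.py the delete branch now depends on `is_deletable` alone, so an author deleting their own post is refused unless `is_deletable` also accepts the author; only the last two lines of that method are visible in this patch, so this needs confirming. If it does not, `if not (session.is_deletable(post) or session.is_editable(post)):` keeps the owner path. The hunk also shows no locked-context test, while feeds.py checks `session.is_context_locked` before rendering these links; the handler should enforce that itself rather than rely on the link being hidden. `make_composer_page` begins and continues outside the hunk.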
@@ -196,7 +196,7 @@ def make_post_page(session, post):
 page += f'=> /follow/post/{post.id} ➕ Follow {kind}\n'
 if session.is_deletable(post) and not session.is_editable(post):
- page += f'\n=> /edit/{post.id}/delete/{session.db.get_token(session.user)} ❌ Delete {kind}\n'
+ page += f'\n=> /edit/{post.id}/delete/{session.get_token()} ❌ Delete {kind}\n'
 if session.user.id == post.user and post.sub_owner == post.user:
 antenna_feed = f"gemini://{session.bubble.hostname}{session.path}u/{session.user.name}/{post.id}/antenna"
 page += f'\n=> {session.bubble.antenna_url}?{urlparse.quote(antenna_feed)} Submit post to 📡 Antenna\n'
@@ -263,14 +263,17 @@ def make_post_page(session, post):
 comment_age = cmt.age()
 if comment_age != last_age:
 last_age = comment_age
- #comment_age = ' · ' + comment_age
 else:
 comment_age = ''
 if session.user and (cmt.user == session.user.id or session.is_user_mod) and \
 not session.is_context_locked:
 # Actions on your own comments.
- src += f'=> /edit/{cmt.id} ✏️ Edit{" · " if len(comment_age) else ""}{comment_age}\n'
+ age_suffix = f" · {comment_age}" if len(comment_age) else comment_age
+ if session.is_editable(cmt):
+ src += f'=> /edit/{cmt.id} ✏️ Edit{age_suffix}\n'
+ elif session.is_deletable(cmt):
+ src += f'=> /edit/{cmt.id}/delete/{session.get_token()} ❌ Delete{age_suffix}\n'
 elif len(comment_age):
 src += comment_age + '\n'
diff --git a/model.py b/model.py
index 8da2cab..73612b6 100644
--- a/model.py
+++ b/model.py
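Review bot: In the second feeds.py hunk the outer guard still reads `cmt.user == session.user.id or session.is_user_mod`, so the new Delete link is reachable only when `is_user_mod` is set; whether that flag is true for the owner of a "u/" subspace is not visible here, and if it is not, the owner never sees the link. Gating on the permission checks themselves, `if session.user and not session.is_context_locked and (session.is_editable(cmt) or session.is_deletable(cmt)):`, keeps the rendered actions aligned with what composer.py enforces. As written, a viewer who passes the outer guard but neither inner check gets no line at all, so the comment age is silently dropped. The comment `# Actions on your own comments.` is now stale; `# Edit own comments; moderators may delete comments by others.` would match the new behaviour. The enclosing loop starts outside the hunk.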
@@ -514,35 +514,43 @@ class Database:
 cond = []
 values = []
 if id != None:
- cond.append('id=?')
+ cond.append('u.id=?')
 values.append(id)
 elif name != None:
- cond.append('name=?')
+ cond.append('u.name=?')
 values.append(name)
 if password:
- cond.append('password=?')
+ cond.append('u.password=?')
 values.append(password)
 if not cond:
 return None
 cur.execute(f"""
 SELECT
- id, name,
- info, url, avatar,
- role, flags,
- notif, email,
- password,
- UNIX_TIMESTAMP(ts_password),
- UNIX_TIMESTAMP(ts_created),
- UNIX_TIMESTAMP(ts_active),
- sort_post, sort_cmt
- FROM users
+ u.id,
+ u.name,
+ u.info,
+ u.url,
+ u.avatar,
+ u.role,
+ u.flags,
+ u.notif,
+ u.email,
+ u.password,
+ UNIX_TIMESTAMP(u.ts_password),
+ UNIX_TIMESTAMP(u.ts_created),
+ UNIX_TIMESTAMP(u.ts_active),
+ u.sort_post,
+ u.sort_cmt,
+ s.id
+ FROM users u
+ JOIN subspaces s ON s.owner=u.id
 WHERE {' AND '.join(cond)}""", values)
 for (id, name, info, url, avatar, role, flags, notif, email, password, ts_password, ts_created, \
- ts_active, sort_post, sort_cmt) in cur:
+ ts_active, sort_post, sort_cmt, user_subspace_id) in cur:
 user = User(id, name, info, url, avatar, role, flags, notif, email, \
 password, ts_password, ts_created, ts_active,sort_post, sort_cmt)
- user.moderated_subspace_ids = self.get_moderated_subspace_ids(user)
+ user.moderated_subspace_ids = [user_subspace_id] + self.get_moderated_subspace_ids(user)
 return user
 return None
-- 
2.34.1
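Review bot: The inner `JOIN subspaces s ON s.owner=u.id` makes this user lookup depend on the subspaces table: a user who owns no subspace row matches nothing and the function returns None, which callers presumably treat as an unknown user or a failed sign-in. A user who owns more than one row produces several result rows, and because the loop returns on the first, only one owned id reaches `moderated_subspace_ids`, the list that `is_deletable` trusts. `LEFT JOIN subspaces s ON s.owner=u.id` together with `owned = [user_subspace_id] if user_subspace_id is not None else []` avoids the lockout. If `owner` can be set on subspaces other than the user's own "u/" space, the join should also filter on that, so moderator rights are not granted more widely than the commit description states. The function's signature and the rest of its body are outside the hunk.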