Thomas Citharel d41aa3b2fd
Disallow accessing identity page when logged in
And disallow calls to fetchPerson when not our own profile or unlogged

Signed-off-by: Thomas Citharel <tcit@tcit.fr>
2020-10-02 09:53:32 +02:00

367 lines
11 KiB
Elixir

defmodule Mobilizon.GraphQL.Resolvers.Person do
@moduledoc """
Handles the person-related GraphQL calls
"""
import Mobilizon.Users.Guards
alias Mobilizon.Actors
alias Mobilizon.Actors.Actor
alias Mobilizon.Events
alias Mobilizon.Events.Participant
alias Mobilizon.Storage.Page
alias Mobilizon.Users
alias Mobilizon.Users.User
import Mobilizon.Web.Gettext
alias Mobilizon.Federation.ActivityPub
alias Mobilizon.Web.{MediaProxy, Upload}
@doc """
Get a person
"""
def get_person(_parent, %{id: id}, %{context: %{current_user: %User{role: role}}}) do
with %Actor{suspended: suspended} = actor <- Actors.get_actor_with_preload(id, true),
true <- suspended == false or is_moderator(role),
actor <- proxify_pictures(actor) do
{:ok, actor}
else
_ ->
{:error, dgettext("errors", "Person with ID %{id} not found", id: id)}
end
end
@doc """
Find a person
"""
def fetch_person(_parent, %{preferred_username: preferred_username}, %{
context: %{current_user: %User{} = user}
}) do
with {:ok, %Actor{id: actor_id} = actor} <-
ActivityPub.find_or_make_actor_from_nickname(preferred_username),
{:own, {:is_owned, _}} <- {:own, User.owns_actor(user, actor_id)},
actor <- proxify_pictures(actor) do
{:ok, actor}
else
{:own, nil} ->
{:error, :unauthorized}
_ ->
{:error,
dgettext("errors", "Person with username %{username} not found",
username: preferred_username
)}
end
end
def fetch_person(_parent, _args, _resolution), do: {:error, :unauthenticated}
def list_persons(
_parent,
%{
preferred_username: preferred_username,
name: name,
domain: domain,
local: local,
suspended: suspended,
page: page,
limit: limit
},
%{
context: %{current_user: %User{role: role}}
}
)
when is_moderator(role) do
{:ok,
Actors.list_actors(:Person, preferred_username, name, domain, local, suspended, page, limit)}
end
def list_persons(_parent, _args, %{
context: %{current_user: %User{role: role}}
})
when not is_moderator(role) do
{:error, :unauthorized}
end
def list_persons(_parent, _args, _resolution) do
{:error, :unauthenticated}
end
@doc """
Returns the current actor for the currently logged-in user
"""
def get_current_person(_parent, _args, %{context: %{current_user: user}}) do
{:ok, Users.get_actor_for_user(user)}
end
def get_current_person(_parent, _args, _resolution) do
{:error, :unauthenticated}
end
@doc """
Returns the list of identities for the logged-in user
"""
def identities(_parent, _args, %{context: %{current_user: user}}) do
{:ok, Users.get_actors_for_user(user)}
end
def identities(_parent, _args, _resolution) do
{:error, :unauthenticated}
end
@doc """
This function is used to create more identities from an existing user
"""
def create_person(
_parent,
%{preferred_username: _preferred_username} = args,
%{context: %{current_user: user}} = _resolution
) do
args = Map.put(args, :user_id, user.id)
with args <- save_attached_pictures(args),
{:ok, %Actor{} = new_person} <- Actors.new_person(args) do
{:ok, new_person}
end
end
@doc """
This function is used to create more identities from an existing user
"""
def create_person(_parent, _args, _resolution) do
{:error, :unauthenticated}
end
@doc """
This function is used to update an existing identity
"""
def update_person(
_parent,
%{id: id} = args,
%{context: %{current_user: user}} = _resolution
) do
args = Map.put(args, :user_id, user.id)
with {:find_actor, %Actor{} = actor} <-
{:find_actor, Actors.get_actor(id)},
{:is_owned, %Actor{}} <- User.owns_actor(user, actor.id),
args <- save_attached_pictures(args),
{:ok, _activity, %Actor{} = actor} <- ActivityPub.update(actor, args, true) do
{:ok, actor}
else
{:find_actor, nil} ->
{:error, dgettext("errors", "Profile not found")}
{:is_owned, nil} ->
{:error, dgettext("errors", "Profile is not owned by authenticated user")}
end
end
def update_person(_parent, _args, _resolution) do
{:error, :unauthenticated}
end
@doc """
This function is used to delete an existing identity
"""
def delete_person(
_parent,
%{id: id} = _args,
%{context: %{current_user: user}} = _resolution
) do
with {:find_actor, %Actor{} = actor} <-
{:find_actor, Actors.get_actor(id)},
{:is_owned, %Actor{}} <- User.owns_actor(user, actor.id),
{:last_identity, false} <- {:last_identity, last_identity?(user)},
{:last_admin, false} <- {:last_admin, last_admin_of_a_group?(actor.id)},
{:ok, actor} <- Actors.delete_actor(actor) do
{:ok, actor}
else
{:find_actor, nil} ->
{:error, dgettext("errors", "Profile not found")}
{:last_identity, true} ->
{:error, dgettext("errors", "Cannot remove the last identity of a user")}
{:last_admin, true} ->
{:error, dgettext("errors", "Cannot remove the last administrator of a group")}
{:is_owned, nil} ->
{:error, dgettext("errors", "Profile is not owned by authenticated user")}
end
end
def delete_person(_parent, _args, _resolution) do
{:error, :unauthenticated}
end
defp last_identity?(user) do
length(Users.get_actors_for_user(user)) <= 1
end
defp save_attached_pictures(args) do
Enum.reduce([:avatar, :banner], args, fn key, args ->
if Map.has_key?(args, key) && !is_nil(args[key][:picture]) do
pic = args[key][:picture]
with {:ok, %{name: name, url: url, content_type: content_type, size: _size}} <-
Upload.store(pic.file, type: key, description: pic.alt) do
Map.put(args, key, %{"name" => name, "url" => url, "mediaType" => content_type})
end
else
args
end
end)
end
@doc """
This function is used to register a person afterwards the user has been created (but not activated)
"""
def register_person(_parent, args, _resolution) do
with {:ok, %User{} = user} <- Users.get_user_by_email(args.email),
user_actor <- Users.get_actor_for_user(user),
no_actor <- is_nil(user_actor),
{:no_actor, true} <- {:no_actor, no_actor},
args <- Map.put(args, :user_id, user.id),
args <- save_attached_pictures(args),
{:ok, %Actor{} = new_person} <- Actors.new_person(args, true) do
{:ok, new_person}
else
{:error, :user_not_found} ->
{:error, dgettext("errors", "No user with this email was found")}
{:no_actor, _} ->
{:error, dgettext("errors", "You already have a profile for this user")}
{:error, %Ecto.Changeset{} = e} ->
{:error, e}
end
end
@doc """
Returns the participation for a specific event
"""
def person_participations(
%Actor{id: actor_id},
%{event_id: event_id},
%{context: %{current_user: user}}
) do
with {:is_owned, %Actor{} = _actor} <- User.owns_actor(user, actor_id),
{:no_participant, {:ok, %Participant{} = participant}} <-
{:no_participant, Events.get_participant(event_id, actor_id)} do
{:ok, %Page{elements: [participant], total: 1}}
else
{:is_owned, nil} ->
{:error, dgettext("errors", "Profile is not owned by authenticated user")}
{:no_participant, _} ->
{:ok, %Page{elements: [], total: 0}}
end
end
@doc """
Returns the list of events this person is going to
"""
def person_participations(%Actor{id: actor_id} = actor, %{page: page, limit: limit}, %{
context: %{current_user: %User{role: role} = user}
}) do
{:is_owned, actor_found} = User.owns_actor(user, actor_id)
res =
cond do
not is_nil(actor_found) ->
true
is_moderator(role) ->
true
true ->
false
end
with {:is_owned, true} <- {:is_owned, res},
%Page{} = page <- Events.list_event_participations_for_actor(actor, page, limit) do
{:ok, page}
else
{:is_owned, false} ->
{:error, dgettext("errors", "Profile is not owned by authenticated user")}
end
end
@doc """
Returns the list of events this person is going to
"""
def person_memberships(%Actor{id: actor_id}, _args, %{context: %{current_user: user}}) do
with {:is_owned, %Actor{} = actor} <- User.owns_actor(user, actor_id),
participations <- Actors.list_members_for_actor(actor) do
{:ok, participations}
else
{:is_owned, nil} ->
{:error, dgettext("errors", "Profile is not owned by authenticated user")}
end
end
def proxify_pictures(%Actor{} = actor) do
actor
|> proxify_avatar
|> proxify_banner
end
def user_for_person(%Actor{type: :Person, user_id: user_id}, _args, %{
context: %{current_user: %User{role: role}}
})
when is_moderator(role) do
with false <- is_nil(user_id),
%User{} = user <- Users.get_user(user_id) do
{:ok, user}
else
true ->
{:ok, nil}
_ ->
{:error, dgettext("errors", "User not found")}
end
end
def user_for_person(_, _args, _resolution), do: {:error, nil}
def organized_events_for_person(
%Actor{user_id: actor_user_id} = actor,
%{page: page, limit: limit},
%{
context: %{current_user: %User{id: user_id, role: role}}
}
) do
with true <- actor_user_id == user_id or is_moderator(role),
%Page{} = page <- Events.list_organized_events_for_actor(actor, page, limit) do
{:ok, page}
end
end
def organized_events_for_person(_parent, _args, _resolution),
do: {:ok, %Page{elements: [], total: 0}}
# We check that the actor is not the last administrator/creator of a group
@spec last_admin_of_a_group?(integer()) :: boolean()
defp last_admin_of_a_group?(actor_id) do
length(Actors.list_group_ids_where_last_administrator(actor_id)) > 0
end
@spec proxify_avatar(Actor.t()) :: Actor.t()
defp proxify_avatar(%Actor{avatar: %{url: avatar_url} = avatar} = actor) do
actor |> Map.put(:avatar, avatar |> Map.put(:url, MediaProxy.url(avatar_url)))
end
@spec proxify_avatar(Actor.t()) :: Actor.t()
defp proxify_avatar(%Actor{} = actor), do: actor
@spec proxify_banner(Actor.t()) :: Actor.t()
defp proxify_banner(%Actor{banner: %{url: banner_url} = banner} = actor) do
actor |> Map.put(:banner, banner |> Map.put(:url, MediaProxy.url(banner_url)))
end
@spec proxify_banner(Actor.t()) :: Actor.t()
defp proxify_banner(%Actor{} = actor), do: actor
end