allow api use via current_site, better check for current_site

2025-05-15 08:57:17 +02:00 · 2024-02-16 10:50:36 -06:00 · 2024-02-16 10:50:36 -06:00 · 59dbc1b2e1
commit 59dbc1b2e1
parent b89ffc2bad
5 changed files with 23 additions and 36 deletions
--- a/app/api.rb
+++ b/app/api.rb
@ -183,6 +183,8 @@ post '/api/:name' do
 end

 def require_api_credentials
+  return true if current_site
+
  if !request.env['HTTP_AUTHORIZATION'].nil?
    init_api_credentials
    api_error(403, 'email_not_validated', 'you need to validate your email address before using the API') if email_not_validated?
--- a/app/create.rb
+++ b/app/create.rb
@ -64,15 +64,6 @@ end

 post '/create' do
  content_type :json
-
-  if banned?(true)
-    signout
-    session[:banned] = true if !session[:banned]
-
-    flash[:error] = 'There was an error, please <a href="/contact">contact support</a> to log in.'
-    redirect '/'
-  end
-
  dashboard_if_signed_in

  @site = Site.new(
--- a/app_helpers.rb
+++ b/app_helpers.rb
@ -16,8 +16,6 @@ end

 def require_login
  redirect '/' unless signed_in? && current_site
-  enforce_ban if banned?
-  signout if deleted?
 end

 def signed_in?
@ -27,30 +25,18 @@ end
 def current_site
  return nil if session[:id].nil?
  @_site ||= Site[id: session[:id]]
+  @_parent_site ||= @_site.parent
+
+  if @_site.is_banned || @_site.is_deleted || (@_parent_site && (@_parent_site.is_banned || @_parent_site.is_deleted))
+    signout
+    redirect '/'
+  end
+
+  @_site
 end

 def parent_site
-  return nil if current_site.nil?
-  current_site.parent? ? current_site : current_site.parent
-end
-
-def deleted?
-  return true if current_site && current_site.is_deleted
-  false
-end
-
-def banned?(ip_check=false)
-  #return true if session[:banned]
-  return true if current_site && (current_site.is_banned || parent_site.is_banned)
-
-  return true if ip_check && Site.banned_ip?(request.ip)
-  false
-end
-
-def enforce_ban
-  signout
-  session[:banned] = true
-  redirect '/'
+  @_parent_site || current_site
 end

 def meta_robots(newtag=nil)
--- a/models/site.rb
+++ b/models/site.rb
@ -524,10 +524,6 @@ class Site < Sequel::Model
    true
  end

-  def is_banned?
-    is_banned
-  end
-
  def unban!
    undelete!
    self.is_banned = false
--- a/tests/api_tests.rb
+++ b/tests/api_tests.rb
@ -308,6 +308,18 @@ describe 'api' do
      _(site_file_exists?('test.jpg')).must_equal true
    end

+    it 'succeeds with valid user session' do
+      create_site
+      post '/api/upload',
+           {'test.jpg' => Rack::Test::UploadedFile.new('./tests/files/test.jpg', 'image/jpeg'),
+            'csrf_token' => 'abcd'},
+           {'rack.session' => { 'id' => @site.id, '_csrf_token' => 'abcd' }}
+
+      _(res[:result]).must_equal 'success'
+      _(last_response.status).must_equal 200
+      _(site_file_exists?('test.jpg')).must_equal true
+    end
+
    it 'fails with bad api key' do
      create_site
      @site.generate_api_key!