Disallow moderators/administrators from issuing cases against each other (#781)

* Disallow moderators/administrators from issuing cases against each other * Resolve suggestions from reviewers * Only request user from db if id is valid
2025-04-19 19:14:51 +00:00 · 2023-06-05 17:45:25 -04:00 · 2023-06-05 17:45:25 -04:00 · 2a85b6a136
commit 2a85b6a136
parent 572c942ee8
4 changed files with 28 additions and 8 deletions
--- a/ProjectLighthouse.Localization/Error.resx
+++ b/ProjectLighthouse.Localization/Error.resx
@ -30,9 +30,6 @@
    <data name="password_doesnt_match" xml:space="preserve">
        <value>Passwords do not match!</value>
    </data>
-    <data name="token_invalid" xml:space="preserve">
-        <value>Invalid Token</value>
-    </data>
    <data name="captcha_failed" xml:space="preserve">
        <value>You must complete the captcha correctly.</value>
    </data>
@ -42,7 +39,7 @@
    <data name="email_invalid" xml:space="preserve">
        <value>Email address field is required.</value>
    </data>
-    <data name="user_banned" xml:space="preserve">
-        <value>You have been banned. Please contact an administrator for more information.\nReason: {0}</value>
+    <data name="action_no_permission" xml:space="preserve">
+        <value>You don't have permissions to perform this action.</value>
    </data>
 </root>
--- a/ProjectLighthouse.Localization/StringLists/ErrorStrings.cs
+++ b/ProjectLighthouse.Localization/StringLists/ErrorStrings.cs
@ -9,8 +9,7 @@ public static class ErrorStrings
    public static readonly TranslatableString EmailInvalid = create("email_invalid");
    public static readonly TranslatableString EmailTaken = create("email_taken");
    public static readonly TranslatableString CaptchaFailed = create("captcha_failed");
-    public static readonly TranslatableString TokenInvalid = create("token_invalid");
-    public static readonly TranslatableString UserIsBanned = create("user_banned");
+    public static readonly TranslatableString ActionNoPermission = create("action_no_permission");
    
    private static TranslatableString create(string key) => new(TranslationAreas.Error, key);
 }
--- a/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml
+++ b/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml
@ -1,4 +1,5 @@
@page "/moderation/newCase"
+@using LBPUnion.ProjectLighthouse.Localization.StringLists
@model LBPUnion.ProjectLighthouse.Servers.Website.Pages.Moderation.NewCasePage

@{
@ -9,6 +10,16 @@
 <form method="post">
    @Html.AntiForgeryToken()
    
+    @if (!string.IsNullOrWhiteSpace(Model.Error))
+    {
+        <div class="ui negative message">
+            <div class="header">
+                @Model.Translate(GeneralStrings.Error)
+            </div>
+            <p style="white-space: pre-line">@Model.Error</p>
+        </div>
+    }
+    
    <input type="hidden" name="type" value="@((int)Model.Type)"/>
    <input type="hidden" name="affectedId" value="@Model.AffectedId"/>

--- a/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml.cs
+++ b/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml.cs
@ -1,9 +1,11 @@
 using LBPUnion.ProjectLighthouse.Database;
+using LBPUnion.ProjectLighthouse.Localization.StringLists;
 using LBPUnion.ProjectLighthouse.Servers.Website.Pages.Layouts;
 using LBPUnion.ProjectLighthouse.Types.Entities.Moderation;
 using LBPUnion.ProjectLighthouse.Types.Entities.Profile;
 using LBPUnion.ProjectLighthouse.Types.Moderation.Cases;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;

 namespace LBPUnion.ProjectLighthouse.Servers.Website.Pages.Moderation;

@ -15,6 +17,8 @@ public class NewCasePage : BaseLayout
    public CaseType Type { get; set; }
    public int AffectedId { get; set; }

+    public string? Error { get; private set; }
+
    public IActionResult OnGet([FromQuery] CaseType? type, [FromQuery] int? affectedId)
    {
        UserEntity? user = this.Database.UserFromWebRequest(this.Request);
@ -42,7 +46,16 @@ public class NewCasePage : BaseLayout
        
        // if id is invalid then return bad request
        if (!await type.Value.IsIdValid((int)affectedId, this.Database)) return this.BadRequest();
-        
+
+        UserEntity? affectedUserEntity =
+            await this.Database.Users.FirstOrDefaultAsync(u => u.UserId == affectedId.Value);
+
+        if (affectedUserEntity?.IsModerator ?? false)
+        {
+            this.Error = this.Translate(ErrorStrings.ActionNoPermission);
+            return this.Page();
+        }
+
        ModerationCaseEntity @case = new()
        {
            Type = type.Value,