From 2a85b6a136deed10b418e60cd29d98f3720e3eac Mon Sep 17 00:00:00 2001
From: koko
Date: Mon, 5 Jun 2023 17:45:25 -0400
Subject: [PATCH] Disallow moderators/administrators from issuing cases against each other (#781)
* Disallow moderators/administrators from issuing cases against each other
* Resolve suggestions from reviewers
* Only request user from db if id is valid
---
ProjectLighthouse.Localization/Error.resx | 7 ++-----
.../StringLists/ErrorStrings.cs | 3 +--
.../Pages/Moderation/NewCasePage.cshtml | 11 +++++++++++
.../Pages/Moderation/NewCasePage.cshtml.cs | 15 ++++++++++++++-
4 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/ProjectLighthouse.Localization/Error.resx b/ProjectLighthouse.Localization/Error.resx
index 131424b0..1692f130 100644
--- a/ProjectLighthouse.Localization/Error.resx
+++ b/ProjectLighthouse.Localization/Error.resx
@@ -30,9 +30,6 @@ Passwords do not match! - - Invalid Token - You must complete the captcha correctly.
@@ -42,7 +39,7 @@ Email address field is required. - - You have been banned. Please contact an administrator for more information.\nReason: {0} + + You don't have permissions to perform this action.
\ No newline at end of file
diff --git a/ProjectLighthouse.Localization/StringLists/ErrorStrings.cs b/ProjectLighthouse.Localization/StringLists/ErrorStrings.cs
index ea942865..c64c68b1 100644
--- a/ProjectLighthouse.Localization/StringLists/ErrorStrings.cs
+++ b/ProjectLighthouse.Localization/StringLists/ErrorStrings.cs
@@ -9,8 +9,7 @@ public static class ErrorStrings
 public static readonly TranslatableString EmailInvalid = create("email_invalid");
 public static readonly TranslatableString EmailTaken = create("email_taken");
 public static readonly TranslatableString CaptchaFailed = create("captcha_failed");
- public static readonly TranslatableString TokenInvalid = create("token_invalid");
- public static readonly TranslatableString UserIsBanned = create("user_banned");
+ public static readonly TranslatableString ActionNoPermission = create("action_no_permission");
 private static TranslatableString create(string key) => new(TranslationAreas.Error, key);
 }
\ No newline at end of file
diff --git a/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml b/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml
index ec666361..0ed8cadd 100644
--- a/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml
+++ b/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml
@@ -1,4 +1,5 @@
 @page "/moderation/newCase"
+@using LBPUnion.ProjectLighthouse.Localization.StringLists
 @model LBPUnion.ProjectLighthouse.Servers.Website.Pages.Moderation.NewCasePage
 @{
@@ -9,6 +10,16 @@
@Html.AntiForgeryToken() + @if (!string.IsNullOrWhiteSpace(Model.Error)) + { +
+
+ @Model.Translate(GeneralStrings.Error) +
+

@Model.Error

+
+ }
+
diff --git a/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml.cs b/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml.cs
index 2c9daf57..a44e032d 100644
--- a/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml.cs
+++ b/ProjectLighthouse.Servers.Website/Pages/Moderation/NewCasePage.cshtml.cs
@@ -1,9 +1,11 @@
 using LBPUnion.ProjectLighthouse.Database;
+using LBPUnion.ProjectLighthouse.Localization.StringLists;
 using LBPUnion.ProjectLighthouse.Servers.Website.Pages.Layouts;
 using LBPUnion.ProjectLighthouse.Types.Entities.Moderation;
 using LBPUnion.ProjectLighthouse.Types.Entities.Profile;
 using LBPUnion.ProjectLighthouse.Types.Moderation.Cases;
 using Microsoft.AspNetCore.Mvc;
+using Microsoft.EntityFrameworkCore;
 namespace LBPUnion.ProjectLighthouse.Servers.Website.Pages.Moderation;
@@ -15,6 +17,8 @@ public class NewCasePage : BaseLayout
 public CaseType Type { get; set; }
 public int AffectedId { get; set; }
+ public string? Error { get; private set; }
+
 public IActionResult OnGet([FromQuery] CaseType? type, [FromQuery] int? affectedId)
 {
 UserEntity? user = this.Database.UserFromWebRequest(this.Request);
@@ -42,7 +46,16 @@ public class NewCasePage : BaseLayout
 // if id is invalid then return bad request
 if (!await type.Value.IsIdValid((int)affectedId, this.Database)) return this.BadRequest();
-
+
+ UserEntity? affectedUserEntity =
+ await this.Database.Users.FirstOrDefaultAsync(u => u.UserId == affectedId.Value);
+
+ if (affectedUserEntity?.IsModerator ?? false)
+ {
+ this.Error = this.Translate(ErrorStrings.ActionNoPermission);
+ return this.Page();
+ }
+
 ModerationCaseEntity @case = new()
 {
 Type = type.Value,
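Review bot: The moderator check added in the `@@ -42,7 +46,16 @@` hunk runs the `Users` lookup for every case type, but `affectedId` is only a user id when the case actually targets a user; for any case type whose id `IsIdValid` validates against a different table (the dispatch on `type.Value` suggests such types exist, though their definition is outside the hunk) the query compares an unrelated id against `UserId` and will wrongly refuse a legitimate case whenever a moderator happens to share that number. Gate the lookup on the case type, e.g. `UserEntity? affectedUserEntity = type.Value.AffectsUser() ? await this.Database.Users.FirstOrDefaultAsync(u => u.UserId == affectedId.Value) : null;`, using whichever CaseType helper the project keeps next to `IsIdValid` for that purpose (`AffectsUser()` is a guess at its name). The guard also lives only in this POST handler, so any other path that creates a `ModerationCaseEntity` stays unprotected unless the rule moves into a shared helper that every case-creating path calls, and whether `IsModerator` covers administrators as the commit title promises cannot be confirmed from the hunk. The enclosing handler starts and ends outside the hunk; as a style point, `affectedUserEntity is { IsModerator: true }` reads more directly than `?.IsModerator ?? false`.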