Delete files

2024-04-30 22:35:15 +01:00 · 2024-04-30 22:35:15 +01:00 · de275a27cb
commit de275a27cb
parent 6ed9088aaa
2 changed files with 31 additions and 7 deletions
--- a/src/db.rs
+++ b/src/db.rs
@ -27,7 +27,7 @@ impl Database {
        sqlx::migrate!("./migrations/").run(&self.pool).await
    }

-    pub async fn upsert_user(&self, pubkey: &Vec<u8>) -> Result<u32, Error> {
+    pub async fn upsert_user(&self, pubkey: &Vec<u8>) -> Result<u64, Error> {
        let res = sqlx::query("insert ignore into users(pubkey) values(?) returning id")
            .bind(pubkey)
            .fetch_optional(&self.pool)
@ -42,6 +42,14 @@ impl Database {
        }
    }

+    pub async fn get_user_id(&self, pubkey: &Vec<u8>) -> Result<u64, Error> {
+        sqlx::query("select id from users where pubkey = ?")
+            .bind(pubkey)
+            .fetch_one(&self.pool)
+            .await?
+            .try_get(0)
+    }
+
    pub async fn add_file(&self, file: &FileUpload) -> Result<(), Error> {
        sqlx::query("insert into uploads(id,user_id,name,size,mime_type) values(?,?,?,?,?)")
            .bind(&file.id)
@ -62,10 +70,11 @@ impl Database {
    }

    pub async fn delete_file(&self, file: &Vec<u8>) -> Result<(), Error> {
-        sqlx::query_as("delete from uploads where id = ?")
+        sqlx::query("delete from uploads where id = ?")
            .bind(&file)
            .execute(&self.pool)
-            .await?
+            .await?;
+        Ok(())
    }

    pub async fn list_files(&self, pubkey: &Vec<u8>) -> Result<Vec<FileUpload>, Error> {
--- a/src/routes.rs
+++ b/src/routes.rs
@ -148,7 +148,7 @@ async fn head_blob(sha256: &str, fs: &State<FileStore>) -> BlossomResponse {
 }

 #[rocket::delete("/<sha256>")]
-async fn delete_blob(sha256: &str, fs: &State<FileStore>, db: &State<Database>) -> BlossomResponse {
+async fn delete_blob(sha256: &str, auth: BlossomAuth, fs: &State<FileStore>, db: &State<Database>) -> BlossomResponse {
    let sha256 = if sha256.contains(".") {
        sha256.split('.').next().unwrap()
    } else {
@ -163,9 +163,24 @@ async fn delete_blob(sha256: &str, fs: &State<FileStore>, db: &State<Database>)
    if id.len() != 32 {
        return BlossomResponse::error("Invalid file id");
    }
-    if let Ok(Some(_info)) = db.get_file(&id).await {
-        db.delete_file(&id).await?;
-        fs::remove_file(fs.get(&id))?;
+    if !check_method(&auth.event, "delete") {
+        return BlossomResponse::error("Invalid request method tag");
+    }
+    if let Ok(Some(info)) = db.get_file(&id).await {
+        let pubkey_vec = auth.event.pubkey.to_bytes().to_vec();
+        let user = match db.get_user_id(&pubkey_vec).await {
+            Ok(u) => u,
+            Err(_e) => return BlossomResponse::error("User not found")
+        };
+        if user != info.user_id {
+            return BlossomResponse::error("You dont own this file, you cannot delete it");
+        }
+        if let Err(e) = db.delete_file(&id).await {
+            return BlossomResponse::error(format!("Failed to delete (db): {}", e));
+        }
+        if let Err(e) = fs::remove_file(fs.get(&id)) {
+            return BlossomResponse::error(format!("Failed to delete (fs): {}", e));
+        }
        BlossomResponse::StatusOnly(Status::Ok)
    } else {
        BlossomResponse::StatusOnly(Status::NotFound)