From de275a27cbfe015177944b147bcc8962e2ee3784 Mon Sep 17 00:00:00 2001
From: kieran <kieran@harkin.me>
Date: Tue, 30 Apr 2024 22:35:15 +0100
Subject: [PATCH] Delete files

---
 src/db.rs     | 15 ++++++++++++---
 src/routes.rs | 23 +++++++++++++++++++----
 2 files changed, 31 insertions(+), 7 deletions(-)

diff --git a/src/db.rs b/src/db.rs
index 0d3eaeb..c8b13dc 100644
--- a/src/db.rs
+++ b/src/db.rs
@@ -27,7 +27,7 @@ impl Database {
         sqlx::migrate!("./migrations/").run(&self.pool).await
     }
 
-    pub async fn upsert_user(&self, pubkey: &Vec<u8>) -> Result<u32, Error> {
+    pub async fn upsert_user(&self, pubkey: &Vec<u8>) -> Result<u64, Error> {
         let res = sqlx::query("insert ignore into users(pubkey) values(?) returning id")
             .bind(pubkey)
             .fetch_optional(&self.pool)
@@ -42,6 +42,14 @@ impl Database {
         }
     }
 
+    pub async fn get_user_id(&self, pubkey: &Vec<u8>) -> Result<u64, Error> {
+        sqlx::query("select id from users where pubkey = ?")
+            .bind(pubkey)
+            .fetch_one(&self.pool)
+            .await?
+            .try_get(0)
+    }
+
     pub async fn add_file(&self, file: &FileUpload) -> Result<(), Error> {
         sqlx::query("insert into uploads(id,user_id,name,size,mime_type) values(?,?,?,?,?)")
             .bind(&file.id)
@@ -62,10 +70,11 @@ impl Database {
     }
 
     pub async fn delete_file(&self, file: &Vec<u8>) -> Result<(), Error> {
-        sqlx::query_as("delete from uploads where id = ?")
+        sqlx::query("delete from uploads where id = ?")
             .bind(&file)
             .execute(&self.pool)
-            .await?
+            .await?;
+        Ok(())
     }
 
     pub async fn list_files(&self, pubkey: &Vec<u8>) -> Result<Vec<FileUpload>, Error> {
diff --git a/src/routes.rs b/src/routes.rs
index 72a5f42..1e6ffdb 100644
--- a/src/routes.rs
+++ b/src/routes.rs
@@ -148,7 +148,7 @@ async fn head_blob(sha256: &str, fs: &State<FileStore>) -> BlossomResponse {
 }
 
 #[rocket::delete("/<sha256>")]
-async fn delete_blob(sha256: &str, fs: &State<FileStore>, db: &State<Database>) -> BlossomResponse {
+async fn delete_blob(sha256: &str, auth: BlossomAuth, fs: &State<FileStore>, db: &State<Database>) -> BlossomResponse {
     let sha256 = if sha256.contains(".") {
         sha256.split('.').next().unwrap()
     } else {
@@ -163,9 +163,24 @@ async fn delete_blob(sha256: &str, fs: &State<FileStore>, db: &State<Database>)
     if id.len() != 32 {
         return BlossomResponse::error("Invalid file id");
     }
-    if let Ok(Some(_info)) = db.get_file(&id).await {
-        db.delete_file(&id).await?;
-        fs::remove_file(fs.get(&id))?;
+    if !check_method(&auth.event, "delete") {
+        return BlossomResponse::error("Invalid request method tag");
+    }
+    if let Ok(Some(info)) = db.get_file(&id).await {
+        let pubkey_vec = auth.event.pubkey.to_bytes().to_vec();
+        let user = match db.get_user_id(&pubkey_vec).await {
+            Ok(u) => u,
+            Err(_e) => return BlossomResponse::error("User not found")
+        };
+        if user != info.user_id {
+            return BlossomResponse::error("You dont own this file, you cannot delete it");
+        }
+        if let Err(e) = db.delete_file(&id).await {
+            return BlossomResponse::error(format!("Failed to delete (db): {}", e));
+        }
+        if let Err(e) = fs::remove_file(fs.get(&id)) {
+            return BlossomResponse::error(format!("Failed to delete (fs): {}", e));
+        }
         BlossomResponse::StatusOnly(Status::Ok)
     } else {
         BlossomResponse::StatusOnly(Status::NotFound)