slaesvuo/hledger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

web: Add missing capability guards to /manage and /download

Browse Source
This commit is contained in:
Jakub Zárybnický 2018-06-24 23:17:56 +02:00
parent 1df2cfb322
commit 8d1ee38627
1 changed files with 5 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
hledger-web/Hledger/Web/Handler/Common.hs
View File

@ -23,13 +23,16 @@ getRootR = redirect JournalR
getManageR :: Handler Html getManageR :: Handler Html
getManageR = do getManageR = do
VD{j} <- getViewData VD{caps, j} <- getViewData
when (CapManage `notElem` caps) (permissionDenied "Missing the 'manage' capability")
defaultLayout $ do defaultLayout $ do
setTitle "Manage journal" setTitle "Manage journal"
$(widgetFile "manage") $(widgetFile "manage")
getDownloadR :: FilePath -> Handler TypedContent getDownloadR :: FilePath -> Handler TypedContent
getDownloadR f = do getDownloadR f = do
(f', txt) <- journalFile404 f . j =<< getViewData VD{caps, j} <- getViewData
when (CapManage `notElem` caps) (permissionDenied "Missing the 'manage' capability")
(f', txt) <- journalFile404 f j
addHeader "Content-Disposition" ("attachment; filename=\"" <> T.pack f' <> "\"") addHeader "Content-Disposition" ("attachment; filename=\"" <> T.pack f' <> "\"")
sendResponse ("text/plain" :: ByteString, toContent txt) sendResponse ("text/plain" :: ByteString, toContent txt)