slaesvuo/hledger
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
95d33f20f6
hledger/hledger-web/Hledger/Web/Handler/EditR.hs
Simon Michael 95d33f20f6 imp:web: access control UX cleanups (fix #834) 
Changes:

1. rename the sandstorm "manage" permission to "edit"
(old permission names: view, add, manage;
 new permission names: view, add, edit).

Rationale: "edit" best describes this permission's current powers, to users and to operators.
If we ever added more manager-type features we'd want that to be a new permission,
not a rename of the existing one (which would change the powers of existing users).

2. rename the sandstorm roles for consistency with permissions
(old role names: viewer, editor, manager;
 new role names: viewer, adder, editor)

Rationale: it's needed to avoid confusion.

3. add a new option: --allow=view|add|edit|sandstorm (default: add).
'sandstorm' sets permissions according to the X-Sandstorm-Permissions header.
Drop the --capabilities and --capabilities-header options.

Rationale: it's simpler and more intuitive.

4. replace "capability" with "permission" in ui/docs/code.

Rationale: consistent with the above, more familiar.
2023-10-24 13:37:36 +01:00

52 lines
1.6 KiB
Haskell
Raw Blame History

{-# LANGUAGE LambdaCase #-}
{-# LANGUAGE NamedFieldPuns #-}
{-# LANGUAGE OverloadedStrings #-}
{-# LANGUAGE QuasiQuotes #-}
{-# LANGUAGE ScopedTypeVariables #-}
{-# LANGUAGE TemplateHaskell #-}
module Hledger.Web.Handler.EditR
( getEditR
, postEditR
) where
import Control.Monad.Except (runExceptT)
import Hledger.Web.Import
import Hledger.Web.Widget.Common
(fromFormSuccess, helplink, journalFile404, writeJournalTextIfValidAndChanged)
editForm :: FilePath -> Text -> Form Text
editForm f txt =
identifyForm "edit" $ \extra -> do
(tRes, tView) <- mreq textareaField fs (Just (Textarea txt))
pure (unTextarea <$> tRes, $(widgetFile "edit-form"))
where
fs = FieldSettings "text" mzero mzero mzero [("class", "form-control"), ("rows", "25")]
getEditR :: FilePath -> Handler ()
getEditR f = do
checkServerSideUiEnabled
postEditR f
postEditR :: FilePath -> Handler ()
postEditR f = do
checkServerSideUiEnabled
VD {perms, j} <- getViewData
when (EditPermission `notElem` perms) (permissionDenied "Missing the 'edit' permission")
(f', txt) <- journalFile404 f j
((res, view), enctype) <- runFormPost (editForm f' txt)
newtxt <- fromFormSuccess (showForm view enctype) res
runExceptT (writeJournalTextIfValidAndChanged f newtxt) >>= \case
Left e -> do
setMessage $ "Failed to load journal: " <> toHtml e
showForm view enctype
Right () -> do
setMessage $ "Saved journal " <> toHtml f <> "\n"
redirect JournalR
where
showForm view enctype =
sendResponse <=< defaultLayout $ do
setTitle "Edit journal"
[whamlet|<form method=post enctype=#{enctype}>^{view}|]
Reference in New Issue View Git Blame Copy Permalink