Улучшение безопасности и обработки ошибок. Этап 1. #8
This commit is contained in:
@@ -13,16 +13,17 @@ init(Req, _Opts) ->
|
||||
end.
|
||||
|
||||
moderate(Req) ->
|
||||
case auth_admin(Req) of
|
||||
{ok, _AdminId, Req1} ->
|
||||
case authenticate_and_check_admin(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
TargetType = cowboy_req:binding(target_type, Req1),
|
||||
TargetId = cowboy_req:binding(id, Req1),
|
||||
case lists:member(TargetType, ?VALID_TARGETS) of
|
||||
true ->
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
try jsx:decode(Body, [return_maps]) of
|
||||
#{<<"action">> := Action} ->
|
||||
apply_moderation(TargetType, TargetId, Action, Req2);
|
||||
#{<<"action">> := Action} = BodyMap ->
|
||||
Reason = maps:get(<<"reason">>, BodyMap, <<"">>),
|
||||
apply_moderation(TargetType, TargetId, Action, Reason, Req2, AdminId);
|
||||
_ ->
|
||||
send_error(Req2, 400, <<"Missing 'action' field">>)
|
||||
catch
|
||||
@@ -35,68 +36,95 @@ moderate(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
apply_moderation(<<"calendar">>, Id, Action, Req) ->
|
||||
handle_calendar(Id, Action, Req);
|
||||
apply_moderation(<<"event">>, Id, Action, Req) ->
|
||||
handle_event(Id, Action, Req);
|
||||
apply_moderation(<<"review">>, Id, Action, Req) ->
|
||||
handle_review(Id, Action, Req);
|
||||
apply_moderation(<<"user">>, Id, Action, Req) ->
|
||||
handle_user(Id, Action, Req).
|
||||
apply_moderation(<<"calendar">>, Id, Action, Reason, Req, AdminId) ->
|
||||
handle_calendar(Id, Action, Reason, Req, AdminId);
|
||||
apply_moderation(<<"event">>, Id, Action, Reason, Req, AdminId) ->
|
||||
handle_event(Id, Action, Reason, Req, AdminId);
|
||||
apply_moderation(<<"review">>, Id, Action, Reason, Req, AdminId) ->
|
||||
handle_review(Id, Action, Reason, Req, AdminId);
|
||||
apply_moderation(<<"user">>, Id, Action, Reason, Req, AdminId) ->
|
||||
handle_user(Id, Action, Reason, Req, AdminId).
|
||||
|
||||
handle_calendar(Id, <<"freeze">>, Req) ->
|
||||
case core_calendar:freeze(Id) of
|
||||
{ok, Calendar} -> send_json(Req, 200, calendar_to_json(Calendar));
|
||||
handle_calendar(Id, <<"freeze">>, Reason, Req, AdminId) ->
|
||||
case core_calendar:freeze(Id, Reason) of
|
||||
{ok, Calendar} ->
|
||||
log_audit(AdminId, <<"freeze_calendar">>, <<"calendar">>, Id, Reason),
|
||||
send_json(Req, 200, calendar_to_json(Calendar));
|
||||
{error, not_found} -> send_error(Req, 404, <<"Calendar not found">>)
|
||||
end;
|
||||
handle_calendar(Id, <<"unfreeze">>, Req) ->
|
||||
case core_calendar:unfreeze(Id) of
|
||||
{ok, Calendar} -> send_json(Req, 200, calendar_to_json(Calendar));
|
||||
handle_calendar(Id, <<"unfreeze">>, Reason, Req, AdminId) ->
|
||||
case core_calendar:unfreeze(Id, Reason) of
|
||||
{ok, Calendar} ->
|
||||
log_audit(AdminId, <<"unfreeze_calendar">>, <<"calendar">>, Id, Reason),
|
||||
send_json(Req, 200, calendar_to_json(Calendar));
|
||||
{error, not_found} -> send_error(Req, 404, <<"Calendar not found">>)
|
||||
end;
|
||||
handle_calendar(_Id, _Action, Req) ->
|
||||
handle_calendar(_Id, _Action, _Reason, Req, _AdminId) ->
|
||||
send_error(Req, 400, <<"Invalid action for calendar">>).
|
||||
|
||||
handle_event(Id, <<"freeze">>, Req) ->
|
||||
case core_event:freeze(Id) of
|
||||
{ok, Event} -> send_json(Req, 200, event_to_json(Event));
|
||||
handle_event(Id, <<"freeze">>, Reason, Req, AdminId) ->
|
||||
case core_event:freeze(Id, Reason) of
|
||||
{ok, Event} ->
|
||||
log_audit(AdminId, <<"freeze_event">>, <<"event">>, Id, Reason),
|
||||
send_json(Req, 200, event_to_json(Event));
|
||||
{error, not_found} -> send_error(Req, 404, <<"Event not found">>)
|
||||
end;
|
||||
handle_event(Id, <<"unfreeze">>, Req) ->
|
||||
case core_event:unfreeze(Id) of
|
||||
{ok, Event} -> send_json(Req, 200, event_to_json(Event));
|
||||
handle_event(Id, <<"unfreeze">>, Reason, Req, AdminId) ->
|
||||
case core_event:unfreeze(Id, Reason) of
|
||||
{ok, Event} ->
|
||||
log_audit(AdminId, <<"unfreeze_event">>, <<"event">>, Id, Reason),
|
||||
send_json(Req, 200, event_to_json(Event));
|
||||
{error, not_found} -> send_error(Req, 404, <<"Event not found">>)
|
||||
end;
|
||||
handle_event(_Id, _Action, Req) ->
|
||||
handle_event(_Id, _Action, _Reason, Req, _AdminId) ->
|
||||
send_error(Req, 400, <<"Invalid action for event">>).
|
||||
|
||||
handle_review(Id, <<"hide">>, Req) ->
|
||||
case core_review:hide(Id) of
|
||||
{ok, Review} -> send_json(Req, 200, review_to_json(Review));
|
||||
handle_review(Id, <<"hide">>, Reason, Req, AdminId) ->
|
||||
case core_review:hide(Id, Reason) of
|
||||
{ok, Review} ->
|
||||
log_audit(AdminId, <<"hide_review">>, <<"review">>, Id, Reason),
|
||||
send_json(Req, 200, review_to_json(Review));
|
||||
{error, not_found} -> send_error(Req, 404, <<"Review not found">>)
|
||||
end;
|
||||
handle_review(Id, <<"show">>, Req) ->
|
||||
case core_review:show(Id) of
|
||||
{ok, Review} -> send_json(Req, 200, review_to_json(Review));
|
||||
handle_review(Id, <<"unhide">>, Reason, Req, AdminId) ->
|
||||
case core_review:unhide(Id, Reason) of
|
||||
{ok, Review} ->
|
||||
log_audit(AdminId, <<"unhide_review">>, <<"review">>, Id, Reason),
|
||||
send_json(Req, 200, review_to_json(Review));
|
||||
{error, not_found} -> send_error(Req, 404, <<"Review not found">>)
|
||||
end;
|
||||
handle_review(_Id, _Action, Req) ->
|
||||
handle_review(_Id, _Action, _Reason, Req, _AdminId) ->
|
||||
send_error(Req, 400, <<"Invalid action for review">>).
|
||||
|
||||
handle_user(Id, <<"block">>, Req) ->
|
||||
case core_user:block(Id) of
|
||||
{ok, User} -> send_json(Req, 200, user_to_json(User));
|
||||
handle_user(Id, <<"block">>, Reason, Req, AdminId) ->
|
||||
case core_user:block(Id, Reason) of
|
||||
{ok, User} ->
|
||||
log_audit(AdminId, <<"block_user">>, <<"user">>, Id, Reason),
|
||||
send_json(Req, 200, user_to_json(User));
|
||||
{error, not_found} -> send_error(Req, 404, <<"User not found">>)
|
||||
end;
|
||||
handle_user(Id, <<"unblock">>, Req) ->
|
||||
case core_user:unblock(Id) of
|
||||
{ok, User} -> send_json(Req, 200, user_to_json(User));
|
||||
handle_user(Id, <<"unblock">>, Reason, Req, AdminId) ->
|
||||
case core_user:unblock(Id, Reason) of
|
||||
{ok, User} ->
|
||||
log_audit(AdminId, <<"unblock_user">>, <<"user">>, Id, Reason),
|
||||
send_json(Req, 200, user_to_json(User));
|
||||
{error, not_found} -> send_error(Req, 404, <<"User not found">>)
|
||||
end;
|
||||
handle_user(_Id, _Action, Req) ->
|
||||
handle_user(_Id, _Action, _Reason, Req, _AdminId) ->
|
||||
send_error(Req, 400, <<"Invalid action for user">>).
|
||||
|
||||
auth_admin(Req) ->
|
||||
%% ── АУДИТ ──────────────────────────────────────────────────
|
||||
log_audit(AdminId, Action, EntityType, EntityId, Reason) ->
|
||||
case core_admin:get_by_id(AdminId) of
|
||||
{ok, Admin} ->
|
||||
core_admin_audit:log(AdminId, Admin#admin.email, Admin#admin.role,
|
||||
Action, EntityType, EntityId,
|
||||
client_ip(), Reason);
|
||||
_ -> ok
|
||||
end.
|
||||
|
||||
%% ── ВСПОМОГАТЕЛЬНЫЕ ФУНКЦИИ ────────────────────────────────
|
||||
authenticate_and_check_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
@@ -107,31 +135,37 @@ auth_admin(Req) ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
client_ip() -> <<"127.0.0.1">>.
|
||||
|
||||
calendar_to_json(C) ->
|
||||
#{
|
||||
id => C#calendar.id,
|
||||
title => C#calendar.title,
|
||||
status => atom_to_binary(C#calendar.status, utf8)
|
||||
status => atom_to_binary(C#calendar.status, utf8),
|
||||
reason => C#calendar.reason
|
||||
}.
|
||||
|
||||
event_to_json(E) ->
|
||||
#{
|
||||
id => E#event.id,
|
||||
title => E#event.title,
|
||||
status => atom_to_binary(E#event.status, utf8)
|
||||
status => atom_to_binary(E#event.status, utf8),
|
||||
reason => E#event.reason
|
||||
}.
|
||||
|
||||
review_to_json(R) ->
|
||||
#{
|
||||
id => R#review.id,
|
||||
status => atom_to_binary(R#review.status, utf8)
|
||||
status => atom_to_binary(R#review.status, utf8),
|
||||
reason => R#review.reason
|
||||
}.
|
||||
|
||||
user_to_json(U) ->
|
||||
#{
|
||||
id => U#user.id,
|
||||
email => U#user.email,
|
||||
status => atom_to_binary(U#user.status, utf8)
|
||||
status => atom_to_binary(U#user.status, utf8),
|
||||
reason => U#user.reason
|
||||
}.
|
||||
|
||||
send_json(Req, Status, Data) ->
|
||||
|
||||
@@ -12,7 +12,7 @@ init(Req, _Opts) ->
|
||||
end.
|
||||
|
||||
get_report(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
case auth_admin(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
@@ -31,17 +31,18 @@ get_report(Req) ->
|
||||
end.
|
||||
|
||||
update_report(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
case auth_admin(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReportId = cowboy_req:binding(id, Req1),
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
try jsx:decode(Body, [return_maps]) of
|
||||
#{<<"status">> := NewStatus} ->
|
||||
#{<<"status">> := NewStatus, <<"reason">> := Reason} ->
|
||||
StatusAtom = binary_to_atom(NewStatus, utf8),
|
||||
case core_report:update_status(ReportId, StatusAtom, AdminId) of
|
||||
{ok, Report} ->
|
||||
log_audit(AdminId, <<"update_report_status">>, <<"report">>, ReportId, Reason),
|
||||
send_json(Req2, 200, report_to_json(Report));
|
||||
{error, not_found} ->
|
||||
send_error(Req2, 404, <<"Report not found">>);
|
||||
@@ -49,7 +50,7 @@ update_report(Req) ->
|
||||
send_error(Req2, 500, <<"Internal server error">>)
|
||||
end;
|
||||
_ ->
|
||||
send_error(Req2, 400, <<"Missing status field">>)
|
||||
send_error(Req2, 400, <<"Missing status or reason">>)
|
||||
catch
|
||||
_:_ -> send_error(Req2, 400, <<"Invalid JSON">>)
|
||||
end;
|
||||
@@ -60,6 +61,26 @@ update_report(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
{error, Code, Message, Req1} ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
log_audit(AdminId, Action, EntityType, EntityId, Reason) ->
|
||||
case core_admin:get_by_id(AdminId) of
|
||||
{ok, Admin} ->
|
||||
core_admin_audit:log(AdminId, Admin#admin.email, Admin#admin.role,
|
||||
Action, EntityType, EntityId,
|
||||
<<"127.0.0.1">>, Reason);
|
||||
_ -> ok
|
||||
end.
|
||||
|
||||
report_to_json(R) ->
|
||||
#{
|
||||
id => R#report.id,
|
||||
|
||||
@@ -8,11 +8,11 @@ init(Req, _Opts) ->
|
||||
case cowboy_req:method(Req) of
|
||||
<<"GET">> -> list_reports(Req);
|
||||
<<"PUT">> -> update_report(Req);
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
_ -> send_error(Req, 405, <<"Method not allowed">>)
|
||||
end.
|
||||
|
||||
list_reports(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
case auth_admin(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
@@ -26,16 +26,18 @@ list_reports(Req) ->
|
||||
end.
|
||||
|
||||
update_report(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
case auth_admin(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true ->
|
||||
ReportId = cowboy_req:binding(id, Req1),
|
||||
{ok, Body, Req2} = cowboy_req:read_body(Req1),
|
||||
try jsx:decode(Body, [return_maps]) of
|
||||
#{<<"status">> := NewStatus} ->
|
||||
case core_report:update_status(ReportId, NewStatus, AdminId) of
|
||||
#{<<"status">> := NewStatus, <<"reason">> := Reason} ->
|
||||
StatusAtom = binary_to_atom(NewStatus, utf8),
|
||||
case core_report:update_status(ReportId, StatusAtom, AdminId) of
|
||||
{ok, Report} ->
|
||||
log_audit(AdminId, <<"update_report_status">>, <<"report">>, ReportId, Reason),
|
||||
send_json(Req2, 200, report_to_json(Report));
|
||||
{error, not_found} ->
|
||||
send_error(Req2, 404, <<"Report not found">>);
|
||||
@@ -43,7 +45,7 @@ update_report(Req) ->
|
||||
send_error(Req2, 500, <<"Internal server error">>)
|
||||
end;
|
||||
_ ->
|
||||
send_error(Req2, 400, <<"Missing status field">>)
|
||||
send_error(Req2, 400, <<"Missing status or reason">>)
|
||||
catch
|
||||
_:_ -> send_error(Req2, 400, <<"Invalid JSON">>)
|
||||
end;
|
||||
@@ -54,6 +56,26 @@ update_report(Req) ->
|
||||
send_error(Req1, Code, Message)
|
||||
end.
|
||||
|
||||
auth_admin(Req) ->
|
||||
case handler_auth:authenticate(Req) of
|
||||
{ok, AdminId, Req1} ->
|
||||
case admin_utils:is_admin(AdminId) of
|
||||
true -> {ok, AdminId, Req1};
|
||||
false -> {error, 403, <<"Admin access required">>, Req1}
|
||||
end;
|
||||
{error, Code, Message, Req1} ->
|
||||
{error, Code, Message, Req1}
|
||||
end.
|
||||
|
||||
log_audit(AdminId, Action, EntityType, EntityId, Reason) ->
|
||||
case core_admin:get_by_id(AdminId) of
|
||||
{ok, Admin} ->
|
||||
core_admin_audit:log(AdminId, Admin#admin.email, Admin#admin.role,
|
||||
Action, EntityType, EntityId,
|
||||
<<"127.0.0.1">>, Reason);
|
||||
_ -> ok
|
||||
end.
|
||||
|
||||
report_to_json(R) ->
|
||||
#{
|
||||
id => R#report.id,
|
||||
|
||||
Reference in New Issue
Block a user