require permission to delete quotes

2026-05-06 02:24:05 +02:00
parent e7c0523841
commit 84dde9cc4b
1 changed files with 13 additions and 3 deletions
--- a/src/web/pages/quotes/id.rs
+++ b/src/web/pages/quotes/id.rs
@@ -3,6 +3,7 @@ use axum::{
    http::HeaderMap,
    response::{IntoResponse, Redirect, Response},
 };
+use http::StatusCode;
 use maud::{PreEscaped, html};
 use uuid::Uuid;

@@ -14,6 +15,7 @@ use crate::{
    users::{
        User,
        auth::{UserAuthRequired, UserAuthenticate},
+        permissions::Permission,
    },
    web::{
        components::{nav::nav, quote::quote},
@@ -33,6 +35,9 @@ pub async fn page(
        None => return Ok(Redirect::to(&format!("/login?r={}", req.uri().path())).into_response()),
    };
    let q = Quote::get_by_id(&mut conn, id).await;
+    let can_delete = u
+        .has_permission(&mut conn, Permission::DeleteQuotes)
+        .await?;

    Ok(base(
        "Add Quote | Mnemosyne",
@@ -53,9 +58,11 @@ pub async fn page(
                            span class="scale-[.75]" {(PreEscaped(icons::PEN))}
                            "Edit"
                        }
-                        a href=(format!("/quotes/{id}/delete")) class="px-2 py-1 cursor-pointer border rounded flex flex-row gap-1 bg-pink-400/10 border-pink-400/25 hover:bg-pink-400/20 hover:border-pink-400/45" {
-                            span class="scale-[.75]" {(PreEscaped(icons::TRASH))}
-                            "Delete"
+                        @if can_delete {
+                            a href=(format!("/quotes/{id}/delete")) class="px-2 py-1 cursor-pointer border rounded flex flex-row gap-1 bg-pink-400/10 border-pink-400/25 hover:bg-pink-400/20 hover:border-pink-400/45" {
+                                span class="scale-[.75]" {(PreEscaped(icons::TRASH))}
+                                "Delete"
+                            }
                        }
                    }
                } @else {
@@ -126,6 +133,9 @@ pub async fn delete(
 ) -> Result<Response, CompositeError> {
    let mut tx = state.pool.begin().await?;
    let u = User::authenticate(&mut *tx, &headers).await?.required()?;
+    if !u.has_permission(&mut tx, Permission::DeleteQuotes).await? {
+        return Ok((StatusCode::FORBIDDEN, "No permission.").into_response());
+    }

    let q = Quote::get_by_id(&mut *tx, id).await?;
    LogEntry::new(&mut *tx, u, LogAction::DeleteQuote { quote: q.clone() }).await?;