nip29: smarter access control rules for moderation actions.

2025-09-18 03:22:22 +02:00 · 2024-01-18 21:06:43 -03:00
parent 2586144a5c
commit fb92dc49dd
1 changed files with 36 additions and 17 deletions
--- a/nip29/relay/relay.go
+++ b/nip29/relay/relay.go
@@ -88,7 +88,7 @@ var moderationActionFactories = map[int]func(*nostr.Event) (Action, error){
 		}
 		if len(permissions) > 0 && len(targets) > 0 {
-			return &AddPermission{Targets: targets, Permissions: permissions}, nil
+			return &AddPermission{Initiator: evt.PubKey, Targets: targets, Permissions: permissions}, nil
 		}
 		return nil, fmt.Errorf("")
@@ -185,8 +185,16 @@ type RemoveUser struct {
 func (RemoveUser) PermissionName() nip29.Permission { return nip29.PermRemoveUser }
 func (a RemoveUser) Apply(group *nip29.Group) {
-	for _, target := range a.Targets {
+	for _, tpk := range a.Targets {
-		delete(group.Members, target)
+		if target, ok := group.Members[tpk]; ok {
 			if target != nip29.EmptyRole {
 				_, hasSuperiorOrEqualPermission := target.Permissions[nip29.PermRemoveUser]
 				if hasSuperiorOrEqualPermission {
 					continue
 				}
 			}
 			delete(group.Members, tpk)
 		}
 	}
 }
@@ -206,25 +214,31 @@ func (a EditMetadata) Apply(group *nip29.Group) {
 }
 type AddPermission struct {
 	Initiator   string // the user who is adding the permissions
 	Targets     []string
 	Permissions []nip29.Permission
 }
 func (AddPermission) PermissionName() nip29.Permission { return nip29.PermAddPermission }
 func (a AddPermission) Apply(group *nip29.Group) {
-	for _, target := range a.Targets {
+	for _, tpk := range a.Targets {
-		role, ok := group.Members[target]
+		target, ok := group.Members[tpk]
 		// if it's a normal user, create a new permissions object thing for this user
 		// instead of modifying the global EmptyRole
-		if !ok || role == nip29.EmptyRole {
+		if !ok || target == nip29.EmptyRole {
-			role = &nip29.Role{Permissions: make(map[nip29.Permission]struct{})}
+			target = &nip29.Role{Permissions: make(map[nip29.Permission]struct{})}
-			group.Members[target] = role
+			group.Members[tpk] = target
 		}
-		// add all permissions listed
+		// only add permissions that the user performing this already have
-		for _, perm := range a.Permissions {
+		initiator, ok := group.Members[a.Initiator]
-			role.Permissions[perm] = struct{}{}
+		if ok {
 			for _, perm := range a.Permissions {
 				if _, has := initiator.Permissions[perm]; has {
 					target.Permissions[perm] = struct{}{}
 				}
 			}
 		}
 	}
 }
@@ -236,20 +250,25 @@ type RemovePermission struct {
 func (RemovePermission) PermissionName() nip29.Permission { return nip29.PermRemovePermission }
 func (a RemovePermission) Apply(group *nip29.Group) {
-	for _, target := range a.Targets {
+	for _, tpk := range a.Targets {
-		role, ok := group.Members[target]
+		target, ok := group.Members[tpk]
-		if !ok || role == nip29.EmptyRole {
+		if !ok || target == nip29.EmptyRole {
 			continue
 		}
 		_, hasSuperiorOrEqualPermission := target.Permissions[nip29.PermRemovePermission]
 		if hasSuperiorOrEqualPermission {
 			continue
 		}
 		// remove all permissions listed
 		for _, perm := range a.Permissions {
-			delete(role.Permissions, perm)
+			delete(target.Permissions, perm)
 		}
 		// if no more permissions are available, change this guy to be a normal user
-		if role.Name == "" && len(role.Permissions) == 0 {
+		if target.Name == "" && len(target.Permissions) == 0 {
-			group.Members[target] = nip29.EmptyRole
+			group.Members[tpk] = nip29.EmptyRole
 		}
 	}
 }