fix apps

routes/staff/assets/ensurepanelauth.go

@@ -5,57 +5,35 @@ import (
 	"errors"
 	"net/http"
 	"popplio/state"
-	"strings"
 )
 
-const (
-	CapViewApps   = "ViewApps"
-	CapManageApps = "ManageApps"
-)
-
-func EnsurePanelAuth(ctx context.Context, r *http.Request) (uid string, caps []string, err error) {
+func EnsurePanelAuth(ctx context.Context, r *http.Request) (uid string, err error) {
 	ssToken := r.Header.Get("X-Staff-Auth-Token")
-	loginToken := r.Header.Get("Authorization")
-	userCapabilities := r.Header.Get("X-User-Capabilities")
+	userId := r.Header.Get("X-User-ID")
 
 	if ssToken == "" {
-		return "", nil, errors.New("missing staff auth token normally sent by Arcadia")
+		return "", errors.New("missing staff auth token normally sent by Arcadia")
 	}
 
-	if loginToken == "" {
-		return "", nil, errors.New("missing authorization header")
+	if ssToken == "" {
+		return "", errors.New("missing authorization header")
 	}
 
-	_, err = state.Pool.Exec(ctx, "DELETE FROM staffpanel__authchain WHERE created_at < NOW() - INTERVAL '30 minutes'")
-
-	if err != nil {
-		return "", nil, err
+	if userId == "" {
+		return "", errors.New("missing user id header")
 	}
 
 	var count int64
 
-	err = state.Pool.QueryRow(ctx, "SELECT COUNT(*) FROM staffpanel__authchain WHERE token = $1", loginToken).Scan(&count)
+	err = state.Pool.QueryRow(ctx, "SELECT COUNT(*) FROM staffpanel__authchain WHERE popplio_token = $1 AND user_id = $2", ssToken, userId).Scan(&count)
 
 	if err != nil {
-		return "", nil, err
+		return "", err
 	}
 
 	if count == 0 {
-		return "", nil, errors.New("identityExpired")
-	}
-
-	var userId string
-	var popplioToken string
-
-	err = state.Pool.QueryRow(ctx, "SELECT user_id, popplio_token FROM staffpanel__authchain WHERE token = $1 AND state = 'active'", loginToken).Scan(&userId, &popplioToken)
-
-	if err != nil {
-		return "", nil, err
-	}
-
-	if popplioToken != ssToken {
-		return "", nil, errors.New("invalid staff auth token")
+		return "", errors.New("identityExpired")
 	}
 
-	return userId, strings.Split(userCapabilities, ","), nil
+	return userId, nil
 }

routes/staff/endpoints/get_app_list/route.go

@@ -6,7 +6,8 @@ import (
 	"popplio/routes/staff/assets"
 	"popplio/state"
 	"popplio/types"
-	"slices"
+	"popplio/validators/kittycat/ext"
+	"popplio/validators/kittycat/perms"
 	"strings"
 
 	docs "github.com/infinitybotlist/eureka/doclib"
@@ -41,8 +42,7 @@ func Docs() *docs.Doc {
 
 func Route(d uapi.RouteData, r *http.Request) uapi.HttpResponse {
 	var err error
-	var caps []string
-	d.Auth.ID, caps, err = assets.EnsurePanelAuth(d.Context, r)
+	d.Auth.ID, err = assets.EnsurePanelAuth(d.Context, r)
 
 	if err != nil {
 		return uapi.HttpResponse{
@@ -51,8 +51,19 @@ func Route(d uapi.RouteData, r *http.Request) uapi.HttpResponse {
 		}
 	}
 
+	permList, err := ext.GetUserStaffPerms(d.Context, d.Auth.ID)
+
+	if err != nil {
+		return uapi.HttpResponse{
+			Status: http.StatusFailedDependency,
+			Json:   types.ApiError{Message: err.Error()},
+		}
+	}
+
+	resolvedPerms := permList.Resolve()
+
 	// Check if the user has the permission to view apps
-	if !slices.Contains(caps, assets.CapViewApps) {
+	if !perms.HasPerm(resolvedPerms, "apps.view") {
 		return uapi.HttpResponse{
 			Status: http.StatusForbidden,
 			Json: types.ApiError{

routes/staff/endpoints/manage_app/route.go

@@ -9,7 +9,8 @@ import (
 	"popplio/routes/staff/assets"
 	"popplio/state"
 	"popplio/types"
-	"slices"
+	"popplio/validators/kittycat/ext"
+	"popplio/validators/kittycat/perms"
 	"strings"
 
 	docs "github.com/infinitybotlist/eureka/doclib"
@@ -53,8 +54,7 @@ func Docs() *docs.Doc {
 
 func Route(d uapi.RouteData, r *http.Request) uapi.HttpResponse {
 	var err error
-	var caps []string
-	d.Auth.ID, caps, err = assets.EnsurePanelAuth(d.Context, r)
+	d.Auth.ID, err = assets.EnsurePanelAuth(d.Context, r)
 
 	if err != nil {
 		return uapi.HttpResponse{
@@ -63,12 +63,23 @@ func Route(d uapi.RouteData, r *http.Request) uapi.HttpResponse {
 		}
 	}
 
-	// Check if the user has the permission to manage apps
-	if !slices.Contains(caps, assets.CapManageApps) {
+	permList, err := ext.GetUserStaffPerms(d.Context, d.Auth.ID)
+
+	if err != nil {
+		return uapi.HttpResponse{
+			Status: http.StatusFailedDependency,
+			Json:   types.ApiError{Message: err.Error()},
+		}
+	}
+
+	resolvedPerms := permList.Resolve()
+
+	// Check if the user has the permission to view apps
+	if !perms.HasPerm(resolvedPerms, "apps.view") {
 		return uapi.HttpResponse{
 			Status: http.StatusForbidden,
 			Json: types.ApiError{
-				Message: "You do not have permission to manage apps.",
+				Message: "You do not have permission to view apps.",
 			},
 		}
 	}

routes/users/endpoints/get_user/route.go

@@ -188,6 +188,18 @@ func Route(d uapi.RouteData, r *http.Request) uapi.HttpResponse {
 		return uapi.DefaultResponse(http.StatusInternalServerError)
 	}
 
+	// Fetch staff status
+	var positions int
+
+	err = state.Pool.QueryRow(d.Context, "SELECT cardinality(positions) FROM staff_members WHERE user_id = $1", user.ID).Scan(&positions)
+
+	if !errors.Is(err, pgx.ErrNoRows) && err != nil {
+		state.Logger.Error("Error while getting staff status", zap.Error(err), zap.String("userID", user.ID))
+		return uapi.DefaultResponse(http.StatusInternalServerError)
+	}
+
+	user.Staff = positions > 0
+
 	return uapi.HttpResponse{
 		Json: user,
 	}

types/user.go

@@ -27,6 +27,7 @@ type User struct {
 	About                 pgtype.Text             `db:"about" json:"about"`
 	VoteBanned            bool                    `db:"vote_banned" json:"vote_banned"`
 	Banned                bool                    `db:"banned" json:"banned"`
+	Staff                 bool                    `db:"-" json:"staff" ci:"internal"`      // Must be handled internally
 	UserTeams             []Team                  `db:"-" json:"user_teams" ci:"internal"` // Must be handled internally
 	UserBots              []IndexBot              `db:"-" json:"user_bots" ci:"internal"`  // Must be handled internally
 	UserPacks             []IndexBotPack          `db:"-" json:"user_packs" ci:"internal"` // Must be handled internally