about summary refs log tree commit diff
path: root/src/database/postgres
diff options
context:
space:
mode:
authorVika <vika@fireburn.ru>2024-07-09 22:43:21 +0300
committerVika <vika@fireburn.ru>2024-07-09 22:44:01 +0300
commit2e9c292bb989ffff2c99aa2a6062962c913b3586 (patch)
tree9c148d9e8fcbd7756ab8d27ae110075beea8e615 /src/database/postgres
parent644e19aa08b2629d4b69281e14d702f0b9673687 (diff)
downloadkittybox-2e9c292bb989ffff2c99aa2a6062962c913b3586.tar.zst
database: use Url to represent user authorities
This makes the interface more consistent and resistant to misuse.
Diffstat (limited to 'src/database/postgres')
-rw-r--r--src/database/postgres/mod.rs27
1 files changed, 14 insertions, 13 deletions
diff --git a/src/database/postgres/mod.rs b/src/database/postgres/mod.rs
index 71c4d58..7813045 100644
--- a/src/database/postgres/mod.rs
+++ b/src/database/postgres/mod.rs
@@ -1,4 +1,3 @@
-#![allow(unused_variables)]
 use std::borrow::Cow;
 use std::str::FromStr;
 
@@ -111,11 +110,11 @@ WHERE
     }
 
     #[tracing::instrument(skip(self))]
-    async fn put_post(&self, post: &'_ serde_json::Value, user: &'_ str) -> Result<()> {
+    async fn put_post(&self, post: &'_ serde_json::Value, user: &url::Url) -> Result<()> {
         tracing::debug!("New post: {}", post);
         sqlx::query("INSERT INTO kittybox.mf2_json (uid, mf2, owner) VALUES ($1 #>> '{properties,uid,0}', $1, $2)")
             .bind(post)
-            .bind(user)
+            .bind(user.authority())
             .execute(&self.db)
             .await
             .map(|_| ())
@@ -247,14 +246,14 @@ WHERE
     }
 
     #[tracing::instrument(skip(self))]
-    async fn get_channels(&self, user: &'_ str) -> Result<Vec<MicropubChannel>> {
+    async fn get_channels(&self, user: &url::Url) -> Result<Vec<MicropubChannel>> {
         /*sqlx::query_as::<_, MicropubChannel>("SELECT name, uid FROM kittybox.channels WHERE owner = $1")
             .bind(user)
             .fetch_all(&self.db)
             .await
             .map_err(|err| err.into())*/
         sqlx::query_as::<_, MicropubChannel>(r#"SELECT mf2 #>> '{properties,name,0}' as name, uid FROM kittybox.mf2_json WHERE '["h-feed"]'::jsonb @> mf2['type'] AND owner = $1"#)
-            .bind(user)
+            .bind(user.authority())
             .fetch_all(&self.db)
             .await
             .map_err(|err| err.into())
@@ -264,10 +263,12 @@ WHERE
     async fn read_feed_with_limit(
         &self,
         url: &'_ str,
-        after: &'_ Option<String>,
+        after: Option<&str>,
         limit: usize,
-        user: &'_ Option<String>,
+        // BUG: this doesn't seem to be used?!
+        user: Option<&url::Url>,
     ) -> Result<Option<serde_json::Value>> {
+        unimplemented!("read_feed_with_limit is insecure and deprecated");
         let mut feed = match sqlx::query_as::<_, (serde_json::Value,)>("
 SELECT jsonb_set(
     mf2,
@@ -331,7 +332,7 @@ ORDER BY mf2 #>> '{properties,published,0}' DESC
         url: &'_ str,
         cursor: Option<&'_ str>,
         limit: usize,
-        user: Option<&'_ str>
+        user: Option<&url::Url>
     ) -> Result<Option<(serde_json::Value, Option<String>)>> {
         let mut txn = self.db.begin().await?;
         sqlx::query("SET TRANSACTION ISOLATION LEVEL REPEATABLE READ, READ ONLY")
@@ -384,7 +385,7 @@ LIMIT $2"
         )
             .bind(url)
             .bind(limit as i64)
-            .bind(user)
+            .bind(user.map(url::Url::to_string))
             .bind(cursor)
             .fetch_all(&mut *txn)
             .await
@@ -405,9 +406,9 @@ LIMIT $2"
     }
 
     #[tracing::instrument(skip(self))]
-    async fn get_setting<S: Setting<'a>, 'a>(&'_ self, user: &'_ str) -> Result<S> {
+    async fn get_setting<S: Setting<'a>, 'a>(&'_ self, user: &url::Url) -> Result<S> {
         match sqlx::query_as::<_, (serde_json::Value,)>("SELECT kittybox.get_setting($1, $2)")
-            .bind(user)
+            .bind(user.authority())
             .bind(S::ID)
             .fetch_one(&self.db)
             .await
@@ -418,9 +419,9 @@ LIMIT $2"
     }
 
     #[tracing::instrument(skip(self))]
-    async fn set_setting<S: Setting<'a> + 'a, 'a>(&self, user: &'a str, value: S::Data) -> Result<()> {
+    async fn set_setting<S: Setting<'a> + 'a, 'a>(&self, user: &'a url::Url, value: S::Data) -> Result<()> {
         sqlx::query("SELECT kittybox.set_setting($1, $2, $3)")
-            .bind(user)
+            .bind(user.authority())
             .bind(S::ID)
             .bind(serde_json::to_value(S::new(value)).unwrap())
             .execute(&self.db)