From 2e9c292bb989ffff2c99aa2a6062962c913b3586 Mon Sep 17 00:00:00 2001 From: Vika Date: Tue, 9 Jul 2024 22:43:21 +0300 Subject: database: use Url to represent user authorities This makes the interface more consistent and resistant to misuse. --- src/database/postgres/mod.rs | 27 ++++++++++++++------------- 1 file changed, 14 insertions(+), 13 deletions(-) (limited to 'src/database/postgres/mod.rs') diff --git a/src/database/postgres/mod.rs b/src/database/postgres/mod.rs index 71c4d58..7813045 100644 --- a/src/database/postgres/mod.rs +++ b/src/database/postgres/mod.rs @@ -1,4 +1,3 @@ -#![allow(unused_variables)] use std::borrow::Cow; use std::str::FromStr; @@ -111,11 +110,11 @@ WHERE } #[tracing::instrument(skip(self))] - async fn put_post(&self, post: &'_ serde_json::Value, user: &'_ str) -> Result<()> { + async fn put_post(&self, post: &'_ serde_json::Value, user: &url::Url) -> Result<()> { tracing::debug!("New post: {}", post); sqlx::query("INSERT INTO kittybox.mf2_json (uid, mf2, owner) VALUES ($1 #>> '{properties,uid,0}', $1, $2)") .bind(post) - .bind(user) + .bind(user.authority()) .execute(&self.db) .await .map(|_| ()) @@ -247,14 +246,14 @@ WHERE } #[tracing::instrument(skip(self))] - async fn get_channels(&self, user: &'_ str) -> Result> { + async fn get_channels(&self, user: &url::Url) -> Result> { /*sqlx::query_as::<_, MicropubChannel>("SELECT name, uid FROM kittybox.channels WHERE owner = $1") .bind(user) .fetch_all(&self.db) .await .map_err(|err| err.into())*/ sqlx::query_as::<_, MicropubChannel>(r#"SELECT mf2 #>> '{properties,name,0}' as name, uid FROM kittybox.mf2_json WHERE '["h-feed"]'::jsonb @> mf2['type'] AND owner = $1"#) - .bind(user) + .bind(user.authority()) .fetch_all(&self.db) .await .map_err(|err| err.into()) @@ -264,10 +263,12 @@ WHERE async fn read_feed_with_limit( &self, url: &'_ str, - after: &'_ Option, + after: Option<&str>, limit: usize, - user: &'_ Option, + // BUG: this doesn't seem to be used?! + user: Option<&url::Url>, ) -> Result> { + unimplemented!("read_feed_with_limit is insecure and deprecated"); let mut feed = match sqlx::query_as::<_, (serde_json::Value,)>(" SELECT jsonb_set( mf2, @@ -331,7 +332,7 @@ ORDER BY mf2 #>> '{properties,published,0}' DESC url: &'_ str, cursor: Option<&'_ str>, limit: usize, - user: Option<&'_ str> + user: Option<&url::Url> ) -> Result)>> { let mut txn = self.db.begin().await?; sqlx::query("SET TRANSACTION ISOLATION LEVEL REPEATABLE READ, READ ONLY") @@ -384,7 +385,7 @@ LIMIT $2" ) .bind(url) .bind(limit as i64) - .bind(user) + .bind(user.map(url::Url::to_string)) .bind(cursor) .fetch_all(&mut *txn) .await @@ -405,9 +406,9 @@ LIMIT $2" } #[tracing::instrument(skip(self))] - async fn get_setting, 'a>(&'_ self, user: &'_ str) -> Result { + async fn get_setting, 'a>(&'_ self, user: &url::Url) -> Result { match sqlx::query_as::<_, (serde_json::Value,)>("SELECT kittybox.get_setting($1, $2)") - .bind(user) + .bind(user.authority()) .bind(S::ID) .fetch_one(&self.db) .await @@ -418,9 +419,9 @@ LIMIT $2" } #[tracing::instrument(skip(self))] - async fn set_setting + 'a, 'a>(&self, user: &'a str, value: S::Data) -> Result<()> { + async fn set_setting + 'a, 'a>(&self, user: &'a url::Url, value: S::Data) -> Result<()> { sqlx::query("SELECT kittybox.set_setting($1, $2, $3)") - .bind(user) + .bind(user.authority()) .bind(S::ID) .bind(serde_json::to_value(S::new(value)).unwrap()) .execute(&self.db) -- cgit 1.4.1