X-Git-Url: https://git.r.bdr.sh/rbdr/mobius/blobdiff_plain/0db54aa79140c6656f99a851f582c84a0de04233..23c73ccc6de4abf33553531bdd37459ed2f26f0b:/hotline/transaction_handlers.go

diff --git a/hotline/transaction_handlers.go b/hotline/transaction_handlers.go
index 9b25ef0..5a9ea5e 100644
--- a/hotline/transaction_handlers.go
+++ b/hotline/transaction_handlers.go
@@ -6,7 +6,6 @@ import (
 	"errors"
 	"fmt"
 	"gopkg.in/yaml.v3"
-	"io/ioutil"
 	"math/big"
 	"os"
 	"path"
@@ -322,14 +321,29 @@ func HandleSendInstantMsg(cc *ClientConn, t *Transaction) (res []Transaction, er
 		reply.Fields = append(reply.Fields, NewField(fieldQuotingMsg, t.GetField(fieldQuotingMsg).Data))
 	}
 
-	res = append(res, *reply)
-
 	id, _ := byteToInt(ID.Data)
 	otherClient, ok := cc.Server.Clients[uint16(id)]
 	if !ok {
 		return res, errors.New("invalid client ID")
 	}
 
+	// Check if target user has "Refuse private messages" flag
+	flagBitmap := big.NewInt(int64(binary.BigEndian.Uint16(otherClient.Flags)))
+	if flagBitmap.Bit(userFLagRefusePChat) == 1 {
+		res = append(res,
+			*NewTransaction(
+				tranServerMsg,
+				cc.ID,
+				NewField(fieldData, []byte(string(otherClient.UserName)+" does not accept private messages.")),
+				NewField(fieldUserName, otherClient.UserName),
+				NewField(fieldUserID, *otherClient.ID),
+				NewField(fieldOptions, []byte{0, 2}),
+			),
+		)
+	} else {
+		res = append(res, *reply)
+	}
+
 	// Respond with auto reply if other client has it enabled
 	if len(otherClient.AutoReply) > 0 {
 		res = append(res,
@@ -463,7 +477,7 @@ func HandleSetFileInfo(cc *ClientConn, t *Transaction) (res []Transaction, err e
 				return res, err
 			}
 			if err != nil {
-				panic(err)
+				return res, err
 			}
 		}
 	}
@@ -791,6 +805,15 @@ func HandleUpdateUser(cc *ClientConn, t *Transaction) (res []Transaction, err er
 			newAccess := accessBitmap{}
 			copy(newAccess[:], getField(fieldUserAccess, &subFields).Data[:])
 
+			// Prevent account from creating new account with greater permission
+			for i := 0; i < 64; i++ {
+				if newAccess.IsSet(i) {
+					if !cc.Authorize(i) {
+						return append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself.")), err
+					}
+				}
+			}
+
 			err := cc.Server.NewUser(login, string(getField(fieldUserName, &subFields).Data), string(getField(fieldUserPassword, &subFields).Data), newAccess)
 			if err != nil {
 				return []Transaction{}, err
@@ -820,6 +843,16 @@ func HandleNewUser(cc *ClientConn, t *Transaction) (res []Transaction, err error
 	newAccess := accessBitmap{}
 	copy(newAccess[:], t.GetField(fieldUserAccess).Data[:])
 
+	// Prevent account from creating new account with greater permission
+	for i := 0; i < 64; i++ {
+		if newAccess.IsSet(i) {
+			if !cc.Authorize(i) {
+				res = append(res, cc.NewErrReply(t, "Cannot create account with more access than yourself."))
+				return res, err
+			}
+		}
+	}
+
 	if err := cc.Server.NewUser(login, string(t.GetField(fieldUserName).Data), string(t.GetField(fieldUserPassword).Data), newAccess); err != nil {
 		return []Transaction{}, err
 	}
@@ -1005,7 +1038,7 @@ func HandleTranOldPostNews(cc *ClientConn, t *Transaction) (res []Transaction, e
 	cc.Server.FlatNews = append([]byte(newsPost), cc.Server.FlatNews...)
 
 	// update news on disk
-	if err := ioutil.WriteFile(cc.Server.ConfigDir+"MessageBoard.txt", cc.Server.FlatNews, 0644); err != nil {
+	if err := cc.Server.FS.WriteFile(filepath.Join(cc.Server.ConfigDir, "MessageBoard.txt"), cc.Server.FlatNews, 0644); err != nil {
 		return res, err
 	}
 
@@ -1244,18 +1277,15 @@ func HandleGetNewsArtData(cc *ClientConn, t *Transaction) (res []Transaction, er
 	return res, err
 }
 
+// HandleDelNewsItem deletes an existing threaded news folder or category from the server.
+// Fields used in the request:
+// 325	News path
+// Fields used in the reply:
+// None
 func HandleDelNewsItem(cc *ClientConn, t *Transaction) (res []Transaction, err error) {
-	// Has multiple access flags: News Delete Folder (37) or News Delete Category (35)
-	// TODO: Implement
-
 	pathStrs := ReadNewsPath(t.GetField(fieldNewsPath).Data)
 
-	// TODO: determine if path is a Folder (Bundle) or Category and check for permission
-
-	cc.logger.Infof("DelNewsItem %v", pathStrs)
-
 	cats := cc.Server.ThreadedNews.Categories
-
 	delName := pathStrs[len(pathStrs)-1]
 	if len(pathStrs) > 1 {
 		for _, fp := range pathStrs[0 : len(pathStrs)-1] {
@@ -1263,17 +1293,23 @@ func HandleDelNewsItem(cc *ClientConn, t *Transaction) (res []Transaction, err e
 		}
 	}
 
+	if bytes.Equal(cats[delName].Type, []byte{0, 3}) {
+		if !cc.Authorize(accessNewsDeleteCat) {
+			return append(res, cc.NewErrReply(t, "You are not allowed to delete news categories.")), nil
+		}
+	} else {
+		if !cc.Authorize(accessNewsDeleteFldr) {
+			return append(res, cc.NewErrReply(t, "You are not allowed to delete news folders.")), nil
+		}
+	}
+
 	delete(cats, delName)
 
-	err = cc.Server.writeThreadedNews()
-	if err != nil {
+	if err := cc.Server.writeThreadedNews(); err != nil {
 		return res, err
 	}
 
-	// Reply params: none
-	res = append(res, cc.NewReply(t))
-
-	return res, err
+	return append(res, cc.NewReply(t)), nil
 }
 
 func HandleDelNewsArt(cc *ClientConn, t *Transaction) (res []Transaction, err error) {
@@ -1702,15 +1738,33 @@ func HandleInviteNewChat(cc *ClientConn, t *Transaction) (res []Transaction, err
 	targetID := t.GetField(fieldUserID).Data
 	newChatID := cc.Server.NewPrivateChat(cc)
 
-	res = append(res,
-		*NewTransaction(
-			tranInviteToChat,
-			&targetID,
-			NewField(fieldChatID, newChatID),
-			NewField(fieldUserName, cc.UserName),
-			NewField(fieldUserID, *cc.ID),
-		),
-	)
+	// Check if target user has "Refuse private chat" flag
+	binary.BigEndian.Uint16(targetID)
+	targetClient := cc.Server.Clients[binary.BigEndian.Uint16(targetID)]
+
+	flagBitmap := big.NewInt(int64(binary.BigEndian.Uint16(targetClient.Flags)))
+	if flagBitmap.Bit(userFLagRefusePChat) == 1 {
+		res = append(res,
+			*NewTransaction(
+				tranServerMsg,
+				cc.ID,
+				NewField(fieldData, []byte(string(targetClient.UserName)+" does not accept private chats.")),
+				NewField(fieldUserName, targetClient.UserName),
+				NewField(fieldUserID, *targetClient.ID),
+				NewField(fieldOptions, []byte{0, 2}),
+			),
+		)
+	} else {
+		res = append(res,
+			*NewTransaction(
+				tranInviteToChat,
+				&targetID,
+				NewField(fieldChatID, newChatID),
+				NewField(fieldUserName, cc.UserName),
+				NewField(fieldUserID, *cc.ID),
+			),
+		)
+	}
 
 	res = append(res,
 		cc.NewReply(t,
@@ -1918,6 +1972,12 @@ func HandleMakeAlias(cc *ClientConn, t *Transaction) (res []Transaction, err err
 	return res, err
 }
 
+// HandleDownloadBanner handles requests for a new banner from the server
+// Fields used in the request:
+// None
+// Fields used in the reply:
+// 107	fieldRefNum			Used later for transfer
+// 108	fieldTransferSize	Size of data to be downloaded
 func HandleDownloadBanner(cc *ClientConn, t *Transaction) (res []Transaction, err error) {
 	fi, err := cc.Server.FS.Stat(filepath.Join(cc.Server.ConfigDir, cc.Server.Config.BannerFile))
 	if err != nil {