Frontend: Don't allow viewing private channel logs without access

frontend.pm

@@ -297,6 +297,18 @@ sub sendBadRequest {
 	$aClient->send($response);
 }
 
+sub sendUnauthorized {
+	my $aClient = $_[0];
+	my $aMessage = $_[1];
+
+	my $content = "<h1>401 Unauthorized</h1><h6>irclogger_web</h6>Error: $aMessage";
+	my $response = getBaseResponse(401, "Unauthorized");
+	$response.="Content-Type: text/html, charset=utf-8\r\n";
+	$response.="Content-Length: ".length($content)."\r\n\r\n";
+	$response.=$content;
+	$aClient->send($response);
+}
+
 sub sendForbidden {
 	my $aClient = $_[0];
 	my $aMessage = $_[1];
@@ -429,7 +441,7 @@ sub sendResponse {
 	my $aRequest = $_[1];
 	my $aConnection = $_[2];
 
-	if($aRequest->{"version"} ne "HTTP/1.1") {
+	if($aRequest->{"version"} ne "HTTP/1.0" && $aRequest->{"version"} ne "HTTP/1.1") {
 		sendNotImplemented($aClient);
 		return;
 	}

frontend_routes.pm

@@ -26,6 +26,35 @@ use feature qw(switch);
 use strict;
 use warnings;
 
+sub verifyChannelAccess {
+	my $aRequest = $_[0];
+	my $aClient = $_[1];
+	my $aConnection = $_[2];
+	my $aChannelID = $_[3];
+
+	if(!defined($aRequest->{"cookies"}{"session"}) || !frontend_session::isValidSession($aRequest->{"cookies"}{"session"})) {
+		frontend::sendUnauthorized($aClient, "You need to log in to view this resource");
+		return 0;
+	}
+	my $session = $frontend_session::sessions{$aRequest->{"cookies"}{"session"}};
+	my $query = $aConnection->prepare(qq(select id, privileges from users where name=?;));
+	$query->execute($session->{"username"});
+	my @row = $query->fetchrow_array();
+	my $userID = $row[0];
+	my $privileges = $row[1];
+	if($privileges>0) {
+		return 1;
+	}
+	$query = $aConnection->prepare(qq(select user_id from accessors where channel_id=$aChannelID and user_id=$userID;));
+	$query->execute($session->{"username"});
+	@row = $query->fetchrow_array();
+	if(scalar(@row)==0) {
+		frontend::sendForbidden($aClient, "You don't have access to this channel logs");
+		return 0;
+	}
+	return 1;
+}
+
 sub handlePath {
 	my $aClient = $_[0];
 	my $aPath = $_[1];
@@ -337,7 +366,7 @@ sub handlePath {
 			return 1;
 		}
 
-		my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
+		my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
 		$query->execute($channelID);
 		my @row = $query->fetchrow_array();
 		if(scalar(@row)==0) {
@@ -345,7 +374,12 @@ sub handlePath {
 			return 1;
 		}
 		my $channelName = $row[0];
-		my $serverName = $row[1];
+		$channelName =~ s/%23/#/;
+		my $channelPublic = $row[1];
+		if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) {
+			return 1;
+		}
+		my $serverName = $row[2];
 		my $logsPath = "logs/".$serverName."/".$channelName;
 
 		my $result = opendir(my $folder, $logsPath);
@@ -375,7 +409,7 @@ sub handlePath {
 			return 1;
 		}
 
-		my $query = $aConnection->prepare(qq(select channels.name, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
+		my $query = $aConnection->prepare(qq(select channels.name, channels.public, servers.name from channels inner join servers on channels.server_id=servers.id where channels.id=?;));
 		$query->execute($channelID);
 		my @row = $query->fetchrow_array();
 		if(scalar(@row)==0) {
@@ -383,7 +417,12 @@ sub handlePath {
 			return 1;
 		}
 		my $channelName = $row[0];
-		my $serverName = $row[1];
+		$channelName =~ s/%23/#/;
+		my $channelPublic = $row[1];
+		if(!$channelPublic && !verifyChannelAccess($aRequest, $aClient, $aConnection, $channelID)) {
+			return 1;
+		}
+		my $serverName = $row[2];
 		my $logFilePath = "logs/".$serverName."/".$channelName."/".$logFile;
 
 		my $result = open(my $file, "<", $logFilePath);