better permission denied pages for broadcast forms

lichess-org · Jun 17, 2024 · bd12c53 · bd12c53
1 parent 62bbbee
commit bd12c53
Show file tree

Hide file tree

Showing 4 changed files with 33 additions and 9 deletions.
diff --git a/app/controllers/RelayRound.scala b/app/controllers/RelayRound.scala
@@ -52,8 +52,17 @@ final class RelayRound(
   }
 
   def edit(id: RelayRoundId) = Auth { ctx ?=> me ?=>
-    FoundPage(env.relay.api.formNavigation(id)): (round, nav) =>
-      views.relay.form.round.edit(round, env.relay.roundForm.edit(round), nav)
+    env.relay.api
+      .byIdAndContributor(id)
+      .flatMap:
+        case None =>
+          Found(env.relay.api.formNavigation(id)): (_, nav) =>
+            Forbidden.page(views.relay.form.noAccess(nav))
+        case Some(rt) =>
+          env.relay.api
+            .formNavigation(rt)
+            .flatMap: (round, nav) =>
+              Ok.page(views.relay.form.round.edit(round, env.relay.roundForm.edit(round), nav))
   }
 
   def update(id: RelayRoundId) = AuthOrScopedBody(_.Study.Write) { ctx ?=> me ?=>

diff --git a/app/controllers/RelayTour.scala b/app/controllers/RelayTour.scala
@@ -215,10 +215,11 @@ final class RelayTour(env: Env, apiC: => Api) extends LilaController(env):
       id: RelayTourId
   )(f: (FormNavigation) => Fu[Result])(using Context, Me): Fu[Result] =
     WithTour(id): tour =>
-      env.relay.api
-        .canUpdate(tour)
-        .elseNotFound:
-          env.relay.api.formNavigation(tour).flatMap(f)
+      for
+        canUpdate <- env.relay.api.canUpdate(tour)
+        nav       <- env.relay.api.formNavigation(tour)
+        res       <- if canUpdate then f(nav) else Forbidden.page(views.relay.form.noAccess(nav))
+      yield res
 
   private[controllers] def rateLimitCreation(
       fail: => Fu[Result]

diff --git a/modules/relay/src/main/RelayApi.scala b/modules/relay/src/main/RelayApi.scala
@@ -50,9 +50,11 @@ final class RelayApi(
           relay.withTour(tour)
 
   def formNavigation(id: RelayRoundId)(using me: Me): Fu[Option[(RelayRound, ui.FormNavigation)]] =
-    byIdAndContributor(id).flatMapz: rt =>
-      formNavigation(rt.tour).map: nav =>
-        (rt.round, nav.copy(round = rt.round.id.some)).some
+    byIdWithTour(id).flatMapz(rt => formNavigation(rt).dmap(some))
+
+  def formNavigation(rt: RelayRound.WithTour)(using me: Me): Fu[(RelayRound, ui.FormNavigation)] =
+    formNavigation(rt.tour).map: nav =>
+      (rt.round, nav.copy(round = rt.round.id.some))
 
   def formNavigation(tour: RelayTour)(using me: Me): Fu[ui.FormNavigation] = for
     group  <- withTours.get(tour.id)

diff --git a/modules/relay/src/main/ui/FormUi.scala b/modules/relay/src/main/ui/FormUi.scala
@@ -62,6 +62,18 @@ final class FormUi(helpers: Helpers, ui: RelayUi, tourUi: RelayTourUi):
           )
     )
 
+  def noAccess(nav: FormNavigation)(using Context) =
+    Page("Insufficient permissions")
+      .css("bits.relay.form")
+      .wrap: body =>
+        main(cls := "page page-menu")(
+          navigationMenu(nav),
+          div(cls := "page-menu__content box box-pad")(
+            boxTop(h1("Insufficient permissions")),
+            p("You are not allowed to edit this broadcast or round.")
+          )
+        )
+
   object round:
 
     private def page(title: String, nav: FormNavigation)(using Context) =