yagich/porom
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Compare commits

base: yagich:4cb390348cc7e081cf7d71aaf0adb8f01df414c1
Branches Tags
yagich:main
yagich:with-docker
...
compare: yagich:a5a71753659406067fb384248c69dacbfdfb2b0e
Branches Tags
yagich:main
yagich:with-docker

6 Commits
4cb390348c ... a5a7175365

Author SHA1 Message Date
Lera Elvoé
a5a7175365
add deleting, promoting/demoting, guesting (soft banning) users 2025-05-19 18:34:21 +03:00
Lera Elvoé
349f4d38ef
remove user id from post history table, not sure why it was there in the first place 2025-05-19 09:48:13 +03:00
Lera Elvoé
70a780909a
fix limit being hard coded to 20 2025-05-19 09:47:55 +03:00
Lera Elvoé
6181701da6
add offset pagination and permalinking to posts 2025-05-19 09:33:30 +03:00
Lera Elvoé
85b1319c79
some things 2025-05-19 09:12:59 +03:00
Lera Elvoé
5ec458702a
some cfg tweaks 2025-05-19 06:43:19 +03:00
19 changed files with 288 additions and 51 deletions
Show Stats Expand all files Collapse all files

1
.gitignore vendored
View File

@ -4,3 +4,4 @@ db.*.sqlite
.vscode/
.local/
static/
secrets.lua

6
app.lua
View File

@ -1,5 +1,10 @@
local lapis = require("lapis")
local app = lapis.Application()
local constants = require("constants")
local db = require("lapis.db")
-- sqlite starts without foreign key enforcement
db.query("PRAGMA foreign_keys = ON")
local util = require("util")
@ -11,6 +16,7 @@ local function inject_methods(req)
req.ntob = function(_, v)
return util.ntob(v)
end
req.PermissionLevelString = constants.PermissionLevelString
end
app:before_filter(inject_methods)

16
apps/threads.lua
View File

@ -57,6 +57,7 @@ app:post("thread_create", "/create", function(self)
end)
app:get("thread", "/:slug", function(self)
local posts_per_page = 10
local thread = Threads:find({
slug = self.params.slug
})
@ -64,6 +65,11 @@ app:get("thread", "/:slug", function(self)
return {status = 404}
end
self.thread = thread
local post_count = Posts:count(db.clause({
thread_id = thread.id
}))
self.pages = math.ceil(post_count / posts_per_page)
self.page = tonumber(self.params.page) or 1
local posts = db.query([[
SELECT
posts.id, post_history.content, users.username, avatars.file_path AS avatar_path
@ -76,14 +82,14 @@ app:get("thread", "/:slug", function(self)
LEFT JOIN
avatars ON users.avatar_id = avatars.id
WHERE
posts.thread_id = ? and posts.id > ?
posts.thread_id = ?
ORDER BY
posts.created_at ASC
LIMIT 20
]], thread.id, tonumber(self.params.cursor or 0))
LIMIT ? OFFSET ?
]], thread.id, posts_per_page, (self.page - 1) * posts_per_page)
self.topic = Topics:find(thread.topic_id)
self.user = util.get_logged_in_user_or_transient(self)
self.posts = posts
self.next_cursor = #posts > 0 and posts[#posts].id or nil
return {render = "threads.thread"}
end)
@ -103,7 +109,7 @@ app:post("thread", "/:slug", function(self)
return {redirect_to = self:url_for("thread", {slug = thread.slug})}
end
if util.is_thread_locked(thread) and not user:is_admin() then
if util.is_thread_locked(thread) and not user:is_mod() then
return {redirect_to = self:url_for("thread", {slug = thread.slug})}
end

14
apps/topics.lua
View File

@ -27,7 +27,7 @@ end)
app:get("topic_create", "/create", function(self)
local user = util.get_logged_in_user(self) or util.TransientUser
if not user:is_admin() then
if not user:is_mod() then
return {status = 403}
end
@ -36,7 +36,7 @@ end)
app:post("topic_create", "/create", function(self)
local user = util.get_logged_in_user(self) or util.TransientUser
if not user:is_admin() then
if not user:is_mod() then
return {redirect_to = "all_topics"}
end
@ -62,9 +62,7 @@ app:get("topic", "/:slug", function(self)
return {status = 404}
end
self.topic = topic
self.threads_list = Threads:select(db.clause({
topic_id = topic.id
}))
self.threads_list = db.query("SELECT * FROM threads WHERE topic_id = ? ORDER BY is_stickied DESC, created_at DESC", topic.id)
local user = util.get_logged_in_user_or_transient(self)
print(topic.is_locked, type(topic.is_locked))
self.user = user
@ -74,7 +72,7 @@ app:get("topic", "/:slug", function(self)
self.thread_create_error = ThreadCreateError.GUEST
elseif user:is_guest() then
self.thread_create_error = ThreadCreateError.LOGGED_OUT
elseif util.ntob(topic.is_locked) and not user:is_admin() then
elseif util.ntob(topic.is_locked) and not user:is_mod() then
self.thread_create_error = ThreadCreateError.TOPIC_LOCKED
end
@ -83,7 +81,7 @@ end)
app:get("topic_edit", "/:slug/edit", function(self)
local user = util.get_logged_in_user_or_transient(self)
if not user:is_admin() then
if not user:is_mod() then
return {redirect_to = self:url_for("topic", {slug = self.params.slug})}
end
local topic = Topics:find({
@ -98,7 +96,7 @@ end)
app:post("topic_edit", "/:slug/edit", function(self)
local user = util.get_logged_in_user_or_transient(self)
if not user:is_admin() then
if not user:is_mod() then
return {redirect_to = self:url_for("topic", {slug = self.params.slug})}
end
local topic = Topics:find({

114
apps/users.lua
View File

@ -79,13 +79,59 @@ app:get("user", "/:username", function(self)
self.user_is_me = me.id == user.id
if user.permission == constants.PermissionLevel.GUEST then
if not (self.user_is_me or me:is_admin()) then
if not (self.user_is_me or me:is_mod()) then
return {status = 404}
end
end
return {render = "user.user"}
end)
app:post("user_delete", "/:username/delete", function(self)
local me = util.get_logged_in_user(self)
if me == nil then
self.session.flash = {error = "You must be logged in to perform this action."}
return {redirect_to = self:url_for("user_login")}
end
local target_user = Users:find({username = self.params.username})
if not me:is_mod() then
if me.id ~= target_user.id then
return {redirect_to = self:url_for("user", {username = self.params.username})}
end
if not authenticate_user(target_user, self.params.password) then
self.session.flash = {error = "The password you entered is incorrect."}
return {redirect_to = self:url_for("user_delete_confirm", {username = me.username})}
end
util.transfer_and_delete_user(target_user)
self.session.flash = {error = "Your account has been added to the deletion queue."}
return {redirect_to = self:url_for("user_signup")}
else
if target_user.permission >= me.permission then
self.session.flash = {error = "You can not delete another moderator."}
return {redirect_to = self:url_for("user", {username = me.username})}
end
end
end)
app:get("user_delete_confirm", "/:username/delete_confirm", function(self)
local me = util.get_logged_in_user(self)
if me == nil then
self.session.flash = {error = "You must be logged in to perform this action."}
return {redirect_to = self:url_for("user_login")}
end
local target_user = Users:find({username = self.params.username})
if me.id ~= target_user.id then
return {redirect_to = self:url_for("user", {username = self.params.username})}
end
if self.session.flash then
self.err = self.session.flash.error
self.session.flash = {}
end
self.user = target_user
return {render = "user.delete_confirm"}
end)
app:post("user_clear_avatar", "/:username/clear_avatar", function(self)
local me = util.get_logged_in_user(self)
if me == nil then
@ -216,6 +262,10 @@ app:post("user_login", "/login", function(self)
self.session.flash = {error = "Invalid username or password"}
return {redirect_to = self:url_for("user_login")}
end
if user.permission == constants.PermissionLevel.SYSTEM then
self.session.flash = {error = "Invalid username or password"}
return {redirect_to = self:url_for("user_login")}
end
if not authenticate_user(user, password) then
self.session.flash = {error = "Invalid username or password"}
return {redirect_to = self:url_for("user_login")}
@ -300,7 +350,7 @@ app:post("confirm_user", "/confirm_user/:user_id", function (self)
if not user then
return {status = 403}
end
if not user:is_admin() then
if not user:is_mod() then
return {status = 403}
end
local target_user = Users:find(self.params.user_id)
@ -315,4 +365,64 @@ app:post("confirm_user", "/confirm_user/:user_id", function (self)
return {redirect_to = self:url_for("user", {username = target_user.username})}
end)
app:post("mod_user", "/mod_user/:user_id", function(self)
local user = util.get_logged_in_user(self)
if not user then
return {status = 403}
end
if not user:is_admin() then
return {status = 403}
end
local target_user = Users:find(self.params.user_id)
if not target_user then
return {status = 404}
end
if target_user:is_mod() then
return {status = 404}
end
target_user:update({permission = constants.PermissionLevel.MODERATOR})
return {redirect_to = self:url_for("user", {username = target_user.username})}
end)
app:post("demod_user", "/demod_user/:user_id", function(self)
local user = util.get_logged_in_user(self)
if not user then
return {status = 403}
end
if not user:is_admin() then
return {status = 403}
end
local target_user = Users:find(self.params.user_id)
if not target_user then
return {status = 404}
end
if not target_user:is_mod() then
return {status = 404}
end
target_user:update({permission = constants.PermissionLevel.USER})
return {redirect_to = self:url_for("user", {username = target_user.username})}
end)
app:post("guest_user", "/guest_user/:user_id", function(self)
local user = util.get_logged_in_user(self)
if not user then
return {status = 403}
end
if not user:is_mod() then
return {status = 403}
end
local target_user = Users:find(self.params.user_id)
if not target_user then
return {status = 404}
end
if target_user:is_mod() then
return {status = 404}
end
target_user:update({permission = constants.PermissionLevel.GUEST})
return {redirect_to = self:url_for("user", {username = target_user.username})}
end)
return app

14
config.lua
View File

@ -1,6 +1,7 @@
local config = require("lapis.config")
local secrets = require("secrets")
config("development", {
config({"development", "production"}, {
server = "nginx",
code_cache = "off",
num_workers = "1",
@ -10,3 +11,14 @@ config("development", {
secret = "SUPER SECRET",
session_name = "porom_session",
})
config("production", {
code_cache = "on",
logging = {
queries = false,
},
secret = secrets.key,
sqlite = {
database = "db.prod.sqlite"
},
})

12
constants.lua
View File

@ -3,7 +3,17 @@ local Constants = {}
Constants.PermissionLevel = {
GUEST = 0,
USER = 1,
ADMIN = 2,
MODERATOR = 2,
SYSTEM = 3,
ADMIN = 4,
}
Constants.PermissionLevelString = {
[Constants.PermissionLevel.GUEST] = "Guest",
[Constants.PermissionLevel.USER] = "User",
[Constants.PermissionLevel.MODERATOR] = "Moderator",
[Constants.PermissionLevel.SYSTEM] = "System",
[Constants.PermissionLevel.ADMIN] = "Administrator",
}
Constants.BCRYPT_ROUNDS = 10

18
create_default_admin.lua → create_default_accounts.lua
View File

@ -29,4 +29,20 @@ local function create_admin()
print("Admin account created, use \"admin\" as the login and \"" .. password .. "\" as the password. This will only be shown once.")
end
create_admin()
local function create_deleted_user()
local username = "DeletedUser"
local root_count = models.Users:count("username = ?", username)
if root_count ~= 0 then
print("deleted user already exists")
return
end
models.Users:create({
username = username,
password_hash = "",
permission = constants.PermissionLevel.SYSTEM,
})
end
create_admin()
create_deleted_user()

4
migrations.lua
View File

@ -48,4 +48,8 @@ return {
db.query("CREATE INDEX idx_topics_slug ON topics(slug)")
db.query("CREATE INDEX idx_threads_slug ON threads(slug)")
end,
[6] = function ()
schema.drop_column("post_history", "user_id")
end,
}

8
models.lua
View File

@ -12,6 +12,14 @@ function Users_mt:is_admin()
return self.permission == constants.PermissionLevel.ADMIN
end
function Users_mt:is_mod()
return self.permission >= constants.PermissionLevel.MODERATOR
end
function Users_mt:is_system()
return self.permission == constants.PermissionLevel.SYSTEM
end
function Users_mt:is_logged_in_guest()
return self:is_guest() and true
end

3
secrets.lua.example Normal file
View File

@ -0,0 +1,3 @@
return {
key = PROD_SECRET_KEY_HERE,
}

18
util.lua
View File

@ -14,6 +14,9 @@ util.TransientUser = {
is_admin = function (self)
return false
end,
is_mod = function (self)
return false
end,
is_guest = function (self)
return true
end,
@ -116,7 +119,6 @@ function util.create_post(thread_id, user_id, content)
local revision = PostHistory:create({
post_id = post.id,
user_id = user_id,
content = bb_content,
is_initial_revision = true,
})
@ -127,4 +129,16 @@ function util.create_post(thread_id, user_id, content)
return post
end
return util
function util.transfer_and_delete_user(user)
local deleted_user = Users:find({
username = "DeletedUser",
})
-- this needs to be atomic
db.query("BEGIN")
db.query('UPDATE "threads" SET "user_id" = ? WHERE "user_id" = ?', deleted_user.id, user.id)
db.query('UPDATE "posts" SET "user_id" = ? WHERE "user_id" = ?', deleted_user.id, user.id)
user:delete() -- uncomment later
db.query("COMMIT")
end
return util

21
views/threads/thread.etlua
View File

@ -1,8 +1,11 @@
<h1><%= thread.title %></h1>
<p>Posted under <a href="<%= url_for("topic", {slug = topic.slug}) %>"><%= topic.name %></a>
<% for _, post in ipairs(posts) do %>
<div>
<img src="<%= post.avatar_path or "/avatars/default.webp" %>">
<div><%= post.username %></div>
<div id="post-<%= post.id %>">
<img src="<%= post.avatar_path or "/avatars/default.webp" %>"><br>
<a href="<%= url_for("user", {username = post.username}) %>"><%= post.username %></a>
<div><p><%- post.content %></p></div>
<a href="#post-<%= post.id %>">permalink</a>
</div>
<% end %>
@ -13,8 +16,12 @@
<input type="submit" value="Reply">
</form>
<% end %>
<% if next_cursor then %>
<a href="<%= url_for('thread', {slug = thread.slug}, {cursor = next_cursor}) %>">
Older posts →
</a>
<span>
<% for i = 1, math.max(pages, 1) do %>
<% if i == page then %>
<%= tostring(i)%>
<% else %>
<a href="?page=<%= i %>"><%= tostring(i)%></a>
<% end %>
<% end %>
</span>

12
views/topics/topic.etlua
View File

@ -2,19 +2,27 @@
<h2><%= topic.description %></h2>
<% if #threads_list == 0 then %>
<p>There are no threads in this topic.</p>
<% else %>
<ul>
<% for _, thread in ipairs(threads_list) do %>
<li>
<a href="<%= url_for("thread", {slug = thread.slug}) %>"><%= thread.title %></a><% if ntob(thread.is_stickied) then %> - pinned<% end %>
</li>
<% end %>
</ul>
<% end %>
<% if thread_create_error == ThreadCreateError.OK then %>
<a href=<%= url_for("thread_create", nil, {topic_id = topic.id}) %>>New thread</a>
<% elseif thread_create_error == ThreadCreateError.GUEST then %>
<p>Your account is still pending confirmation by an administrator. You are not able to create a new thread or post at this time.</p>
<p>Your account is still pending confirmation by a moderator. You are not able to create a new thread or post at this time.</p>
<% elseif thread_create_error == ThreadCreateError.LOGGED_OUT then %>
<p>Only logged in users can create threads. <a href="<%= url_for("user_signup") %>">Sign up</a> or <a href="<%= url_for("user_login")%>">log in</a> to create a thread.</p>
<% else %>
<p>This topic is locked.</p>
<% end %>
<% if user:is_admin() then %>
<% if user:is_mod() then %>
<br>
<a href="<%= url_for("topic_edit", {slug = topic.slug}) %>">Edit topic</a>
<form method="post" action="<%= url_for("topic_edit", {slug = topic.slug}) %>">

2
views/topics/topics.etlua
View File

@ -11,6 +11,6 @@
<% end %>
<% end %>
</ul>
<% if user:is_admin() then %>
<% if user:is_mod() then %>
<a href="<%= url_for("topic_create") %>">Create new topic</a>
<% end %>

12
views/user/delete_confirm.etlua Normal file
View File

@ -0,0 +1,12 @@
<h1>Are you sure you want to delete your account, <%= user.username %>?</h1>
<p>This cannot be undone. This will not delete your posts, only anonymize them.</p>
<p>If you are sure, please type your password below.</p>
<% if err then %>
<h2><%= err %></h2>
<% end %>
<form method="post" action="<%= url_for("user_delete", {username = user.username}) %>">
<input type="password" name="password" id="password" autocomplete="current-password" placeholder="Password" required><br>
<input type="submit" value="Delete my account (NO UNDO)">
</form>

18
views/user/settings.etlua
View File

@ -1,18 +1,20 @@
<h1>User settings</h1>
<% if flash_msg then %>
<h2><%= flash_msg %></h2>
<h2><%= flash_msg %></h2>
<% end %>
<form method="post" action="<%= url_for("user_set_avatar", {username = user.username}) %>" enctype="multipart/form-data">
<img src="<%= avatar_url(user) %>"><br>
<input type="file" name="avatar" accept="image/*"><br>
<input type="submit" value="Update avatar">
<img src="<%= avatar_url(user) %>"><br>
<input type="file" name="avatar" accept="image/*"><br>
<input type="submit" value="Update avatar">
<% if not user:is_default_avatar() then %>
<input type="submit" value="Clear avatar" formaction="<%= url_for("user_clear_avatar", {username = user.username}) %>">
<input type="submit" value="Clear avatar" formaction="<%= url_for("user_clear_avatar", {username = user.username}) %>">
<% end %>
<br>
</form>
<form method="post" action="">
<label for="status">Status</label>
<input type="text" id="status" name="status" value="<%= user.status %>" maxlength="10"><br>
<input type="submit" value="Save">
<label for="status">Status</label>
<input type="text" id="status" name="status" value="<%= user.status %>" maxlength="30"><br>
<input type="submit" value="Save">
</form>
<br>
<a href="<%= url_for("user_delete_confirm", {username = user.username}) %>">Delete account</a>

2
views/user/signup.etlua
View File

@ -12,4 +12,4 @@
<input type="password" id="password2" name="password2" pattern="(?=.*[a-z])(?=.*[A-Z])(?=.*\d)(?=.*[\W_])(?!.*\s).{10,}" title="10+ chars with: 1 uppercase, 1 lowercase, 1 number, 1 special char, and no spaces" required autocomplete="new-password"><br>
<input type="submit" value="Sign up">
</form>
<p>After you sign up, an administrator will need to confirm your account before you will be allowed to post.</p>
<p>After you sign up, a moderator will need to confirm your account before you will be allowed to post.</p>

44
views/user/user.etlua
View File

@ -1,21 +1,41 @@
<% if just_logged_in then %>
<h1>Logged in successfully.</h1>
<h1>Logged in successfully.</h1>
<% end %>
<img src="<%= avatar_url(user) %>">
<h1><%= user.username %></h1>
<h2><%= PermissionLevelString[user.permission] %></h2>
<% if user:is_guest() and user_is_me then %>
<h2>You are a guest. An administrator needs to approve your account before you will be able to post.</h2>
<h2>You are a guest. An Moderator needs to approve your account before you will be able to post.</h2>
<% end %>
<% if user_is_me then %>
<form method="post" action="<%= url_for("user_logout", {user_id = me.id}) %>">
<input type="submit" value="Log out">
</form>
<a href="<%= url_for("user_settings", {username = user.username}) %>">Settings</a>
<form method="post" action="<%= url_for("user_logout", {user_id = me.id}) %>">
<input type="submit" value="Log out">
</form>
<% end %>
<% if me:is_admin() and user:is_guest() then %>
<p>This user is a guest. They signed up on <%= os.date("%c", user.created_at) %>.</p>
<form method="post" action="<%= url_for("confirm_user", {user_id = user.id}) %>">
<input type="submit" value="Confirm user">
</form>
<% elseif me:is_admin() then %>
<p>This user signed up on <%= os.date("%c", user.created_at) %> and was confirmed on <%= os.date("%c", user.confirmed_on) %>.</p>
<% if me:is_mod() and not user:is_system() then %>
<h1>Moderator controls</h2>
<% if user:is_guest() then %>
<p>This user is a guest. They signed up on <%= os.date("%c", user.created_at) %>.</p>
<form method="post" action="<%= url_for("confirm_user", {user_id = user.id}) %>">
<input type="submit" value="Confirm user">
</form>
<% else %> <% --[[ user is not guest ]] %>
<p>This user signed up on <%= os.date("%c", user.created_at) %> and was confirmed on <%= os.date("%c", user.confirmed_on) %>.</p>
<% if user.id ~= me.id and user.permission < me.permission then %>
<form method="post" action="<%= url_for("guest_user", {user_id = user.id}) %>">
<input type="submit" value="Demote user to guest (soft ban)">
</form>
<% end %>
<% if me:is_admin() and not user:is_mod() then %>
<form method="post" action="<%= url_for("mod_user", {user_id = user.id}) %>">
<input type="submit" value="Promote user to moderator">
</form>
<% elseif me:is_admin() then %>
<form method="post" action="<%= url_for("demod_user", {user_id = user.id}) %>">
<input type="submit" value="Demote user to regular user">
</form>
<% end %>
<% end %>
<% end %>