VARASYS/ZDDC
1
1
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
ZDDC/zddc/internal/handler/profileprojects.go
ZDDC cb46c2ef8c feat(zddc-server): user profile page replaces /.admin/ 
Replaces the super-admin-only /.admin/ surface with a public-by-default
/.profile/ page that layers admin tools server-side based on the
caller's effective access:

- Universal (everyone, anonymous included): identity card, effective
  access summary, theme picker, localStorage utilities (export / import
  / clear, landing-presets viewer).
- Subtree admins additionally see: editable .zddc files list (linking
  to the existing form-based editor) and a "Create new project folder"
  form.
- Super-admins additionally see: server config, log viewer, whoami
  headers (the old /.admin/ JSON endpoints, repointed under /.profile/).

Project creation is gated on CanEditZddc(newDir) — the same strict-
ancestor rule that already governs .zddc writes — so no new authority
concept is introduced. ValidateProjectName mirrors the existing
reserved-prefix policy (no leading '.' or '_', no path separators).

/.admin/* is hard-cut: no redirect shim. Old URLs fall through to the
existing dot-prefix guard and 404. Custom CSS file rename: prefer
<root>/.profile.css, fall back to legacy <root>/.admin.css.

Per-resource 404 leakage gates preserved on whoami / config / logs /
zddc / projects so non-admin callers cannot detect the existence of
admin-only sub-resources.

Tree-wide gofmt -w applied as a side-effect.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-29 16:32:02 -05:00

134 lines
4.3 KiB
Go
Raw Blame History

package handler
import (
"encoding/json"
"net/http"
"os"
"path/filepath"
"codeberg.org/VARASYS/ZDDC/zddc/internal/config"
"codeberg.org/VARASYS/ZDDC/zddc/internal/zddc"
)
// projectCreateRequest is the wire shape for POST /.profile/projects.
//
// All fields except parent and name are optional. The ACL/admins/title
// fields are bundled into a starter .zddc only if at least one is supplied;
// otherwise the new directory is left empty and inherits ACL from its
// ancestors.
type projectCreateRequest struct {
Parent string `json:"parent"`
Name string `json:"name"`
Title string `json:"title,omitempty"`
ACL *zddc.ACLRules `json:"acl,omitempty"`
Admins []string `json:"admins,omitempty"`
}
// projectCreateResponse is the success payload.
type projectCreateResponse struct {
Path string `json:"path"`
URL string `json:"url"`
}
// serveProfileProjectsCreate handles POST /.profile/projects.
//
// Authorization is delegated to CanEditZddc on the prospective new
// directory: the caller must have authority that would let them write a
// .zddc at that location (super-admin via root admins, or a strict-ancestor
// admin grant). Non-authorized callers receive 404 to keep this endpoint's
// existence hidden alongside the rest of the admin surface.
func serveProfileProjectsCreate(cfg config.Config, w http.ResponseWriter, r *http.Request) {
// Admin gate first so non-admins see 404 regardless of method, matching
// the rest of /.profile/'s existence-leakage policy.
email := EmailFromContext(r)
if !hasAnyAdminScope(cfg.Root, email) {
http.NotFound(w, r)
return
}
if r.Method != http.MethodPost {
w.Header().Set("Allow", "POST")
http.Error(w, "Method Not Allowed", http.StatusMethodNotAllowed)
return
}
defer r.Body.Close()
dec := json.NewDecoder(r.Body)
dec.DisallowUnknownFields()
var req projectCreateRequest
if err := dec.Decode(&req); err != nil {
http.Error(w, "Bad Request: "+err.Error(), http.StatusBadRequest)
return
}
if err := zddc.ValidateProjectName(req.Name); err != nil {
writeFieldError(w, http.StatusBadRequest, "name", err.Error())
return
}
parentAbs, err := resolvePath(cfg.Root, req.Parent)
if err != nil {
http.NotFound(w, r)
return
}
if pi, err := os.Stat(parentAbs); err != nil || !pi.IsDir() {
http.Error(w, "Parent directory not found", http.StatusBadRequest)
return
}
newDir := filepath.Join(parentAbs, req.Name)
if !zddc.CanEditZddc(cfg.Root, newDir, email) {
http.NotFound(w, r)
return
}
if _, err := os.Stat(newDir); err == nil {
http.Error(w, "Conflict: directory already exists", http.StatusConflict)
return
}
// If the body supplies any .zddc fields, validate them BEFORE we mkdir
// so a validation failure leaves no on-disk trace.
wantsZddc := req.Title != "" || (req.ACL != nil && (len(req.ACL.Allow) > 0 || len(req.ACL.Deny) > 0)) || len(req.Admins) > 0
var zf zddc.ZddcFile
if wantsZddc {
zf.Title = req.Title
if req.ACL != nil {
zf.ACL = *req.ACL
}
zf.Admins = req.Admins
if errs := zddc.ValidateFile(zf); len(errs) > 0 {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(http.StatusBadRequest)
_ = json.NewEncoder(w).Encode(writeError{Errors: errs})
return
}
}
if err := os.MkdirAll(newDir, 0o755); err != nil {
http.Error(w, "Internal Server Error: "+err.Error(), http.StatusInternalServerError)
return
}
if wantsZddc {
if err := zddc.WriteFile(newDir, zf); err != nil {
// Best-effort rollback: remove the empty dir we just created.
_ = os.Remove(newDir)
http.Error(w, "Internal Server Error: "+err.Error(), http.StatusInternalServerError)
return
}
}
urlPath := urlPathOf(cfg.Root, newDir)
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(http.StatusCreated)
_ = json.NewEncoder(w).Encode(projectCreateResponse{
Path: urlPath,
URL: urlPath + "/",
})
}
// writeFieldError emits a single-error writeError JSON body — used when
// validation fails for a top-level scalar field like `name`.
func writeFieldError(w http.ResponseWriter, status int, field, message string) {
w.Header().Set("Content-Type", "application/json; charset=utf-8")
w.WriteHeader(status)
_ = json.NewEncoder(w).Encode(writeError{Errors: []zddc.FieldError{{Field: field, Message: message}}})
}
Reference in a new issue View git blame Copy permalink