Add access restrictions to server routes (#19)

src/MyWebLog/Handlers/Page.fs

@@ -8,14 +8,13 @@ open MyWebLog.ViewModels
 
 // GET /admin/pages
 // GET /admin/pages/page/{pageNbr}
-let all pageNbr : HttpHandler = fun next ctx -> task {
-    let  webLog = ctx.WebLog
-    let! pages  = ctx.Data.Page.findPageOfPages webLog.id pageNbr
+let all pageNbr : HttpHandler = requireAccess Author >=> fun next ctx -> task {
+    let! pages = ctx.Data.Page.findPageOfPages ctx.WebLog.id pageNbr
     return!
         Hash.FromAnonymousObject {|
             page_title = "Pages"
             csrf       = ctx.CsrfTokenSet
-            pages      = pages |> List.map (DisplayPage.fromPageMinimal webLog)
+            pages      = pages |> List.map (DisplayPage.fromPageMinimal ctx.WebLog)
             page_nbr   = pageNbr
             prev_page  = if pageNbr = 2 then "" else $"/page/{pageNbr - 1}"
             next_page  = $"/page/{pageNbr + 1}"
@@ -24,17 +23,17 @@ let all pageNbr : HttpHandler = fun next ctx -> task {
 }
 
 // GET /admin/page/{id}/edit
-let edit pgId : HttpHandler = fun next ctx -> task {
+let edit pgId : HttpHandler = requireAccess Author >=> fun next ctx -> task {
     let! result = task {
         match pgId with
-        | "new" -> return Some ("Add a New Page", { Page.empty with id = PageId "new" })
+        | "new" -> return Some ("Add a New Page", { Page.empty with id = PageId "new"; authorId = ctx.UserId })
         | _ ->
             match! ctx.Data.Page.findFullById (PageId pgId) ctx.WebLog.id with
             | Some page -> return Some ("Edit Page", page)
             | None -> return None
     }
     match result with
-    | Some (title, page) ->
+    | Some (title, page) when canEdit page.authorId ctx ->
         let  model     = EditPageModel.fromPage page
         let! templates = templatesForTheme ctx "page"
         return!
@@ -47,13 +46,13 @@ let edit pgId : HttpHandler = fun next ctx -> task {
                 templates  = templates
             |}
             |> viewForTheme "admin" "page-edit" next ctx
+    | Some _ -> return! Error.notAuthorized next ctx
     | None -> return! Error.notFound next ctx
 }
 
 // POST /admin/page/{id}/delete
-let delete pgId : HttpHandler = fun next ctx -> task {
-    let webLog = ctx.WebLog
-    match! ctx.Data.Page.delete (PageId pgId) webLog.id with
+let delete pgId : HttpHandler = requireAccess WebLogAdmin >=> fun next ctx -> task {
+    match! ctx.Data.Page.delete (PageId pgId) ctx.WebLog.id with
     | true ->
         do! PageListCache.update ctx
         do! addMessage ctx { UserMessage.success with message = "Page deleted successfully" }
@@ -62,9 +61,9 @@ let delete pgId : HttpHandler = fun next ctx -> task {
 }
 
 // GET /admin/page/{id}/permalinks
-let editPermalinks pgId : HttpHandler = fun next ctx -> task {
+let editPermalinks pgId : HttpHandler = requireAccess Author >=> fun next ctx -> task {
     match! ctx.Data.Page.findFullById (PageId pgId) ctx.WebLog.id with
-    | Some pg ->
+    | Some pg when canEdit pg.authorId ctx ->
         return!
             Hash.FromAnonymousObject {|
                 page_title = "Manage Prior Permalinks"
@@ -72,41 +71,45 @@ let editPermalinks pgId : HttpHandler = fun next ctx -> task {
                 model      = ManagePermalinksModel.fromPage pg
             |}
             |> viewForTheme "admin" "permalinks" next ctx
+    | Some _ -> return! Error.notAuthorized next ctx
     | None -> return! Error.notFound next ctx
 }
 
 // POST /admin/page/permalinks
-let savePermalinks : HttpHandler = fun next ctx -> task {
-    let  webLog = ctx.WebLog
-    let! model  = ctx.BindFormAsync<ManagePermalinksModel> ()
-    let  links  = model.prior |> Array.map Permalink |> List.ofArray
-    match! ctx.Data.Page.updatePriorPermalinks (PageId model.id) webLog.id links with
-    | true ->
-        do! addMessage ctx { UserMessage.success with message = "Page permalinks saved successfully" }
-        return! redirectToGet $"admin/page/{model.id}/permalinks" next ctx
-    | false -> return! Error.notFound next ctx
+let savePermalinks : HttpHandler = requireAccess Author >=> fun next ctx -> task {
+    let! model = ctx.BindFormAsync<ManagePermalinksModel> ()
+    let  pageId = PageId model.id
+    match! ctx.Data.Page.findById pageId ctx.WebLog.id with
+    | Some pg when canEdit pg.authorId ctx ->
+        let  links = model.prior |> Array.map Permalink |> List.ofArray
+        match! ctx.Data.Page.updatePriorPermalinks pageId ctx.WebLog.id links with
+        | true ->
+            do! addMessage ctx { UserMessage.success with message = "Page permalinks saved successfully" }
+            return! redirectToGet $"admin/page/{model.id}/permalinks" next ctx
+        | false -> return! Error.notFound next ctx
+    | Some _ -> return! Error.notAuthorized next ctx
+    | None -> return! Error.notFound next ctx
 }
 
 // GET /admin/page/{id}/revisions
-let editRevisions pgId : HttpHandler = fun next ctx -> task {
-    let webLog = ctx.WebLog
-    match! ctx.Data.Page.findFullById (PageId pgId) webLog.id with
-    | Some pg ->
+let editRevisions pgId : HttpHandler = requireAccess Author >=> fun next ctx -> task {
+    match! ctx.Data.Page.findFullById (PageId pgId) ctx.WebLog.id with
+    | Some pg when canEdit pg.authorId ctx ->
         return!
             Hash.FromAnonymousObject {|
                 page_title = "Manage Page Revisions"
                 csrf       = ctx.CsrfTokenSet
-                model      = ManageRevisionsModel.fromPage webLog pg
+                model      = ManageRevisionsModel.fromPage ctx.WebLog pg
             |}
             |> viewForTheme "admin" "revisions" next ctx
+    | Some _ -> return! Error.notAuthorized next ctx
     | None -> return! Error.notFound next ctx
 }
 
 // GET /admin/page/{id}/revisions/purge
-let purgeRevisions pgId : HttpHandler = fun next ctx -> task {
-    let webLog = ctx.WebLog
-    let data   = ctx.Data
-    match! data.Page.findFullById (PageId pgId) webLog.id with
+let purgeRevisions pgId : HttpHandler = requireAccess Author >=> fun next ctx -> task {
+    let data = ctx.Data
+    match! data.Page.findFullById (PageId pgId) ctx.WebLog.id with
     | Some pg ->
         do! data.Page.update { pg with revisions = [ List.head pg.revisions ] }
         do! addMessage ctx { UserMessage.success with message = "Prior revisions purged successfully" }
@@ -126,14 +129,15 @@ let private findPageRevision pgId revDate (ctx : HttpContext) = task {
 }
 
 // GET /admin/page/{id}/revision/{revision-date}/preview
-let previewRevision (pgId, revDate) : HttpHandler = fun next ctx -> task {
+let previewRevision (pgId, revDate) : HttpHandler = requireAccess Author >=> fun next ctx -> task {
     match! findPageRevision pgId revDate ctx with
-    | Some _, Some rev ->
+    | Some pg, Some rev when canEdit pg.authorId ctx ->
         return!
             Hash.FromAnonymousObject {|
                 content = $"""<div class="mwl-revision-preview mb-3">{MarkupText.toHtml rev.text}</div>"""
             |}
             |> bareForTheme "admin" "" next ctx
+    | Some _, Some _ -> return! Error.notAuthorized next ctx
     | None, _
     | _, None -> return! Error.notFound next ctx
 }
@@ -141,9 +145,9 @@ let previewRevision (pgId, revDate) : HttpHandler = fun next ctx -> task {
 open System
 
 // POST /admin/page/{id}/revision/{revision-date}/restore
-let restoreRevision (pgId, revDate) : HttpHandler = fun next ctx -> task {
+let restoreRevision (pgId, revDate) : HttpHandler = requireAccess Author >=> fun next ctx -> task {
     match! findPageRevision pgId revDate ctx with
-    | Some pg, Some rev ->
+    | Some pg, Some rev when canEdit pg.authorId ctx ->
         do! ctx.Data.Page.update
                 { pg with
                     revisions = { rev with asOf = DateTime.UtcNow }
@@ -151,17 +155,19 @@ let restoreRevision (pgId, revDate) : HttpHandler = fun next ctx -> task {
                 }
         do! addMessage ctx { UserMessage.success with message = "Revision restored successfully" }
         return! redirectToGet $"admin/page/{pgId}/revisions" next ctx
+    | Some _, Some _ -> return! Error.notAuthorized next ctx
     | None, _
     | _, None -> return! Error.notFound next ctx
 }
 
 // POST /admin/page/{id}/revision/{revision-date}/delete
-let deleteRevision (pgId, revDate) : HttpHandler = fun next ctx -> task {
+let deleteRevision (pgId, revDate) : HttpHandler = requireAccess Author >=> fun next ctx -> task {
     match! findPageRevision pgId revDate ctx with
-    | Some pg, Some rev ->
+    | Some pg, Some rev when canEdit pg.authorId ctx ->
         do! ctx.Data.Page.update { pg with revisions = pg.revisions |> List.filter (fun r -> r.asOf <> rev.asOf) }
         do! addMessage ctx { UserMessage.success with message = "Revision deleted successfully" }
         return! bareForTheme "admin" "" next ctx (Hash.FromAnonymousObject {| content = "" |})
+    | Some _, Some _ -> return! Error.notAuthorized next ctx
     | None, _
     | _, None -> return! Error.notFound next ctx
 }
@@ -169,25 +175,24 @@ let deleteRevision (pgId, revDate) : HttpHandler = fun next ctx -> task {
 #nowarn "3511"
 
 // POST /admin/page/save
-let save : HttpHandler = fun next ctx -> task {
-    let! model  = ctx.BindFormAsync<EditPageModel> ()
-    let  webLog = ctx.WebLog
-    let  data   = ctx.Data
-    let  now    = DateTime.UtcNow
-    let! pg     = task {
+let save : HttpHandler = requireAccess Author >=> fun next ctx -> task {
+    let! model = ctx.BindFormAsync<EditPageModel> ()
+    let  data  = ctx.Data
+    let  now   = DateTime.UtcNow
+    let! pg    = task {
         match model.pageId with
         | "new" ->
             return Some
                 { Page.empty with
                     id          = PageId.create ()
-                    webLogId    = webLog.id
+                    webLogId    = ctx.WebLog.id
                     authorId    = ctx.UserId
                     publishedOn = now
                 }
-        | pgId -> return! data.Page.findFullById (PageId pgId) webLog.id
+        | pgId -> return! data.Page.findFullById (PageId pgId) ctx.WebLog.id
     }
     match pg with
-    | Some page ->
+    | Some page when canEdit page.authorId ctx ->
         let updateList = page.showInPageList <> model.isShownInPageList
         let revision   = { asOf = now; text = MarkupText.parse $"{model.source}: {model.text}" }
         // Detect a permalink change, and add the prior one to the prior list
@@ -217,5 +222,6 @@ let save : HttpHandler = fun next ctx -> task {
         if updateList then do! PageListCache.update ctx
         do! addMessage ctx { UserMessage.success with message = "Page saved successfully" }
         return! redirectToGet $"admin/page/{PageId.toString page.id}/edit" next ctx
+    | Some _ -> return! Error.notAuthorized next ctx
     | None -> return! Error.notFound next ctx
 }