From f27b4a03e956906f85376c9d0101335e546dffb1 Mon Sep 17 00:00:00 2001 From: FoxxMD Date: Thu, 19 Aug 2021 11:12:41 -0400 Subject: [PATCH] Fix access bug and allow specifying invite code * Fix any authenticated user being able to access dashboard (condition flipped) * User can specify invite code so urls are friendly and can be recreated on instance restart --- src/Web/Client/index.ts | 7 ++++--- src/Web/assets/views/helper.ejs | 18 ++++-------------- 2 files changed, 8 insertions(+), 17 deletions(-) diff --git a/src/Web/Client/index.ts b/src/Web/Client/index.ts index 7bc0348..c1729ab 100644 --- a/src/Web/Client/index.ts +++ b/src/Web/Client/index.ts @@ -411,6 +411,7 @@ const webClient = async (options: OperatorConfig) => { redirect: redir, instance, subreddit, + code, } = req.body as any; const cid = ci || clientId; @@ -427,7 +428,7 @@ const webClient = async (options: OperatorConfig) => { return res.status(400).send('redirectUrl is required'); } - const inviteId = randomId(); + const inviteId = code || randomId(); invites.set(inviteId, { permissions, clientId: (ci || clientId).trim(), @@ -581,8 +582,8 @@ const webClient = async (options: OperatorConfig) => { const user = req.user as Express.User; const isOperator = instance.operators.includes(user.name); - const canAccessBot = isOperator || intersect(user.subreddits, instance.subreddits).length === 0; - if (user.isOperator && !canAccessBot) { + const canAccessBot = isOperator || intersect(user.subreddits, instance.subreddits).length > 0; + if (!user.isOperator && !canAccessBot) { return res.status(404).render('error', {error: msg}); } diff --git a/src/Web/assets/views/helper.ejs b/src/Web/assets/views/helper.ejs index f278f3e..9f18157 100644 --- a/src/Web/assets/views/helper.ejs +++ b/src/Web/assets/views/helper.ejs @@ -171,6 +171,8 @@
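Review bot: `code` is pulled out of `req.body as any` in the first hunk and used unvalidated as the map key in `const inviteId = code || randomId();` in the second: nothing checks that it is a string, bounds its length or charset, or that `invites` does not already hold that key, so a repeated or colliding code silently overwrites a pending invite's permissions and clientId. Because the value also replaces the random id in the invite URL, a short or predictable operator-chosen code makes the link guessable, so a minimum length is worth enforcing with the type check. Before the `invites.set` I would add `if (code !== undefined && (typeof code !== 'string' || !/^[A-Za-z0-9_-]{8,64}$/.test(code))) { return res.status(400).send('code must be 8-64 characters of [A-Za-z0-9_-]'); }` and `if (code !== undefined && invites.has(code)) { return res.status(409).send('invite code already in use'); }` (pattern and bounds are a suggested starting point, not taken from the page). The `webClient` handler starts and ends outside these hunks.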
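Review bot: The corrected check in the third hunk folds the instance-operator test into `canAccessBot` but then re-tests a different operator flag in the `if`, so a reader has to reconcile `isOperator` (from `instance.operators`) with `user.isOperator` to see who is let through; since this is the exact condition that was inverted before, the intent should be explicit and pinned by a unit test covering global operator, instance operator, shared-subreddit user and the denied case. Written as `const sharesSubreddit = intersect(user.subreddits, instance.subreddits).length > 0;`, `const canAccessBot = user.isOperator || isOperator || sharesSubreddit;` and `if (!canAccessBot) { return res.status(404).render('error', {error: msg}); }` it reads in one pass with identical behaviour. The enclosing handler starts and ends outside the hunk.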
4. Create Authorization Invite
+
A unique link will be generated that you (or someone) will use to authorize a Reddit account with this application.
@@ -189,24 +191,11 @@ document.querySelector('#doAuth').addEventListener('click', e => { e.preventDefault() - const currParams = new URLSearchParams(document.location.search); - - const params = new URLSearchParams(); - params.append('redirect', document.querySelector('#redirectUri').value); - params.append('clientId', document.querySelector('#clientId').value); - params.append('clientSecret', document.querySelector('#clientSecret').value); - const permissions = {}; document.querySelectorAll('.permissionToggle').forEach((el) => { permissions[el.id] = el.checked; - params.append(el.id, el.checked ? 1 : 0); }); - - if (currParams.has('token')) { - params.append('token', currParams.get('token')); - } - fetch(`${document.location.origin}/auth/create`, { method: 'POST', headers: { @@ -216,8 +205,8 @@ redirect: document.querySelector('#redirectUri').value, clientId: document.querySelector('#clientId').value, clientSecret: document.querySelector('#clientSecret').value, + code: document.querySelector("#inviteCode").value === '' ? undefined : document.querySelector("#inviteCode").value, permissions, - token: currParams.get('token'), }) }).then((resp) => { if(!resp.ok) { @@ -227,6 +216,7 @@ }); } else { document.querySelector("#errorWrapper").classList.add('hidden'); + document.querySelector("#inviteCode").value = ''; resp.text().then(t => { document.querySelector("#inviteLink").innerHTML = `Invite Link: ${document.location.origin}/auth/invite?invite=${t}`; });
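Review bot: This hunk (together with the `token:` removal in the next one) stops forwarding the `token` query parameter to `/auth/create`, which the commit message does not mention; if the server-side handler still reads `req.body.token` (not visible here), the request now loses it silently. Either state in the description that the token round-trip is intentionally dropped, or keep `token: currParams.get('token')` in the body until the server side is confirmed. The click handler continues outside the hunk.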
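Review bot: The new `code:` line queries `#inviteCode` twice and sends whitespace-only input as-is, so a value of a few spaces is posted as `code` and, given `code || randomId()` on the server, becomes the invite id. Read the field once and trim it before the fetch: `const inviteCode = document.querySelector('#inviteCode').value.trim();` followed by `code: inviteCode === '' ? undefined : inviteCode,` in the body. The fetch call this line belongs to begins in the previous hunk's context.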
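Review bot: With `code` now user-chosen, the response text `t` that the context line under the added `#inviteCode` reset interpolates into `invite?invite=${t}` is presumably no longer a random id (assuming the server echoes the chosen code), yet it is neither URL-encoded nor written as text: characters such as `&`, `#` or spaces yield a broken link, and the value lands in the page through `innerHTML`. Build the link with `encodeURIComponent(t)` and assign it via `textContent`, e.g. `document.querySelector("#inviteLink").textContent = \`Invite Link: ${document.location.origin}/auth/invite?invite=${encodeURIComponent(t)}\`;`. The `.then` callback continues outside the hunk.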