Sanitize html (#3708)

[lemmy.git] / crates / api / src / local_user / ban_person.rs

diff --git a/crates/api/src/local_user/ban_person.rs b/crates/api/src/local_user/ban_person.rs
index b0686949a12c686f69e620e0886f5cf91cd59c2e..77e8e805680d56becda7ac62c628474c20b74b71 100644 (file)
--- a/crates/api/src/local_user/ban_person.rs
+++ b/crates/api/src/local_user/ban_person.rs
@@ -3,8 +3,7 @@ use actix_web::web::Data;
 use lemmy_api_common::{
   context::LemmyContext,
   person::{BanPerson, BanPersonResponse},
-  utils::{get_local_user_view_from_jwt, is_admin, remove_user_data},
-  websocket::UserOperation,
+  utils::{is_admin, local_user_view_from_jwt, remove_user_data, sanitize_html_opt},
 };
 use lemmy_db_schema::{
   source::{
@@ -13,32 +12,32 @@ use lemmy_db_schema::{
   },
   traits::Crud,
 };
-use lemmy_db_views_actor::structs::PersonViewSafe;
-use lemmy_utils::{error::LemmyError, utils::time::naive_from_unix, ConnectionId};
+use lemmy_db_views_actor::structs::PersonView;
+use lemmy_utils::{
+  error::{LemmyError, LemmyErrorExt, LemmyErrorType},
+  utils::{time::naive_from_unix, validation::is_valid_body_field},
+};
 
 #[async_trait::async_trait(?Send)]
 impl Perform for BanPerson {
   type Response = BanPersonResponse;
 
-  #[tracing::instrument(skip(context, websocket_id))]
-  async fn perform(
-    &self,
-    context: &Data<LemmyContext>,
-    websocket_id: Option<ConnectionId>,
-  ) -> Result<BanPersonResponse, LemmyError> {
+  #[tracing::instrument(skip(context))]
+  async fn perform(&self, context: &Data<LemmyContext>) -> Result<BanPersonResponse, LemmyError> {
     let data: &BanPerson = self;
-    let local_user_view =
-      get_local_user_view_from_jwt(&data.auth, context.pool(), context.secret()).await?;
+    let local_user_view = local_user_view_from_jwt(&data.auth, context).await?;
 
     // Make sure user is an admin
     is_admin(&local_user_view)?;
 
+    is_valid_body_field(&data.reason, false)?;
+
     let ban = data.ban;
     let banned_person_id = data.person_id;
     let expires = data.expires.map(naive_from_unix);
 
     let person = Person::update(
-      context.pool(),
+      &mut context.pool(),
       banned_person_id,
       &PersonUpdateForm::builder()
         .banned(Some(ban))
@@ -46,14 +45,14 @@ impl Perform for BanPerson {
         .build(),
     )
     .await
-    .map_err(|e| LemmyError::from_error_message(e, "couldnt_update_user"))?;
+    .with_lemmy_type(LemmyErrorType::CouldntUpdateUser)?;
 
     // Remove their data if that's desired
     let remove_data = data.remove_data.unwrap_or(false);
     if remove_data {
       remove_user_data(
         person.id,
-        context.pool(),
+        &mut context.pool(),
         context.settings(),
         context.client(),
       )
@@ -64,26 +63,19 @@ impl Perform for BanPerson {
     let form = ModBanForm {
       mod_person_id: local_user_view.person.id,
       other_person_id: data.person_id,
-      reason: data.reason.clone(),
+      reason: sanitize_html_opt(&data.reason),
       banned: Some(data.ban),
       expires,
     };
 
-    ModBan::create(context.pool(), &form).await?;
+    ModBan::create(&mut context.pool(), &form).await?;
 
     let person_id = data.person_id;
-    let person_view = PersonViewSafe::read(context.pool(), person_id).await?;
+    let person_view = PersonView::read(&mut context.pool(), person_id).await?;
 
-    let res = BanPersonResponse {
+    Ok(BanPersonResponse {
       person_view,
       banned: data.ban,
-    };
-
-    context
-      .chat_server()
-      .send_all_message(UserOperation::BanPerson, &res, websocket_id)
-      .await?;
-
-    Ok(res)
+    })
   }
 }