core: add permission check for domain management routes

packages/hydrooj/src/handler/domain.ts

@@ -131,6 +131,7 @@ class DomainDashboardHandler extends ManageHandler {
 }
 
 class DomainUserHandler extends ManageHandler {
+    @requireSudo
     async get({ domainId }) {
         const rudocs = {};
         const [dudocs, roles] = await Promise.all([
@@ -156,6 +157,7 @@ class DomainUserHandler extends ManageHandler {
         };
     }
 
+    @requireSudo
     @post('uid', Types.Int)
     @post('role', Types.Name)
     async postSetUser(domainId: string, uid: number, role: string) {
@@ -166,6 +168,7 @@ class DomainUserHandler extends ManageHandler {
         this.back();
     }
 
+    @requireSudo
     @param('uid', Types.NumericArray)
     @param('role', Types.Name)
     async postSetUsers(domainId: string, uid: number[], role: string) {
@@ -178,6 +181,7 @@ class DomainUserHandler extends ManageHandler {
 }
 
 class DomainPermissionHandler extends ManageHandler {
+    @requireSudo
     async get({ domainId }) {
         const roles = await domain.getRoles(domainId);
         this.response.template = 'domain_permission.html';
@@ -186,6 +190,7 @@ class DomainPermissionHandler extends ManageHandler {
         };
     }
 
+    @requireSudo
     async post({ domainId }) {
         const roles = {};
         delete this.request.body.csrfToken;
@@ -202,6 +207,7 @@ class DomainPermissionHandler extends ManageHandler {
 }
 
 class DomainRoleHandler extends ManageHandler {
+    @requireSudo
     async get({ domainId }) {
         const roles = await domain.getRoles(domainId, true);
         this.response.template = 'domain_role.html';
@@ -218,6 +224,7 @@ class DomainRoleHandler extends ManageHandler {
         this.back();
     }
 
+    @requireSudo
     @param('roles', Types.Array)
     async postDelete(domainId: string, roles: string[]) {
         if (Set.intersection(roles, ['root', 'default', 'guest']).size > 0) {
@@ -243,6 +250,7 @@ class DomainJoinApplicationsHandler extends ManageHandler {
         this.response.template = 'domain_join_applications.html';
     }
 
+    @requireSudo
     @post('method', Types.Range([domain.JOIN_METHOD_NONE, domain.JOIN_METHOD_ALL, domain.JOIN_METHOD_CODE]))
     @post('role', Types.Name, true)
     @post('expire', Types.Int, true)

packages/hydrooj/src/handler/training.ts

@@ -3,13 +3,12 @@ import { FilterQuery, ObjectID } from 'mongodb';
 import { ProblemNotFoundError, ValidationError } from '../error';
 import { Tdoc, TrainingDoc } from '../interface';
 import paginate from '../lib/paginate';
-import { PERM, PRIV } from '../model/builtin';
-import * as builtin from '../model/builtin';
+import { PERM, PRIV, STATUS } from '../model/builtin';
+import DomainModel from '../model/domain';
 import problem from '../model/problem';
 import * as system from '../model/system';
 import * as training from '../model/training';
 import user from '../model/user';
-import { DomainModel } from '../plugin-api';
 import * as bus from '../service/bus';
 import { Handler, param, Types } from '../service/server';
 
@@ -126,7 +125,7 @@ class TrainingDetailHandler extends Handler {
             if (!+pid) continue;
             const psdoc = psdict[pid];
             if (psdoc.status) {
-                if (psdoc.status === builtin.STATUS.STATUS_ACCEPTED) donePids.add(+pid);
+                if (psdoc.status === STATUS.STATUS_ACCEPTED) donePids.add(+pid);
                 else progPids.add(+pid);
             }
         }