fix: close web access to foreign groups and sessions

2026-04-23 20:09:22 +03:00
parent ecc2236937
commit 1c4cfb71c0
14 changed files with 352 additions and 49 deletions
@@ -2,8 +2,10 @@
@using GmRelay.Web.Services
@using GmRelay.Shared.Domain
@using Microsoft.AspNetCore.Authorization
+@using Microsoft.AspNetCore.Components.Authorization
@attribute [Authorize]
-@inject SessionService SessionService
+@inject AuthorizedSessionService SessionService
+@inject AuthenticationStateProvider AuthStateProvider
@inject NavigationManager Navigation

 <PageTitle>Редактирование сессии — GM-Relay</PageTitle>
@@ -73,19 +75,28 @@
    [Parameter] public Guid SessionId { get; set; }
    private WebSession? session;
    private SessionEditModel model = new();
-    private bool isSubmitting = false;
+    private bool isSubmitting;
    private string? errorMessage;

    protected override async Task OnInitializedAsync()
    {
-        session = await SessionService.GetSessionAsync(SessionId);
-        if (session != null)
+        var authState = await AuthStateProvider.GetAuthenticationStateAsync();
+        if (!authState.User.TryGetTelegramId(out var telegramId))
        {
-            model.Title = session.Title;
-            // Convert UTC to Moscow for the picker
-            model.ScheduledAtLocal = session.ScheduledAt.ToMoscow();
-            model.JoinLink = session.JoinLink;
+            Navigation.NavigateTo("/access-denied");
+            return;
        }
+
+        session = await SessionService.GetSessionForGmAsync(SessionId, telegramId);
+        if (session is null)
+        {
+            Navigation.NavigateTo("/access-denied");
+            return;
+        }
+
+        model.Title = session.Title;
+        model.ScheduledAtLocal = session.ScheduledAt.ToMoscow();
+        model.JoinLink = session.JoinLink;
    }

    private async Task HandleSubmit()
@@ -95,13 +106,22 @@

        try
        {
-            // The value from <input type="datetime-local"> is considered as "unspecified" or local to browser.
-            // We treat it as Moscow time (UTC+3) and convert to UTC.
+            var authState = await AuthStateProvider.GetAuthenticationStateAsync();
+            if (!authState.User.TryGetTelegramId(out var telegramId))
+            {
+                Navigation.NavigateTo("/access-denied");
+                return;
+            }
+
            var utcTime = new DateTimeOffset(model.ScheduledAtLocal, TimeSpan.FromHours(3)).ToUniversalTime().UtcDateTime;

-            await SessionService.UpdateSessionAsync(SessionId, model.Title, utcTime, model.JoinLink);
+            await SessionService.UpdateSessionForGmAsync(SessionId, telegramId, model.Title, utcTime, model.JoinLink);
            Navigation.NavigateTo($"/group/{session!.GroupId}");
        }
+        catch (SessionAccessDeniedException)
+        {
+            Navigation.NavigateTo("/access-denied");
+        }
        catch (Exception ex)
        {
            errorMessage = "Не удалось сохранить изменения: " + ex.Message;