GeneralBots/botserver
2
1
Fork 0
Code Activity Actions
botserver/src/basic/keywords/social/delete_post.rs
Rodrigo Rodriguez (Pragmatismo) c67aaa677a feat(security): Complete security infrastructure implementation 
SECURITY MODULES ADDED:
- security/auth.rs: Full RBAC with roles (Anonymous, User, Moderator, Admin, SuperAdmin, Service, Bot, BotOwner, BotOperator, BotViewer) and permissions
- security/cors.rs: Hardened CORS (no wildcard in production, env-based config)
- security/panic_handler.rs: Panic catching middleware with safe 500 responses
- security/path_guard.rs: Path traversal protection, null byte prevention
- security/request_id.rs: UUID request tracking with correlation IDs
- security/error_sanitizer.rs: Sensitive data redaction from responses
- security/zitadel_auth.rs: Zitadel token introspection and role mapping
- security/sql_guard.rs: SQL injection prevention with table whitelist
- security/command_guard.rs: Command injection prevention
- security/secrets.rs: Zeroizing secret management
- security/validation.rs: Input validation utilities
- security/rate_limiter.rs: Rate limiting with governor crate
- security/headers.rs: Security headers (CSP, HSTS, X-Frame-Options)

MAIN.RS UPDATES:
- Replaced tower_http::cors::Any with hardened create_cors_layer()
- Added panic handler middleware
- Added request ID tracking middleware
- Set global panic hook

SECURITY STATUS:
- 0 unwrap() in production code
- 0 panic! in production code
- 0 unsafe blocks
- cargo audit: PASS (no vulnerabilities)
- Estimated completion: ~98%

Remaining: Wire auth middleware to handlers, audit logs for sensitive data
2025-12-28 19:29:18 -03:00

55 lines
1.8 KiB
Rust
Raw Blame History

use crate::shared::models::UserSession;
use crate::shared::state::AppState;
use diesel::prelude::*;
use log::{debug, trace};
use rhai::{Dynamic, Engine};
use std::sync::Arc;
pub fn delete_post_keyword(state: Arc<AppState>, user: UserSession, engine: &mut Engine) {
let state_clone = Arc::clone(&state);
let user_clone = user;
engine
.register_custom_syntax(
["DELETE", "POST", "$expr$"],
false,
move |context, inputs| {
let post_id = context.eval_expression_tree(&inputs[0])?.to_string();
let post_id = post_id.trim_matches('"');
trace!("DELETE POST: {}", post_id);
let mut conn = state_clone
.conn
.get()
.map_err(|e| format!("DB error: {}", e))?;
let result =
delete_social_post(&mut conn, user_clone.bot_id, post_id).map_err(|e| {
Box::new(rhai::EvalAltResult::ErrorRuntime(
format!("DELETE POST failed: {}", e).into(),
rhai::Position::NONE,
))
})?;
Ok(Dynamic::from(result))
},
)
.expect("valid syntax registration");
debug!("Registered DELETE POST keyword");
}
fn delete_social_post(
conn: &mut diesel::PgConnection,
bot_id: uuid::Uuid,
post_id: &str,
) -> Result<bool, String> {
let result = diesel::sql_query("DELETE FROM social_posts WHERE bot_id = $1 AND id = $2")
.bind::<diesel::sql_types::Uuid, _>(bot_id)
.bind::<diesel::sql_types::Text, _>(post_id)
.execute(conn)
.map_err(|e| format!("Failed to delete post: {}", e))?;
Ok(result > 0)
}
View git blame Copy permalink