Style and security

2026-04-30 23:32:19 +00:00 · 2026-03-05 04:50:36 +01:00
parent d8d0da4704
commit 44fcd02d9a
30 changed files with 3407 additions and 321 deletions
@@ -3,6 +3,7 @@ package main
 import (
 	"fmt"
 	"log"
+	"os"
 	"time"

 	"gorm.io/driver/sqlite"
@@ -11,6 +12,10 @@ import (
 )

 func initDB() (*gorm.DB, error) {
+	if err := os.MkdirAll("data", 0750); err != nil {
+		return nil, fmt.Errorf("failed to create data directory: %w", err)
+	}
+
 	newLogger := logger.New(
 		log.New(log.Writer(), "\r\n", log.LstdFlags),
 		logger.Config{
@@ -20,15 +25,21 @@ func initDB() (*gorm.DB, error) {
 		},
 	)

-	db, err := gorm.Open(sqlite.Open("bot.db"), &gorm.Config{
+	db, err := gorm.Open(sqlite.Open("data/bot.db?_journal_mode=WAL&_busy_timeout=5000&_foreign_keys=on"), &gorm.Config{
 		Logger: newLogger,
 	})
 	if err != nil {
 		return nil, fmt.Errorf("failed to connect to database: %w", err)
 	}

+	sqlDB, err := db.DB()
+	if err != nil {
+		return nil, fmt.Errorf("failed to get underlying sql.DB: %w", err)
+	}
+	sqlDB.SetMaxOpenConns(1)
+
 	// AutoMigrate the models
-	err = db.AutoMigrate(&BotModel{}, &ConfigModel{}, &Message{}, &User{}, &Role{})
+	err = db.AutoMigrate(&BotModel{}, &ConfigModel{}, &Message{}, &User{}, &Role{}, &Scope{})
 	if err != nil {
 		return nil, fmt.Errorf("failed to migrate database schema: %w", err)
 	}
@@ -48,9 +59,59 @@ func initDB() (*gorm.DB, error) {
 		return nil, err
 	}

+	if err := createDefaultScopes(db); err != nil {
+		return nil, fmt.Errorf("createDefaultScopes: %w", err)
+	}
+
 	return db, nil
 }

+func createDefaultScopes(db *gorm.DB) error {
+	all := []string{
+		ScopeStatsViewOwn, ScopeStatsViewAny,
+		ScopeHistoryClearOwn, ScopeHistoryClearAny,
+		ScopeHistoryClearHardOwn, ScopeHistoryClearHardAny,
+		ScopeModelSet, ScopeUserPromote,
+	}
+	for _, name := range all {
+		if err := db.FirstOrCreate(&Scope{}, Scope{Name: name}).Error; err != nil {
+			return fmt.Errorf("failed to create scope %s: %w", name, err)
+		}
+	}
+
+	userScopes := []string{
+		ScopeStatsViewOwn,
+		ScopeHistoryClearOwn,
+		ScopeHistoryClearHardOwn,
+	}
+	elevatedScopes := []string{
+		ScopeStatsViewOwn, ScopeStatsViewAny,
+		ScopeHistoryClearOwn, ScopeHistoryClearAny,
+		ScopeHistoryClearHardOwn, ScopeHistoryClearHardAny,
+		ScopeModelSet, ScopeUserPromote,
+	}
+	assignments := map[string][]string{
+		"user":  userScopes,
+		"admin": elevatedScopes,
+		// owner gets the same scopes as admin; owner uniqueness is enforced by the IsOwner flag
+		"owner": elevatedScopes,
+	}
+	for roleName, scopes := range assignments {
+		var role Role
+		if err := db.Where("name = ?", roleName).First(&role).Error; err != nil {
+			return fmt.Errorf("role %s not found: %w", roleName, err)
+		}
+		var scopeModels []Scope
+		if err := db.Where("name IN ?", scopes).Find(&scopeModels).Error; err != nil {
+			return fmt.Errorf("failed to find scopes for %s: %w", roleName, err)
+		}
+		if err := db.Model(&role).Association("Scopes").Replace(scopeModels); err != nil {
+			return fmt.Errorf("failed to assign scopes to %s: %w", roleName, err)
+		}
+	}
+	return nil
+}
+
 func createDefaultRoles(db *gorm.DB) error {
 	roles := []string{"user", "admin", "owner"}
 	for _, roleName := range roles {