80 lines
2.4 KiB
TypeScript
80 lines
2.4 KiB
TypeScript
export async function onRequestGet(context: RequestContext) {
|
|
const { searchParams } = new URL(context.request.url);
|
|
const before = parseInt(searchParams.get("before") || `${Date.now()}`);
|
|
const entryType = searchParams.get("type");
|
|
const showClosed = searchParams.get("showClosed") === "true";
|
|
const tables: { [k: string]: string } = {
|
|
appeal: "appeals",
|
|
gma: "game_appeals",
|
|
report: "reports",
|
|
};
|
|
const types: { [k: string]: string } = {
|
|
appeal: "appeal",
|
|
gma: "gameappeal",
|
|
report: "report",
|
|
};
|
|
const permissions: { [k: string]: number[] } = {
|
|
appeal: [1 << 0, 1 << 1],
|
|
gma: [1 << 5],
|
|
report: [1 << 5],
|
|
};
|
|
const { current_user: currentUser } = context.data;
|
|
|
|
if (!entryType || !types[entryType])
|
|
return new Response('{"error":"Invalid filter type"}', {
|
|
headers: {
|
|
"content-type": "application/json",
|
|
},
|
|
status: 400,
|
|
});
|
|
|
|
if (!permissions[entryType].find((p) => currentUser.permissions & p))
|
|
return new Response('{"error":"You cannot use this filter"}', {
|
|
headers: {
|
|
"content-type": "application/json",
|
|
},
|
|
status: 403,
|
|
});
|
|
|
|
if (isNaN(before) || before > Date.now())
|
|
return new Response('{"error":"Invalid `before` parameter"}', {
|
|
headers: {
|
|
"content-type": "application/json",
|
|
},
|
|
status: 400,
|
|
});
|
|
|
|
const prefix = types[entryType];
|
|
const table = tables[entryType];
|
|
const items = [];
|
|
const { results }: { results?: { created_at: number; id: string }[] } =
|
|
/*
|
|
This is normally VERY BAD and can lead to injection attacks
|
|
However, there is no other way to do this, as using bindings for table names is unsupported apparently
|
|
To avoid any potential injection attacks we enforce a list of specific values and permissions for table names
|
|
*/
|
|
await context.env.D1.prepare(
|
|
`SELECT id
|
|
FROM ${table}
|
|
WHERE created_at < ? ${entryType === "gma" ? "" : "AND open = ?"}
|
|
ORDER BY created_at DESC LIMIT 25;`,
|
|
)
|
|
.bind(before, Number(!showClosed))
|
|
.all();
|
|
|
|
if (results)
|
|
for (const { id } of results) {
|
|
const item = await context.env.DATA.get(`${prefix}_${id}`, {
|
|
type: "json",
|
|
});
|
|
|
|
if (item) items.push({ ...item, id });
|
|
}
|
|
|
|
return new Response(JSON.stringify(items.filter((v) => v !== null)), {
|
|
headers: {
|
|
"content-type": "application/json",
|
|
},
|
|
});
|
|
}
|