From f4612fd542ed0c8f68f84e2003f9b85be7a7edb1 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Ferdinand=20M=C3=BCtsch?= Date: Fri, 11 Jun 2021 16:02:28 +0200 Subject: [PATCH] fix: badge endpoint permission fixes (resolve #205) fix: reference past x days intervals from now instead of start of day --- README.md | 3 +-- routes/compat/shields/v1/badge.go | 17 +++++++++++++++-- utils/summary.go | 11 ++++++----- version.txt | 2 +- 4 files changed, 23 insertions(+), 10 deletions(-) diff --git a/README.md b/README.md index 60a75bf..9995b80 100644 --- a/README.md +++ b/README.md @@ -4,14 +4,13 @@

- +

-

diff --git a/routes/compat/shields/v1/badge.go b/routes/compat/shields/v1/badge.go
index f85f489..06c49e0 100644
--- a/routes/compat/shields/v1/badge.go
+++ b/routes/compat/shields/v1/badge.go
@@ -16,7 +16,7 @@ import (
 const (
 intervalPattern = `interval:([a-z0-9_]+)`
- entityFilterPattern = `(project|os|editor|language|machine):([_a-zA-Z0-9-]+)`
+ entityFilterPattern = `(project|os|editor|language|machine):([_a-zA-Z0-9-\s]+)`
 )
 type BadgeHandler struct {
@@ -75,7 +75,7 @@ func (h *BadgeHandler) Get(w http.ResponseWriter, r *http.Request) {
 }
 _, rangeFrom, rangeTo := utils.ResolveIntervalTZ(interval, user.TZ())
- minStart := utils.StartOfDay(rangeTo.Add(-24 * time.Hour * time.Duration(user.ShareDataMaxDays)))
+ minStart := rangeTo.Add(-24 * time.Hour * time.Duration(user.ShareDataMaxDays))
 // negative value means no limit
 if rangeFrom.Before(minStart) && user.ShareDataMaxDays >= 0 {
 w.WriteHeader(http.StatusForbidden)
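Review bot: In `entityFilterPattern` the added `\s` accepts tabs, newlines, carriage returns and form feeds in the filter key, not only the plain space that the change is presumably meant to allow. The captured key goes into the cache key and the summary filter (visible in the third hunk of this file), so the accepted set is better kept minimal, with a literal space in the class: `[_a-zA-Z0-9 -]+`. How the pattern is applied to the request is outside this hunk, so whether the match is anchored cannot be confirmed from here.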
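Review bot: `minStart` in `BadgeHandler.Get` is now `rangeTo.Add(-24 * time.Hour * ...)`, a fixed number of elapsed hours, while the same commit computes the interval start in `utils.ResolveIntervalTZ` with `now.AddDate(0, 0, -7)`, which keeps the wall-clock time in the user's zone. In a zone that set its clocks back inside the window, the `AddDate` start is an hour earlier than `minStart`, so a user whose `ShareDataMaxDays` equals the requested window gets the 403 for a range they opted in to share. Using the same calendar arithmetic avoids that: `minStart := rangeTo.AddDate(0, 0, -user.ShareDataMaxDays)` (with an `int(...)` conversion if the field's type needs one). The 403 branch that follows continues past the end of this hunk.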
@@ -83,22 +83,35 @@ func (h *BadgeHandler) Get(w http.ResponseWriter, r *http.Request) {
 return
 }
+ var permitEntity bool
 var filters *models.Filters
 switch filterEntity {
 case "project":
+ permitEntity = user.ShareProjects
 filters = models.NewFiltersWith(models.SummaryProject, filterKey)
 case "os":
+ permitEntity = user.ShareOSs
 filters = models.NewFiltersWith(models.SummaryOS, filterKey)
 case "editor":
+ permitEntity = user.ShareEditors
 filters = models.NewFiltersWith(models.SummaryEditor, filterKey)
 case "language":
+ permitEntity = user.ShareLanguages
 filters = models.NewFiltersWith(models.SummaryLanguage, filterKey)
 case "machine":
+ permitEntity = user.ShareMachines
 filters = models.NewFiltersWith(models.SummaryMachine, filterKey)
 default:
+ permitEntity = true
 filters = &models.Filters{}
 }
+ if !permitEntity {
+ w.WriteHeader(http.StatusForbidden)
+ w.Write([]byte("user did not opt in to share entity-specific data"))
+ return
+ }
+
 cacheKey := fmt.Sprintf("%s_%v_%s_%s", user.ID, *interval, filterEntity, filterKey)
 if cacheResult, ok := h.cache.Get(cacheKey); ok {
 utils.RespondJSON(w, r, http.StatusOK, cacheResult.(*v1.BadgeData))
diff --git a/utils/summary.go b/utils/summary.go
index 7374ac0..4a78e2c 100644
--- a/utils/summary.go
+++ b/utils/summary.go
@@ -30,7 +30,8 @@ func ResolveIntervalRawTZ(interval string, tz *time.Location) (err error, from,
 }
 func ResolveIntervalTZ(interval *models.IntervalKey, tz *time.Location) (err error, from, to time.Time) {
- to = time.Now().In(tz)
+ now := time.Now().In(tz)
+ to = now
 switch interval {
 case models.IntervalToday:
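Review bot: In the `switch filterEntity` of `BadgeHandler.Get` (routes/compat/shields/v1/badge.go) the `default:` branch sets `permitEntity = true`, so any entity name that reaches the switch without a case of its own is served without a sharing check and with an empty filter. With the current `entityFilterPattern` that is presumably only the request that carries no filter, but an entity added to the pattern later without a matching case would skip the opt-in flags. I would make the unfiltered request explicit and deny everything else: a `case "":` that keeps `permitEntity = true` and `filters = &models.Filters{}`, and a `default:` that leaves `permitEntity` false, assuming `filterEntity` is empty when no filter was given. `Get` starts and ends outside this hunk.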
@@ -51,16 +52,16 @@ func ResolveIntervalTZ(interval *models.IntervalKey, tz *time.Location) (err err
 case models.IntervalThisYear:
 from = StartOfThisYear(tz)
 case models.IntervalPast7Days:
- from = StartOfToday(tz).AddDate(0, 0, -7)
+ from = now.AddDate(0, 0, -7)
 case models.IntervalPast7DaysYesterday:
 from = StartOfToday(tz).AddDate(0, 0, -1).AddDate(0, 0, -7)
 to = StartOfToday(tz).AddDate(0, 0, -1)
 case models.IntervalPast14Days:
- from = StartOfToday(tz).AddDate(0, 0, -14)
+ from = now.AddDate(0, 0, -14)
 case models.IntervalPast30Days:
- from = StartOfToday(tz).AddDate(0, 0, -30)
+ from = now.AddDate(0, 0, -30)
 case models.IntervalPast12Months:
- from = StartOfToday(tz).AddDate(0, -12, 0)
+ from = now.AddDate(0, -12, 0)
 case models.IntervalAny:
 from = time.Time{}
 default:
diff --git a/version.txt b/version.txt
index 3bae520..d620158 100644
--- a/version.txt
+++ b/version.txt
@@ -1 +1 @@
-1.27.3
+1.27.4
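Review bot: The four `now.AddDate(...)` cases in `ResolveIntervalTZ` (utils/summary.go) change the past-7/14/30-day and past-12-month ranges for every caller of this exported helper, not only for the badge handler the commit is about, while `IntervalPast7DaysYesterday` stays aligned to the start of the day. No doc comment is visible on the function, so the mixed behaviour is easy to miss; I would add one above the signature, for example `// ResolveIntervalTZ resolves an interval key to a time range in tz. The "past N days/months" intervals start exactly that long before the current instant; IntervalPast7DaysYesterday is aligned to the start of the day.` The other callers are outside this diff, so whether any of them relies on a start-of-day `from` should be checked. The switch starts and ends outside this hunk.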