1 files changed, 42 insertions, 12 deletions

diff --git a/captain/requtils.f90 b/captain/requtils.f90
index 41eacc6..620170a 100644
--- a/captain/requtils.f90
+++ b/captain/requtils.f90
@@ -71,6 +71,24 @@ contains
         end if
         
     end function notfound_code
+    
+    pure function notpermitted_code(req)
+    use http, only: HTTP_UNAUTHORIZED => HTTP_CODE_UNAUTHORIZED
+    use server_response, only: request, GEMINI_UNAUTHORIZED => GEMINI_CODE_BAD_REQUEST
+    implicit none
+    
+        class(request), intent(in)::req
+        integer::notpermitted_code
+    
+        if(req%protocol == 'gemini') then
+            ! You might think we'd use Gemini certificates, but fuck certificates...
+            ! Just fail with a bad request.
+            notpermitted_code = GEMINI_UNAUTHORIZED
+        else
+            notpermitted_code = HTTP_UNAUTHORIZED 
+        end if
+        
+    end function notpermitted_code
 
     subroutine basic_mimetype(actual_filename, mimetype) 
     use utilities, only: get_one_line_output_shell_command
@@ -239,19 +257,30 @@ contains
         call req%path_component(1, category)
         call req%path_starting_with_component(2, filename)
         
-        resp%body_filename => get_special_full_filename(trim(category), trim(filename))
-    
-        inquire(file=resp%body_filename, exist=exists)
-        if(.not. exists) then
-        
-            resp%code = notfound_code(req)
-            call write_log("File did not exist: "//resp%body_filename, LOG_NORMAL)
+        if((req%auth_level < global_permissions%get("view-raw-instructions") .and. trim(category) == "instructions") .or. &
+           (req%auth_level < global_permissions%get("access-releases") .and. trim(category) == "releases")  .or. &
+           (req%auth_level < global_permissions%get("access-logs") .and. trim(category) == "results")) &
+        then
             
+            resp%code = notpermitted_code(req)
+        
         else
+        
+            resp%body_filename => get_special_full_filename(trim(category), trim(filename))
+    
+            inquire(file=resp%body_filename, exist=exists)
+            if(.not. exists) then
             
-            resp%code = success_code(req)
-            call basic_mimetype(resp%body_filename, resp%body_mimetype)
+                resp%code = notfound_code(req)
+                call write_log("File did not exist: "//resp%body_filename, LOG_NORMAL)
+                
+            else
+                
+                resp%code = success_code(req)
+                call basic_mimetype(resp%body_filename, resp%body_mimetype)
 
+            end if
+            
         end if
     
     end function request_static
@@ -652,6 +681,7 @@ contains
     use captain_db
     use server_response
     use remote_launch
+    use config, only: global_permissions
     implicit none
     
         type(request), intent(in)::req
@@ -668,15 +698,15 @@ contains
         command = req%query_string(1:i-1)
         argument = req%query_string(i+1:len_trim(req%query_string))
         
-        if(trim(command) == "launch") then
+        if(trim(command) == "launch" .and. req%auth_level >= global_permissions%get("launch-job")) then
             call launch_instructions_on_player(instruction_name, argument)
             
-        else if(trim(command) == "assign") then
+        else if(trim(command) == "assign" .and. req%auth_level >= global_permissions%get("assign-instructions")) then
             i = get_instruction_id(trim(instruction_name))
             j = get_player_id(trim(argument))
             call add_player_for_instruction(i, j)
             
-        else if(trim(command) == "remove") then
+        else if(trim(command) == "remove" .and. req%auth_level >= global_permissions%get("assign-instructions")) then
             i = get_instruction_id(trim(instruction_name))
             j = get_player_id(trim(argument))
             call remove_player_for_instruction(i, j)