image uploader tampering

lib/philomena/images.ex

@@ -297,6 +297,12 @@ defmodule Philomena.Images do
     }
   end
 
+  def update_uploader(%Image{} = image, attrs) do
+    image
+    |> Image.uploader_changeset(attrs)
+    |> Repo.update()
+  end
+
   def hide_image(%Image{} = image, user, attrs) do
     Image.hide_changeset(image, attrs, user)
     |> internal_hide_image(image)

lib/philomena/images/image.ex

@@ -230,6 +230,21 @@ defmodule Philomena.Images.Image do
     |> put_assoc(:source_changes, [])
   end
 
+  def uploader_changeset(image, attrs) do
+    user_id =
+      if attrs["username"] not in [nil, ""] do
+        Repo.get_by!(User, name: attrs["username"]).id
+      else
+        nil
+      end
+
+    image
+    |> cast(attrs, [:anonymous])
+    |> put_change(:user_id, user_id)
+    |> put_change(:ip, %Postgrex.INET{address: {127, 0, 0, 1}, netmask: 32})
+    |> put_change(:fingerprint, "ffff")
+  end
+
   def cache_changeset(image) do
     changeset = change(image)
     image = apply_changes(changeset)

lib/philomena_web/controllers/image/uploader_controller.ex

@@ -0,0 +1,30 @@
+defmodule PhilomenaWeb.Image.UploaderController do
+  use PhilomenaWeb, :controller
+
+  alias Philomena.Images.Image
+  alias Philomena.Images
+  alias Philomena.Repo
+
+  plug :verify_authorized
+  plug :load_resource, model: Image, id_name: "image_id", persisted: true
+
+  def update(conn, %{"image" => image_params}) do
+    {:ok, image} = Images.update_uploader(conn.assigns.image, image_params)
+
+    Images.reindex_image(image)
+
+    image = Repo.preload(image, user: [awards: :badge])
+    changeset = Images.change_image(image)
+
+    conn
+    |> put_view(PhilomenaWeb.ImageView)
+    |> render("_uploader.html", layout: false, image: image, changeset: changeset)
+  end
+
+  defp verify_authorized(conn, _opts) do
+    case Canada.Can.can?(conn.assigns.current_user, :show, :ip_address) do
+      true   -> conn
+      _false -> PhilomenaWeb.NotAuthorizedPlug.call(conn)
+    end
+  end
+end

lib/philomena_web/router.ex

@@ -127,6 +127,7 @@ defmodule PhilomenaWeb.Router do
       resources "/feature", Image.FeatureController, only: [:create], singleton: true
       resources "/file", Image.FileController, only: [:update], singleton: true
       resources "/scratchpad", Image.ScratchpadController, only: [:edit, :update], singleton: true
+      resources "/uploader", Image.UploaderController, only: [:update], singleton: true
 
       resources "/comment_lock", Image.CommentLockController, only: [:create, :delete], singleton: true
       resources "/description_lock", Image.DescriptionLockController, only: [:create, :delete], singleton: true

lib/philomena_web/templates/image/_image_meta.html.slime

@@ -51,14 +51,8 @@
     div
       ' Uploaded
       => pretty_time(@image.created_at)
-      span.image_uploader
-        ' by
-        => render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @image, awards: true, conn: @conn
-        = if can?(@conn, :show, :ip_address) do
-          => link_to_ip(@conn, @image.ip)
-          => link_to_fingerprint(@conn, @image.fingerprint)
-          a href="#"
-            i.fas.fa-edit
+      = render PhilomenaWeb.ImageView, "_uploader.html", assigns
+
     span.image-size
       |  
       = @image.image_width

lib/philomena_web/templates/image/_uploader.html.slime

@@ -0,0 +1,21 @@
+span.image_uploader
+  ' by
+  => render PhilomenaWeb.UserAttributionView, "_anon_user.html", object: @image, awards: true, conn: @conn
+
+  = if can?(@conn, :show, :ip_address) do
+    => link_to_ip(@conn, @image.ip)
+    => link_to_fingerprint(@conn, @image.fingerprint)
+    a#edit-uploader href="#" data-click-hide=".image_uploader" data-click-show="#uploader-form"
+      i.fas.fa-edit
+
+= if can?(@conn, :show, :ip_address) do
+  = form_for @changeset, Routes.image_uploader_path(@conn, :update, @image), [class: "block__content hidden", id: "uploader-form", data: [remote: "true", method: "put"]], fn f ->
+    => label f, :username, "Uploader"
+    => text_input f, :username, value: username(@image.user), class: "input input--short input--small"
+
+    => label f, :anonymous
+    = checkbox f, :anonymous, class: "checkbox"
+
+    = submit "Save Changes", class: "button button--small", data: [disable_with: raw("Saving…")]
+
+    div Changes IP to '127.0.0.1' and FP to 'ffff'. Empty for anonymous.

lib/philomena_web/templates/image/show.html.slime

@@ -1,4 +1,4 @@
-= render PhilomenaWeb.ImageView, "_image_meta.html", image: @image, watching: @watching, image_galleries: @image_galleries, user_galleries: @user_galleries, conn: @conn
+= render PhilomenaWeb.ImageView, "_image_meta.html", image: @image, watching: @watching, image_galleries: @image_galleries, user_galleries: @user_galleries, changeset: @image_changeset, conn: @conn
 = render PhilomenaWeb.ImageView, "_image_page.html", image: @image, conn: @conn
 
 .layout--narrow

lib/philomena_web/views/image_view.ex

@@ -142,6 +142,9 @@ defmodule PhilomenaWeb.ImageView do
     Tag.display_order(tags)
   end
 
+  def username(%{name: name}), do: name
+  def username(_user), do: nil
+
   def scope(conn), do: Philomena.ImageScope.scope(conn)
 
   def anonymous_by_default?(conn) do