H2: auth-gate cinema/poll admin ops (TDD)

Failing tests first (6 red: unauth /new-film created a film, etc). new-film / new-showing /
offering-add|update|remove / add-poll / new-event moved from the public route list into
host/blog-write-routes behind protect-html — same gate as every blog write. /vote, /buy-ticket,
/buy stay public (voters + customers) with explicit tests pinning that.

blog suite 234/234 (+9).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
This commit is contained in:
2026-07-03 10:09:58 +00:00
parent 8e0f06aa28
commit eb54d17df9
2 changed files with 43 additions and 7 deletions

View File

@@ -3531,17 +3531,12 @@
(dream-get "/cinema" host/blog-cinema) (dream-get "/cinema" host/blog-cinema)
(dream-get "/orders" host/blog-orders) (dream-get "/orders" host/blog-orders)
(dream-get "/people" host/blog-people) (dream-get "/people" host/blog-people)
(dream-post "/new-film" host/blog-new-film) ;; customer/voter ops — deliberately PUBLIC; internal service ops — HMAC-gated (H1).
(dream-post "/new-showing" host/blog-new-showing) ;; Admin ops (new-film/new-showing/offering-*/add-poll/new-event) are in write-routes (H2).
(dream-post "/buy-ticket" host/blog-buy-ticket) (dream-post "/buy-ticket" host/blog-buy-ticket)
(dream-post "/offering-add" host/blog-offering-add)
(dream-post "/offering-update" host/blog-offering-update)
(dream-post "/offering-remove" host/blog-offering-remove)
(dream-post "/add-poll" host/blog-add-poll)
(dream-post "/vote" host/blog-vote) (dream-post "/vote" host/blog-vote)
(dream-post "/ticket" (host/blog--protect-internal host/blog-ticket)) (dream-post "/ticket" (host/blog--protect-internal host/blog-ticket))
(dream-post "/person" (host/blog--protect-internal host/blog-person)) (dream-post "/person" (host/blog--protect-internal host/blog-person))
(dream-post "/new-event" host/blog-new-event)
(dream-post "/buy" host/blog-buy) (dream-post "/buy" host/blog-buy)
(dream-post "/order" (host/blog--protect-internal host/blog-order)) (dream-post "/order" (host/blog--protect-internal host/blog-order))
(dream-get "/activities" host/blog-activities) (dream-get "/activities" host/blog-activities)
@@ -3577,6 +3572,14 @@
(list (list
(dream-post "/new" (host/blog--protect-html resolve host/blog-form-submit)) (dream-post "/new" (host/blog--protect-html resolve host/blog-form-submit))
(dream-post "/:slug/allocate" (host/blog--protect-html resolve host/blog-allocate)) (dream-post "/:slug/allocate" (host/blog--protect-html resolve host/blog-allocate))
;; H2: cinema/poll ADMIN ops — auth-gated like every other write.
(dream-post "/new-film" (host/blog--protect-html resolve host/blog-new-film))
(dream-post "/new-showing" (host/blog--protect-html resolve host/blog-new-showing))
(dream-post "/offering-add" (host/blog--protect-html resolve host/blog-offering-add))
(dream-post "/offering-update" (host/blog--protect-html resolve host/blog-offering-update))
(dream-post "/offering-remove" (host/blog--protect-html resolve host/blog-offering-remove))
(dream-post "/add-poll" (host/blog--protect-html resolve host/blog-add-poll))
(dream-post "/new-event" (host/blog--protect-html resolve host/blog-new-event))
(dream-get "/:slug/edit" (host/blog--protect-html resolve host/blog-edit-form)) (dream-get "/:slug/edit" (host/blog--protect-html resolve host/blog-edit-form))
(dream-post "/:slug/edit" (host/blog--protect-html resolve host/blog-edit-submit)) (dream-post "/:slug/edit" (host/blog--protect-html resolve host/blog-edit-submit))
(dream-post "/:slug/blocks/add" (host/blog--protect-html resolve host/blog-block-add-submit)) (dream-post "/:slug/blocks/add" (host/blog--protect-html resolve host/blog-block-add-submit))

View File

@@ -1346,6 +1346,39 @@
(starts-with? (dream-resp-body (host-bl-h1-post "/person?email=b@x.com" false)) "person:") (starts-with? (dream-resp-body (host-bl-h1-post "/person?email=b@x.com" false)) "person:")
true) true)
;; ── HARDENING H2: cinema/poll ADMIN ops require auth; customer ops stay public ────────────
;; new-film / new-showing / offering-* / add-poll / new-event live behind protect-html (like /new);
;; /vote and /buy-ticket remain public (voters + customers).
(host/blog-use-store! (persist/open))
(define host-bl-h2-app
(host/make-app (list (host/blog-write-routes host-bl-resolve) host/blog-routes)))
(define host-bl-h2-loc
(fn (method target auth body)
(or (dream-resp-header
(host-bl-h2-app (host-bl-send method target auth "application/x-www-form-urlencoded" body))
"location") "")))
(host-bl-test "H2: unauth /new-film -> login redirect"
(starts-with? (host-bl-h2-loc "POST" "/new-film" false "title=Sneaky") "/login") true)
(host-bl-test "H2: unauth /new-film creates NO film"
(contains? (host/blog-slugs) "sneaky") false)
(host-bl-test "H2: authed /new-film creates the film"
(begin (host-bl-h2-loc "POST" "/new-film" "Bearer good" "title=Legit Film")
(contains? (host/blog--out-raw "legit-film" "is-a") "film"))
true)
(host-bl-test "H2: unauth /new-showing -> login redirect"
(starts-with? (host-bl-h2-loc "POST" "/new-showing" false "film=legit-film&calendar=c1&time=t") "/login") true)
(host-bl-test "H2: unauth /add-poll -> login redirect"
(starts-with? (host-bl-h2-loc "POST" "/add-poll?post=x" false "question=Q&options=a,b") "/login") true)
(host-bl-test "H2: unauth /offering-add -> login redirect"
(starts-with? (host-bl-h2-loc "POST" "/offering-add?showing=x" false "tickettype=tt&price=1") "/login") true)
(host-bl-test "H2: unauth /new-event -> login redirect"
(starts-with? (host-bl-h2-loc "POST" "/new-event" false "title=E") "/login") true)
(host-bl-test "H2: /vote stays PUBLIC (no login redirect)"
(starts-with? (host-bl-h2-loc "POST" "/vote?poll=p&option=o" false "voter=v@x.com") "/login") false)
(host-bl-test "H2: /buy-ticket stays PUBLIC (no login redirect)"
(starts-with? (host-bl-h2-loc "POST" "/buy-ticket?showing=s&offering=o" false "email=v@x.com") "/login") false)
(define (define
host-bl-tests-run! host-bl-tests-run!
(fn () (fn ()