From 97e932cbae27ccfbe26187f3d3719e6293ef10c2 Mon Sep 17 00:00:00 2001
From: Mark Veidemanis
Date: Thu, 2 Feb 2023 19:08:10 +0000
Subject: [PATCH] Add more fine-grained permissions to rules
---
 core/lib/rules.py | 15 +++++++++++++++
 core/migrations/0023_alter_perms_options.py | 17 +++++++++++++++++
 core/models.py | 2 ++
 3 files changed, 34 insertions(+)
 create mode 100644 core/migrations/0023_alter_perms_options.py
diff --git a/core/lib/rules.py b/core/lib/rules.py
index 7ad0300..2789033 100644
--- a/core/lib/rules.py
+++ b/core/lib/rules.py
@@ -23,6 +23,7 @@ SECONDS_PER_UNIT = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
 MAX_WINDOW = 2592000
 MAX_AMOUNT_NTFY = 10
 MAX_AMOUNT_WEBHOOK = 1000
+HIGH_FREQUENCY_MIN_SEC = 60
 class RuleParseError(Exception):
@@ -454,6 +455,20 @@ class NotificationRuleData(object):
 service = self.cleaned_data.get("service")
 on_demand = interval == 0
+
+ # Not on demand and interval is too low
+ if not on_demand and interval <= HIGH_FREQUENCY_MIN_SEC:
+ if not self.user.has_perm("core.rules_high_frequency"):
+ raise RuleParseError(
+ "User does not have permission to use high frequency rules", "data"
+ )
+
+ if not on_demand:
+ if not self.user.has_perm("core.rules_scheduled"):
+ raise RuleParseError(
+ "User does not have permission to use scheduled rules", "data"
+ )
+
 if on_demand and window is not None:
 # Interval is on demand and window is specified
 # We can't have a window with on-demand rules
diff --git a/core/migrations/0023_alter_perms_options.py b/core/migrations/0023_alter_perms_options.py
new file mode 100644
index 0000000..bf52357
--- /dev/null
+++ b/core/migrations/0023_alter_perms_options.py
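Review bot: `HIGH_FREQUENCY_MIN_SEC` in core/lib/rules.py reads as a minimum allowed interval, but the check this commit adds further down uses `interval <= HIGH_FREQUENCY_MIN_SEC`, so an interval of exactly 60 seconds is itself treated as high frequency. If that boundary is intended, the constant deserves a comment such as `# Intervals of this many seconds or fewer require core.rules_high_frequency`; if it is not, the comparison should be `<`. Stating the rule next to the constant keeps the permission boundary from being moved by accident.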
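Review bot: The two `has_perm` checks added after `on_demand = interval == 0` in core/lib/rules.py run only while rule data is being validated, so on their own they do not stop a scheduled or high-frequency rule that was saved earlier from continuing to run once its owner lacks `core.rules_scheduled` or `core.rules_high_frequency`. The scheduler is not visible in this patch; if it does not re-check, consider testing the same permissions where rules are dispatched, or disabling affected rules when a permission is removed. Separately, `interval` is read outside this hunk, and if it can be `None` the comparison `interval <= HIGH_FREQUENCY_MIN_SEC` raises `TypeError` rather than `RuleParseError`; a guard such as `if interval is None: raise RuleParseError("Interval must be set", "data")` before the checks would keep the failure in the validation path. The enclosing method starts and ends outside the hunk.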
@@ -0,0 +1,17 @@ +# Generated by Django 4.1.5 on 2023-02-02 19:07 + +from django.db import migrations + + +class Migration(migrations.Migration): + + dependencies = [ + ('core', '0022_notificationrule_send_empty_and_more'), + ] + + operations = [ + migrations.AlterModelOptions( + name='perms', + options={'permissions': (('post_irc', 'Can post to IRC'), ('post_discord', 'Can post to Discord'), ('use_insights', 'Can use the Insights page'), ('use_rules', 'Can use the Rules page'), ('rules_scheduled', 'Can use the scheduled rules'), ('rules_high_frequency', 'Can use the high frequency rules'), ('index_internal', 'Can use the internal index'), ('index_meta', 'Can use the meta index'), ('index_restricted', 'Can use the restricted index'), ('restricted_sources', 'Can access restricted sources'))}, + ), + ]
diff --git a/core/models.py b/core/models.py
index a878437..85a4b54 100644
--- a/core/models.py
+++ b/core/models.py
@@ -165,6 +165,8 @@ class Perms(models.Model):
 ("post_discord", "Can post to Discord"),
 ("use_insights", "Can use the Insights page"),
 ("use_rules", "Can use the Rules page"),
+ ("rules_scheduled", "Can use the scheduled rules"),
+ ("rules_high_frequency", "Can use the high frequency rules"),
 ("index_internal", "Can use the internal index"),
 ("index_meta", "Can use the meta index"),
 ("index_restricted", "Can use the restricted index"),