From a9d78fa4900d5a50bd42a1c706761e29d1697f4a Mon Sep 17 00:00:00 2001
From: Lucy Cifferello <12953208+elvece@users.noreply.github.com>
Date: Mon, 15 Apr 2024 19:20:25 -0400
Subject: [PATCH] move insert auth admin to pkg check
---
 src/Handler/Admin.hs | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/src/Handler/Admin.hs b/src/Handler/Admin.hs
index ec50027..c992e04 100644
--- a/src/Handler/Admin.hs
+++ b/src/Handler/Admin.hs
@@ -162,10 +162,13 @@ postCheckPkgAuthR pkgId = do
 Just name -> do
 if ((length whitelist > 0 && (pkgId `elem` whitelist)) || length whitelist <= 0)
 then do
- (authorized, _) <- checkAdminAllowedPkgs pkgId name
- if authorized
+ (authorized, newPkg) <- checkAdminAllowedPkgs pkgId name
+ if authorized && not newPkg
 then sendResponseText status200 "User authorized to upload this package."
- else sendResponseText status401 "User not authorized to upload this package."
+ else if authorized && newPkg
+ -- if pkg is whitelisted and a new upload, add as authorized for this admin user
+ then runDB $ insert_ (AdminPkgs (AdminKey name) (PkgRecordKey pkgId))
+ else sendResponseText status401 "User not authorized to upload this package."
 else sendResponseText status500 "Package does not belong on this registry."

 postPkgUploadR :: Handler ()
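Review bot: The new `else if authorized && newPkg` branch makes postCheckPkgAuthR write an `AdminPkgs` row, so a request to what reads as a check route now records the caller as authorized for a package ID before anything has been uploaded. If `newPkg` means no admin is recorded for the package yet (checkAdminAllowedPkgs is not shown), any unclaimed ID that passes the whitelist test is bound to whichever admin checks it first, and because the check and the insert appear to run as separate database actions, two concurrent checks could both see the package as new. That branch is also the only visible one that does not call `sendResponseText`; consider `then runDB (insert_ (AdminPkgs (AdminKey name) (PkgRecordKey pkgId))) >> sendResponseText status200 "User authorized to upload this package."` and a comment on the handler stating that it mutates authorization state. The handler's body starts above this hunk.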
@@ -198,15 +201,11 @@ postPkgUploadR = do
 "Impossible: an unauthenticated user has managed to upload a pacakge to this registry."
 pure ()
 Just name -> do
- (authorized, newPkg) <- checkAdminAllowedPkgs packageManifestId name
+ (authorized, _) <- checkAdminAllowedPkgs packageManifestId name
 if authorized
 then do
 now <- liftIO getCurrentTime
 runDB $ insert_ (Upload (AdminKey name) (PkgRecordKey packageManifestId) packageManifestVersion now)
- -- if pkg is whitelisted and a new upload, add as authorized for this admin user
- if (newPkg)
- then runDB $ insert_ (AdminPkgs (AdminKey name) (PkgRecordKey packageManifestId))
- else pure ()
 else sendResponseText status401 "User not authorized to upload this package."
 else sendResponseText status500 "Package does not belong on this registry."
 where
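Review bot: With `newPkg` discarded here, postPkgUploadR records an `Upload` for a new package without writing the matching `AdminPkgs` row unless the client called the check route first. Nothing visible in this handler enforces that order, so a direct upload of an unclaimed package would leave it with no recorded owner and, if checkAdminAllowedPkgs treats unclaimed packages as authorized, still uploadable by any other admin. Keeping the binding next to the upload closes that gap without duplicating rows, since `newPkg` should already be false once the check route has inserted: keep `(authorized, newPkg) <- checkAdminAllowedPkgs packageManifestId name` and, after the `Upload` insert, `if newPkg then runDB $ insert_ (AdminPkgs (AdminKey name) (PkgRecordKey packageManifestId)) else pure ()`. The handler begins above the hunk and continues into the `where` clause below it.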