Improved item deletion rights check

konrad 2018-06-12 18:49:56 +02:00 committed by kolaente
parent 1bb7187285
commit 1b3b2ccb59
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
3 changed files with 20 additions and 1 deletions


@ -192,3 +192,18 @@ func (err ErrListItemDoesNotExist) Error() string {
return fmt.Sprintf("List item does not exist. [ID: %d]", err.ID) return fmt.Sprintf("List item does not exist. [ID: %d]", err.ID)
} }
// ErrNeedToBeItemOwner represents an error, where the user is not the owner of that item (used i.e. when deleting a list)
type ErrNeedToBeItemOwner struct {
ItemID int64
UserID int64
}
// IsErrNeedToBeItemOwner checks if an error is a ErrNeedToBeItemOwner.
func IsErrNeedToBeItemOwner(err error) bool {
_, ok := err.(ErrNeedToBeItemOwner)
return ok
}
func (err ErrNeedToBeItemOwner) Error() string {
return fmt.Sprintf("You need to be item owner to do that [ItemID: %d, UserID: %d]", err.ItemID, err.UserID)
}
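Review bot: The doc comment on ErrNeedToBeItemOwner says it is used "when deleting a list", but the type concerns list items, and "i.e." should be "e.g."; suggested wording: `// ErrNeedToBeItemOwner is returned when a user who did not create a list item tries to act on it (e.g. delete it).` The Error method has no comment, and its text embeds the item and user IDs. If it is meant for logs rather than API responses, `// Error returns a log message; it includes IDs and should not be sent to clients.` would record that. IsErrNeedToBeItemOwner uses a plain type assertion, so it matches only the value type, not a pointer or a wrapped error. That fits the by-value return elsewhere in this commit but deserves a short remark in its comment.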


@ -89,7 +89,7 @@ func DeleteListItemByID(itemID int64, doer *User) (err error) {
// Check if the user hat the right to delete that item // Check if the user hat the right to delete that item
if listitem.CreatedByID != doer.ID { if listitem.CreatedByID != doer.ID {
return return ErrNeedToBeItemOwner{ItemID:itemID, UserID: doer.ID}
} }
_, err = x.ID(itemID).Delete(ListItem{}) _, err = x.ID(itemID).Delete(ListItem{})
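Review bot: The new return literal is not gofmt-clean: `ErrNeedToBeItemOwner{ItemID:itemID, UserID: doer.ID}` should read `ErrNeedToBeItemOwner{ItemID: itemID, UserID: doer.ID}`. The check authorizes on `listitem.CreatedByID` alone, so the comment above it should state the rule, e.g. `// Only the user who created the item may delete it.` `doer` is dereferenced here with no nil check visible in the hunk. DeleteListItemByID starts and ends outside the hunk, so a guard may exist earlier.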


@ -28,6 +28,10 @@ func DeleteListItemByIDtemByID(c echo.Context) error {
return c.JSON(http.StatusNotFound, models.Message{"List item does not exist."}) return c.JSON(http.StatusNotFound, models.Message{"List item does not exist."})
} }
if models.IsErrNeedToBeItemOwner(err) {
return c.JSON(http.StatusForbidden, models.Message{"You need to own the list item in order to be able to delete it."})
}
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."}) return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
} }
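Review bot: With the new branch, a caller who does not own an item gets 403 for an existing ID and 404 for a missing one, so the two responses reveal which item IDs exist. If that is not intended, answer both cases with the existing 404 response; if it is, a short comment above the branch saying the distinction is deliberate would help. The handler also discards the ItemID and UserID carried by the error, so a refused delete leaves no server-side record. Logging those two fields before returning would make refused attempts reviewable later. The handler begins outside the hunk, so any logging or checks done earlier are not visible here.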