Added check to only let a user delete his own list

This commit is contained in:
konrad 2018-06-12 18:46:59 +02:00 committed by kolaente
parent be18247682
commit 1bb7187285
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
4 changed files with 43 additions and 4 deletions

View file

@ -143,6 +143,27 @@ func (err ErrListDoesNotExist) Error() string {
return fmt.Sprintf("List does not exist [ID: %d]", err.ID)
}
// ErrNeedToBeListOwner represents an error, where the user is not the owner of that list (used i.e. when deleting a list)
type ErrNeedToBeListOwner struct {
ListID int64
UserID int64
}
// IsErrListDoesNotExist checks if an error is a ErrListDoesNotExist.
func IsErrNeedToBeListOwner(err error) bool {
_, ok := err.(ErrNeedToBeListOwner)
return ok
}
func (err ErrNeedToBeListOwner) Error() string {
return fmt.Sprintf("You need to be list owner to do that [ListID: %d, UserID: %d]", err.ListID, err.UserID)
}
// ================
// List item errors
// ================
// ErrListItemCannotBeEmpty represents a "ErrListDoesNotExist" kind of error. Used if the list does not exist.
type ErrListItemCannotBeEmpty struct{}

View file

@ -1,13 +1,17 @@
package models
func DeleteListByID(listID int64) (err error) {
func DeleteListByID(listID int64, doer *User) (err error) {
// Check if the list exists
_, err = GetListByID(listID)
list, err := GetListByID(listID)
if err != nil {
return
}
if list.Owner.ID != doer.ID {
return ErrNeedToBeListOwner{ListID:listID, UserID:doer.ID}
}
// Delete the list
_, err = x.ID(listID).Delete(&List{})
if err != nil {

View file

@ -16,7 +16,7 @@ func DeleteListItemByIDtemByID(c echo.Context) error {
return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
}
// Check if the user has the right to delete that list
// Check if the user has the right to delete that list item
user, err := models.GetCurrentUser(c)
if err != nil {
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})

View file

@ -16,10 +16,24 @@ func DeleteListByID(c echo.Context) error {
return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
}
err = models.DeleteListByID(itemID)
// Check if the user has the right to delete that list
user, err := models.GetCurrentUser(c)
if err != nil {
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
}
err = models.DeleteListByID(itemID, &user)
if err != nil {
if models.IsErrNeedToBeListOwner(err) {
return c.JSON(http.StatusForbidden, models.Message{"You need to be the list owner to delete a list."})
}
if models.IsErrListDoesNotExist(err) {
return c.JSON(http.StatusNotFound, models.Message{"This list does not exist."})
}
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
}
return c.JSON(http.StatusOK, models.Message{"The list was deleted with success."})
}