From 1bb71872850e565804c2789aa4ab8210d48d64d8 Mon Sep 17 00:00:00 2001
From: konrad
Date: Tue, 12 Jun 2018 18:46:59 +0200
Subject: [PATCH] Added check to only let a user delete his own list

---
 models/error.go              | 21 +++++++++++++++++++++
 models/list_delete.go        |  8 ++++++--
 routes/api/v1/item_delete.go |  2 +-
 routes/api/v1/list_delete.go | 16 +++++++++++++++-
 4 files changed, 43 insertions(+), 4 deletions(-)

diff --git a/models/error.go b/models/error.go
index d46396ee..2cd00232 100644
--- a/models/error.go
+++ b/models/error.go
@@ -143,6 +143,27 @@ func (err ErrListDoesNotExist) Error() string {
 	return fmt.Sprintf("List does not exist [ID: %d]", err.ID)
 }
 
+// ErrNeedToBeListOwner represents an error, where the user is not the owner of that list (used i.e. when deleting a list)
+type ErrNeedToBeListOwner struct {
+	ListID int64
+	UserID int64
+}
+
+// IsErrListDoesNotExist checks if an error is a ErrListDoesNotExist.
+func IsErrNeedToBeListOwner(err error) bool {
+	_, ok := err.(ErrNeedToBeListOwner)
+	return ok
+}
+
+func (err ErrNeedToBeListOwner) Error() string {
+	return fmt.Sprintf("You need to be list owner to do that [ListID: %d, UserID: %d]", err.ListID, err.UserID)
+}
+
+
+// ================
+// List item errors
+// ================
+
 // ErrListItemCannotBeEmpty represents a "ErrListDoesNotExist" kind of error. Used if the list does not exist.
 type ErrListItemCannotBeEmpty struct{}
 
diff --git a/models/list_delete.go b/models/list_delete.go
index 6ab341aa..2664a738 100644
--- a/models/list_delete.go
+++ b/models/list_delete.go
@@ -1,13 +1,17 @@
 package models
 
-func DeleteListByID(listID int64) (err error) {
+func DeleteListByID(listID int64, doer *User) (err error) {
 	// Check if the list exists
-	_, err = GetListByID(listID)
+	list, err := GetListByID(listID)
 	if err != nil {
 		return
 	}
 
+	if list.Owner.ID != doer.ID {
+		return ErrNeedToBeListOwner{ListID:listID, UserID:doer.ID}
+	}
+
 	// Delete the list
 	_, err = x.ID(listID).Delete(&List{})
 	if err != nil {
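Review bot: The doc comment above IsErrNeedToBeListOwner in models/error.go is copied from the helper above it and names the wrong function and type; it should read `// IsErrNeedToBeListOwner checks if an error is a ErrNeedToBeListOwner.` so godoc and linters attach the right text. The exported `Error` method on ErrNeedToBeListOwner has no doc comment at all; `// Error returns the message for a failed list-owner check, including the list and user IDs.` would do. The two consecutive blank lines before the `// List item errors` banner are not gofmt-clean and will be collapsed on the next format run. The ownership error is a plain value and is matched by type assertion, which is consistent with the existing IsErrListDoesNotExist helper, so callers must return it unwrapped as models/list_delete.go does.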
diff --git a/routes/api/v1/item_delete.go b/routes/api/v1/item_delete.go
index f1044c72..2aa8ee73 100644
--- a/routes/api/v1/item_delete.go
+++ b/routes/api/v1/item_delete.go
@@ -16,7 +16,7 @@ func DeleteListItemByIDtemByID(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
 	}
 
-	// Check if the user has the right to delete that list
+	// Check if the user has the right to delete that list item
 	user, err := models.GetCurrentUser(c)
 	if err != nil {
 		return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
diff --git a/routes/api/v1/list_delete.go b/routes/api/v1/list_delete.go
index e44647d0..f2e66e59 100644
--- a/routes/api/v1/list_delete.go
+++ b/routes/api/v1/list_delete.go
@@ -16,10 +16,24 @@ func DeleteListByID(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
 	}
 
-	err = models.DeleteListByID(itemID)
+	// Check if the user has the right to delete that list
+	user, err := models.GetCurrentUser(c)
 	if err != nil {
 		return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
 	}
 
+	err = models.DeleteListByID(itemID, &user)
+	if err != nil {
+		if models.IsErrNeedToBeListOwner(err) {
+			return c.JSON(http.StatusForbidden, models.Message{"You need to be the list owner to delete a list."})
+		}
+
+		if models.IsErrListDoesNotExist(err) {
+			return c.JSON(http.StatusNotFound, models.Message{"This list does not exist."})
+		}
+
+		return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
+	}
+
 	return c.JSON(http.StatusOK, models.Message{"The list was deleted with success."})
 }
\ No newline at end of file
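Review bot: The authorization outcome of this handler depends entirely on `list.Owner.ID` being populated when models.DeleteListByID compares it to `doer.ID` (that hunk, earlier in this patch, ends outside this view), and nothing in the diff shows GetListByID loading the owner; if Owner is left at its zero value the comparison is against 0 rather than the real owner, so the check could reject every caller or, presumably, misbehave for an unexpected ID. A handler-level test that deletes a list as its owner (expect 200), as a different user (expect 403) and for an unknown ID (expect 404) would pin the intended behaviour. The `GetCurrentUser` failure on the new lines is mapped to 500; if that call can fail because no authenticated user is attached to the context, `http.StatusUnauthorized` is the accurate status, unless the route is guaranteed to sit behind the auth middleware, which is not visible here. The surrounding function DeleteListByID starts before this hunk.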