local-it/vikunja-api
0
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Added check to only let a user delete his own list

Browse source
This commit is contained in:
konrad 2018-06-12 18:46:59 +02:00 committed by kolaente
parent be18247682
commit 1bb7187285
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
4 changed files with 43 additions and 4 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

21
models/error.go
View file

@ -143,6 +143,27 @@ func (err ErrListDoesNotExist) Error() string {
return fmt.Sprintf("List does not exist [ID: %d]", err.ID) return fmt.Sprintf("List does not exist [ID: %d]", err.ID)
} }
// ErrNeedToBeListOwner represents an error, where the user is not the owner of that list (used i.e. when deleting a list)
type ErrNeedToBeListOwner struct {
ListID int64
UserID int64
}
// IsErrListDoesNotExist checks if an error is a ErrListDoesNotExist.
func IsErrNeedToBeListOwner(err error) bool {
_, ok := err.(ErrNeedToBeListOwner)
return ok
}
func (err ErrNeedToBeListOwner) Error() string {
return fmt.Sprintf("You need to be list owner to do that [ListID: %d, UserID: %d]", err.ListID, err.UserID)
}
// ================
// List item errors
// ================
// ErrListItemCannotBeEmpty represents a "ErrListDoesNotExist" kind of error. Used if the list does not exist. // ErrListItemCannotBeEmpty represents a "ErrListDoesNotExist" kind of error. Used if the list does not exist.
type ErrListItemCannotBeEmpty struct{} type ErrListItemCannotBeEmpty struct{}

8
models/list_delete.go
View file

@ -1,13 +1,17 @@
package models package models
func DeleteListByID(listID int64) (err error) { func DeleteListByID(listID int64, doer *User) (err error) {
// Check if the list exists // Check if the list exists
_, err = GetListByID(listID) list, err := GetListByID(listID)
if err != nil { if err != nil {
return return
} }
if list.Owner.ID != doer.ID {
return ErrNeedToBeListOwner{ListID:listID, UserID:doer.ID}
}
// Delete the list // Delete the list
_, err = x.ID(listID).Delete(&List{}) _, err = x.ID(listID).Delete(&List{})
if err != nil { if err != nil {

2
routes/api/v1/item_delete.go
View file

@ -16,7 +16,7 @@ func DeleteListItemByIDtemByID(c echo.Context) error {
return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."}) return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
} }
// Check if the user has the right to delete that list // Check if the user has the right to delete that list item
user, err := models.GetCurrentUser(c) user, err := models.GetCurrentUser(c)
if err != nil { if err != nil {
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."}) return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})

16
routes/api/v1/list_delete.go
View file

@ -16,10 +16,24 @@ func DeleteListByID(c echo.Context) error {
return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."}) return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
} }
err = models.DeleteListByID(itemID) // Check if the user has the right to delete that list
user, err := models.GetCurrentUser(c)
if err != nil { if err != nil {
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."}) return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
} }
err = models.DeleteListByID(itemID, &user)
if err != nil {
if models.IsErrNeedToBeListOwner(err) {
return c.JSON(http.StatusForbidden, models.Message{"You need to be the list owner to delete a list."})
}
if models.IsErrListDoesNotExist(err) {
return c.JSON(http.StatusNotFound, models.Message{"This list does not exist."})
}
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
}
return c.JSON(http.StatusOK, models.Message{"The list was deleted with success."}) return c.JSON(http.StatusOK, models.Message{"The list was deleted with success."})
} }