local-it/vikunja-api
0
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Implemented CanUpdate method

Browse source
This commit is contained in:
konrad 2018-07-12 23:07:03 +02:00 committed by kolaente
parent e3b996c383
commit 6fd2a97574
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
10 changed files with 54 additions and 70 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
models/crudable.go
View file

@ -5,6 +5,6 @@ type CRUDable interface {
Create(*User, int64) error Create(*User, int64) error
ReadOne(int64) error ReadOne(int64) error
ReadAll(*User) (interface{}, error) ReadAll(*User) (interface{}, error)
Update(int64, *User) error Update(int64) error
Delete(int64) error Delete(int64) error
} }

14
models/list_create_update.go
View file

@ -20,25 +20,15 @@ func CreateOrUpdateList(list *List) (err error) {
} }
// Update implements the update method of CRUDable // Update implements the update method of CRUDable
func (l *List) Update(id int64, doer *User) (err error) { func (l *List) Update(id int64) (err error) {
l.ID = id l.ID = id
// Check if it exists // Check if it exists
oldList, err := GetListByID(l.ID) _, err = GetListByID(l.ID)
if err != nil { if err != nil {
return return
} }
// Check rights
user, _, err := GetUserByID(doer.ID)
if err != nil {
return
}
if !oldList.IsAdmin(&user) {
return ErrNeedToBeListAdmin{ListID: id, UserID: user.ID}
}
return CreateOrUpdateList(l) return CreateOrUpdateList(l)
} }

7
models/list_items.go
View file

@ -92,10 +92,3 @@ func GetListItemByID(listItemID int64) (listItem ListItem, err error) {
return return
} }
// CanDelete checks if the user can delete an item
func (i *ListItem) CanDelete(doer *User) (bool) {
// A user can delete an item if he has write acces to its list
list, _ := GetListByID(i.ListID)
return list.CanWrite(doer)
}

45
models/list_items_create_update.go
View file

@ -5,30 +5,24 @@ func (i *ListItem) Create(doer *User, lID int64) (err error) {
i.ListID = lID i.ListID = lID
i.ID = 0 i.ID = 0
return createOrUpdateListItem(i, doer, lID) return createOrUpdateListItem(i, doer)
} }
// Update updates a list item // Update updates a list item
func (i *ListItem) Update(ID int64, doer *User) (err error) { func (i *ListItem) Update(ID int64) (err error) {
i.ID = ID i.ID = ID
// Get the full item // Check if the item exists
fullItem, err := GetListItemByID(ID) _, err = GetListItemByID(ID)
if err != nil { if err != nil {
return return
} }
return createOrUpdateListItem(i, doer, fullItem.ListID) return createOrUpdateListItem(i, &User{})
} }
// Helper function for creation or updating of new lists as both methods share most of their logic // Helper function for creation or updating of new lists as both methods share most of their logic
func createOrUpdateListItem(i *ListItem, doer *User, lID int64) (err error) { func createOrUpdateListItem(i *ListItem, doer *User) (err error) {
// Check rights
user, err := listItemPreCheck(i, doer, lID)
if err != nil {
return
}
// Check if we have at least a text // Check if we have at least a text
if i.Text == "" { if i.Text == "" {
@ -39,6 +33,11 @@ func createOrUpdateListItem(i *ListItem, doer *User, lID int64) (err error) {
if i.ID != 0 { if i.ID != 0 {
_, err = x.ID(i.ID).Update(i) _, err = x.ID(i.ID).Update(i)
} else { } else {
user, _, err := GetUserByID(doer.ID)
if err != nil {
return err
}
i.CreatedByID = user.ID i.CreatedByID = user.ID
i.CreatedBy = user i.CreatedBy = user
_, err = x.Insert(i) _, err = x.Insert(i)
@ -46,25 +45,3 @@ func createOrUpdateListItem(i *ListItem, doer *User, lID int64) (err error) {
return return
} }
// This helper function checks if the user has the right to edit a list item.
// It is used in Create/Update/Delete.
func listItemPreCheck(i *ListItem, doer *User, lID int64) (user User, err error) {
// Check rights
user, _, err = GetUserByID(doer.ID)
if err != nil {
return
}
// Get the list to check if the user has the right to write to that list
list, err := GetListByID(lID) // TODO: Get the list with one query by item ID
if err != nil {
return
}
if !list.CanWrite(&user) {
return user, ErrNeedToBeListWriter{ListID: i.ListID, UserID: user.ID}
}
return
}

18
models/list_items_rights.go Normal file
View file

@ -0,0 +1,18 @@
package models
// CanDelete checks if the user can delete an item
func (i *ListItem) CanDelete(doer *User) bool {
// A user can delete an item if he has write acces to its list
list, _ := GetListByID(i.ListID)
return list.CanWrite(doer)
}
// CanUpdate determines if a user has the right to update a list item
func (i *ListItem) CanUpdate(doer *User, id int64) bool {
// Get the item
lI, _ := GetListItemByID(id)
// A user can update an item if he has write acces to its list
list, _ := GetListByID(lI.ListID)
return list.CanWrite(doer)
}

8
models/list_rights.go
View file

@ -81,6 +81,12 @@ func (l *List) CanRead(user *User) bool {
} }
// CanDelete checks if the user can delete a list // CanDelete checks if the user can delete a list
func (l *List) CanDelete(doer *User) (bool) { func (l *List) CanDelete(doer *User) bool {
return l.IsAdmin(doer) return l.IsAdmin(doer)
} }
// CanUpdate checks if the user can update a list
func (l *List) CanUpdate(doer *User, id int64) bool {
list, _ := GetListByID(id)
return list.CanWrite(doer)
}

16
models/namespaces_add_update.go
View file

@ -20,10 +20,10 @@ func (n *Namespace) Create(doer *User, _ int64) (err error) {
} }
// Update implements the update method via the interface // Update implements the update method via the interface
func (n *Namespace) Update(id int64, doer *User) (err error) { func (n *Namespace) Update(id int64) (err error) {
// Check if we have at least a name // Check if we have at least a name
if n.Name == "" { if n.Name == "" {
return ErrNamespaceNameCannotBeEmpty{NamespaceID: id, UserID: doer.ID} return ErrNamespaceNameCannotBeEmpty{NamespaceID: id}
} }
n.ID = id n.ID = id
@ -35,22 +35,12 @@ func (n *Namespace) Update(id int64, doer *User) (err error) {
// Check if the (new) owner exists // Check if the (new) owner exists
if currentNamespace.OwnerID != n.OwnerID { if currentNamespace.OwnerID != n.OwnerID {
n.Owner, _, err = GetUserByID(doer.ID) n.Owner, _, err = GetUserByID(n.OwnerID)
if err != nil { if err != nil {
return return
} }
} }
// Check rights
user, _, err := GetUserByID(doer.ID)
if err != nil {
return
}
if !currentNamespace.IsAdmin(&user) {
return ErrNeedToBeNamespaceAdmin{NamespaceID: id, UserID: doer.ID}
}
// Do the actual update // Do the actual update
_, err = x.ID(currentNamespace.ID).Update(n) _, err = x.ID(currentNamespace.ID).Update(n)
return return

6
models/namespaces_rights.go
View file

@ -81,3 +81,9 @@ func (n *Namespace) CanRead(user *User) bool {
return exists return exists
} }
// CanUpdate checks if the user can update the namespace
func (n *Namespace) CanUpdate(user *User, id int64) bool {
nn, _ := GetNamespaceByID(id)
return nn.IsAdmin(user)
}

1
models/rights.go
View file

@ -6,4 +6,5 @@ type Rights interface {
CanWrite(*User) bool CanWrite(*User) bool
CanRead(*User) bool CanRead(*User) bool
CanDelete(*User) bool CanDelete(*User) bool
CanUpdate(*User, int64) bool
} }

5
routes/crud/update.go
View file

@ -24,9 +24,12 @@ func (c *WebHandler) UpdateWeb(ctx echo.Context) error {
if err != nil { if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.") return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.")
} }
if !c.CObject.CanUpdate(&currentUser, id) {
return echo.NewHTTPError(http.StatusForbidden)
}
// Do the update // Do the update
err = c.CObject.Update(id, &currentUser) err = c.CObject.Update(id)
if err != nil { if err != nil {
if models.IsErrNeedToBeListAdmin(err) { if models.IsErrNeedToBeListAdmin(err) {
return echo.NewHTTPError(http.StatusForbidden, "You need to be list admin to do that.") return echo.NewHTTPError(http.StatusForbidden, "You need to be list admin to do that.")