Implemented CanUpdate method

This commit is contained in:
konrad 2018-07-12 23:07:03 +02:00 committed by kolaente
parent e3b996c383
commit 6fd2a97574
No known key found for this signature in database
GPG key ID: F40E70337AB24C9B
10 changed files with 54 additions and 70 deletions


@ -5,6 +5,6 @@ type CRUDable interface {
Create(*User, int64) error
ReadOne(int64) error
ReadAll(*User) (interface{}, error)
Update(int64, *User) error
Update(int64) error
Delete(int64) error
}
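Review bot: The CRUDable interface no longer tells an implementation who is performing the update, so the authorization check has to happen before `Update(int64) error` is called, and nothing on the interface says so. I would put that contract next to the method: `// Update persists the object with the given id. It performs no permission check; callers must verify Rights.CanUpdate first.` Without it a future caller of Update from a non-web path has no hint that the rights check was moved out.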


@ -20,25 +20,15 @@ func CreateOrUpdateList(list *List) (err error) {
}
// Update implements the update method of CRUDable
func (l *List) Update(id int64, doer *User) (err error) {
func (l *List) Update(id int64) (err error) {
l.ID = id
// Check if it exists
oldList, err := GetListByID(l.ID)
_, err = GetListByID(l.ID)
if err != nil {
return
}
// Check rights
user, _, err := GetUserByID(doer.ID)
if err != nil {
return
}
if !oldList.IsAdmin(&user) {
return ErrNeedToBeListAdmin{ListID: id, UserID: user.ID}
}
return CreateOrUpdateList(l)
}
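Review bot: List.Update now performs an existence check only and trusts its caller for authorization, but the comment `// Update implements the update method of CRUDable` does not say that, and `_, err = GetListByID(l.ID)` discards the stored list so no check on it is possible here anymore. I would extend the comment to `// Update implements the update method of CRUDable. It does not check permissions; CanUpdate must be called first.` The same remark applies to ListItem.Update and Namespace.Update in this commit, which drop their rights checks in the same way.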


@ -92,10 +92,3 @@ func GetListItemByID(listItemID int64) (listItem ListItem, err error) {
return
}
// CanDelete checks if the user can delete an item
func (i *ListItem) CanDelete(doer *User) (bool) {
// A user can delete an item if he has write acces to its list
list, _ := GetListByID(i.ListID)
return list.CanWrite(doer)
}


@ -5,30 +5,24 @@ func (i *ListItem) Create(doer *User, lID int64) (err error) {
i.ListID = lID
i.ID = 0
return createOrUpdateListItem(i, doer, lID)
return createOrUpdateListItem(i, doer)
}
// Update updates a list item
func (i *ListItem) Update(ID int64, doer *User) (err error) {
func (i *ListItem) Update(ID int64) (err error) {
i.ID = ID
// Get the full item
fullItem, err := GetListItemByID(ID)
// Check if the item exists
_, err = GetListItemByID(ID)
if err != nil {
return
}
return createOrUpdateListItem(i, doer, fullItem.ListID)
return createOrUpdateListItem(i, &User{})
}
// Helper function for creation or updating of new lists as both methods share most of their logic
func createOrUpdateListItem(i *ListItem, doer *User, lID int64) (err error) {
// Check rights
user, err := listItemPreCheck(i, doer, lID)
if err != nil {
return
}
func createOrUpdateListItem(i *ListItem, doer *User) (err error) {
// Check if we have at least a text
if i.Text == "" {
@ -39,6 +33,11 @@ func createOrUpdateListItem(i *ListItem, doer *User, lID int64) (err error) {
if i.ID != 0 {
_, err = x.ID(i.ID).Update(i)
} else {
user, _, err := GetUserByID(doer.ID)
if err != nil {
return err
}
i.CreatedByID = user.ID
i.CreatedBy = user
_, err = x.Insert(i)
@ -46,25 +45,3 @@ func createOrUpdateListItem(i *ListItem, doer *User, lID int64) (err error) {
return
}
// This helper function checks if the user has the right to edit a list item.
// It is used in Create/Update/Delete.
func listItemPreCheck(i *ListItem, doer *User, lID int64) (user User, err error) {
// Check rights
user, _, err = GetUserByID(doer.ID)
if err != nil {
return
}
// Get the list to check if the user has the right to write to that list
list, err := GetListByID(lID) // TODO: Get the list with one query by item ID
if err != nil {
return
}
if !list.CanWrite(&user) {
return user, ErrNeedToBeListWriter{ListID: i.ListID, UserID: user.ID}
}
return
}
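Review bot: ListItem.Update persists whatever ListID is set on `i`, while the new ListItem.CanUpdate only checks write access on the list of the item as stored; if ListID is bound from the request (not visible here), an update could move an item into a list the check never covered. The replaced line `fullItem, err := GetListItemByID(ID)` had the stored value available — I would keep it and copy it back, `fullItem, err := GetListItemByID(ID)` followed by `i.ListID = fullItem.ListID` after the error check, or alternatively require CanWrite on the target list when ListID differs. The body of createOrUpdateListItem is split across hunks here, so the part between the two hunks was not reviewed.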


@ -0,0 +1,18 @@
package models
// CanDelete checks if the user can delete an item
func (i *ListItem) CanDelete(doer *User) bool {
// A user can delete an item if he has write acces to its list
list, _ := GetListByID(i.ListID)
return list.CanWrite(doer)
}
// CanUpdate determines if a user has the right to update a list item
func (i *ListItem) CanUpdate(doer *User, id int64) bool {
// Get the item
lI, _ := GetListItemByID(id)
// A user can update an item if he has write acces to its list
list, _ := GetListByID(lI.ListID)
return list.CanWrite(doer)
}
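Review bot: Both lookups in CanUpdate discard their error (`lI, _ := GetListItemByID(id)` and `list, _ := GetListByID(lI.ListID)`), so on a missing item or list a zero-value List reaches `list.CanWrite(doer)` and the answer depends on how CanWrite treats a zero List rather than on an explicit decision; a permission predicate should fail closed. CanDelete above has the same pattern, as do List.CanUpdate and Namespace.CanUpdate in this commit. I would check both errors and return false:
```go
func (i *ListItem) CanUpdate(doer *User, id int64) bool {
	// A lookup failure must not be read as permission.
	lI, err := GetListItemByID(id)
	if err != nil {
		return false
	}
	// A user can update an item if he has write access to its list
	list, err := GetListByID(lI.ListID)
	if err != nil {
		return false
	}
	return list.CanWrite(doer)
}
```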


@ -81,6 +81,12 @@ func (l *List) CanRead(user *User) bool {
}
// CanDelete checks if the user can delete a list
func (l *List) CanDelete(doer *User) (bool) {
func (l *List) CanDelete(doer *User) bool {
return l.IsAdmin(doer)
}
// CanUpdate checks if the user can update a list
func (l *List) CanUpdate(doer *User, id int64) bool {
list, _ := GetListByID(id)
return list.CanWrite(doer)
}
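Review bot: List.CanUpdate answers with `list.CanWrite(doer)`, but the check it replaces in List.Update required `IsAdmin` and returned ErrNeedToBeListAdmin, so this commit quietly lowers the bar for editing a list from admin to writer while CanDelete right above still requires admin. If that is not intended the line should read `return list.IsAdmin(doer)`; if it is intended, the comment `// CanUpdate checks if the user can update a list` should say that write access is enough. The discarded error from `GetListByID(id)` should also be turned into a `return false`, as noted on ListItem.CanUpdate.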


@ -20,10 +20,10 @@ func (n *Namespace) Create(doer *User, _ int64) (err error) {
}
// Update implements the update method via the interface
func (n *Namespace) Update(id int64, doer *User) (err error) {
func (n *Namespace) Update(id int64) (err error) {
// Check if we have at least a name
if n.Name == "" {
return ErrNamespaceNameCannotBeEmpty{NamespaceID: id, UserID: doer.ID}
return ErrNamespaceNameCannotBeEmpty{NamespaceID: id}
}
n.ID = id
@ -35,22 +35,12 @@ func (n *Namespace) Update(id int64, doer *User) (err error) {
// Check if the (new) owner exists
if currentNamespace.OwnerID != n.OwnerID {
n.Owner, _, err = GetUserByID(doer.ID)
n.Owner, _, err = GetUserByID(n.OwnerID)
if err != nil {
return
}
}
// Check rights
user, _, err := GetUserByID(doer.ID)
if err != nil {
return
}
if !currentNamespace.IsAdmin(&user) {
return ErrNeedToBeNamespaceAdmin{NamespaceID: id, UserID: doer.ID}
}
// Do the actual update
_, err = x.ID(currentNamespace.ID).Update(n)
return
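Review bot: With `n.Owner, _, err = GetUserByID(n.OwnerID)` the new owner now comes from the value set on `n` instead of the doer, and the comparison `if currentNamespace.OwnerID != n.OwnerID` treats an unset OwnerID (zero value) as an ownership change, which would then try to load user 0; whether the binding leaves it zero is not visible here. I would guard it with `if n.OwnerID == 0 { n.OwnerID = currentNamespace.OwnerID }` before the comparison so an update that does not mention the owner keeps the current one. Namespace.Update starts before the first hunk and ends after the second, so the lines in between were not reviewed.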


@ -81,3 +81,9 @@ func (n *Namespace) CanRead(user *User) bool {
return exists
}
// CanUpdate checks if the user can update the namespace
func (n *Namespace) CanUpdate(user *User, id int64) bool {
nn, _ := GetNamespaceByID(id)
return nn.IsAdmin(user)
}
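Review bot: The parameter is named `user` here while the other CanUpdate implementations in this commit (List, ListItem) and CanDelete call it `doer`; since all of them implement the same Rights method, `func (n *Namespace) CanUpdate(doer *User, id int64) bool` would keep the naming consistent. The discarded error from `GetNamespaceByID(id)` is the same fail-open issue noted on ListItem.CanUpdate.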


@ -6,4 +6,5 @@ type Rights interface {
CanWrite(*User) bool
CanRead(*User) bool
CanDelete(*User) bool
CanUpdate(*User, int64) bool
}
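Review bot: The new `CanUpdate(*User, int64) bool` takes the object id while `CanDelete(*User) bool` directly above does not, so implementers have to load the object in one method and rely on receiver state in the other; the interface gives no hint which convention is intended. A short doc comment on the method would settle it: `// CanUpdate reports whether the user may update the object with the given id; it must fail closed when the object cannot be loaded.`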


@ -24,9 +24,12 @@ func (c *WebHandler) UpdateWeb(ctx echo.Context) error {
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.")
}
if !c.CObject.CanUpdate(&currentUser, id) {
return echo.NewHTTPError(http.StatusForbidden)
}
// Do the update
err = c.CObject.Update(id, &currentUser)
err = c.CObject.Update(id)
if err != nil {
if models.IsErrNeedToBeListAdmin(err) {
return echo.NewHTTPError(http.StatusForbidden, "You need to be list admin to do that.")
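Review bot: The `models.IsErrNeedToBeListAdmin(err)` branch after the update looks unreachable for lists now, because List.Update in this commit no longer performs the admin check that produced that error; the 403 for lists comes only from the new CanUpdate guard, so the branch and its message are leftovers unless another Update still returns it. The guard itself returns `echo.NewHTTPError(http.StatusForbidden)` without a message while the branch below carries one; a constant message such as `"You are not allowed to update this."` would keep responses consistent. UpdateWeb continues outside the hunk, so the rest of the error mapping was not reviewed.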