Checking basic roles for updates

2018-11-16 13:55:28 +01:00 · 2018-11-16 13:55:28 +01:00 · 6fe3cb9bd7
parent e79ece15aa
commit 6fe3cb9bd7
5 changed files with 66 additions and 12 deletions
--- a/Readme.md
+++ b/Readme.md
@ -14,18 +14,15 @@ To regenerate docs simply run `bee generate docs`

 Todo till we can fork this repo

- Not found for endpoints should be Json response
- migrations for company_template
- hardcoded roles
-
-* ~~/register endpoint creates database, company and first admin~~
-* ~~load db connections from config~~
-* ~~user delete needs to update system~~
-* ~~company delete needs to exist and update usercompanymap~~
-* ~~last modified in update for all tables~~
-* checking some roles in all endpoints
-* modifiedby (companyuserid) relation
-* return error in case of not found
+- ~~/register endpoint creates database, company and first admin~~
+- ~~load db connections from config~~
+- ~~user delete needs to update system~~
+- ~~company delete needs to exist and update usercompanymap~~
+- ~~last modified in update for all tables~~
+- ~~modifiedby (companyuserid) relation~~
+- ~~checking some roles in all controller endpoints~~
+- return error in case of not found
+- go through all endpoints for errors

 ## Notes:

--- a/controllers/companyData.go
+++ b/controllers/companyData.go
@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"errors"
+	"multitenantStack/constants"
 	"multitenantStack/models"
 	"strconv"
 	"strings"
@ -37,9 +38,11 @@ func (c *CompanyDataController) Post() {
 			c.Data["json"] = v
 		} else {
 			c.ServeJSONErrorWithError("Error", err)
+			return
 		}
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
@ -57,6 +60,7 @@ func (c *CompanyDataController) GetOne() {
 	v, err := models.GetCompanyDataById(o, id)
 	if err != nil {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	} else {
 		c.Data["json"] = v
 	}
@ -120,6 +124,7 @@ func (c *CompanyDataController) GetAll() {
 	l, err := models.GetAllCompanyData(o, query, fields, sortby, order, offset, limit)
 	if err != nil {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	} else {
 		c.Data["json"] = l
 	}
@ -137,16 +142,24 @@ func (c *CompanyDataController) GetAll() {
 func (c *CompanyDataController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	if currentUser.Role != constants.RoleAdmin {
+		c.ServeJSONError("Only Admins can edit company Data")
+	}
+
 	v := models.CompanyData{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)
 		if err := models.UpdateCompanyDataById(o, &v); err == nil {
 			c.ServeJSONSuccess("Ok")
+			return
 		} else {
 			c.ServeJSONErrorWithError("Error", err)
+			return
 		}
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
@ -163,8 +176,10 @@ func (c *CompanyDataController) Delete() {
 	id, _ := strconv.Atoi(idStr)
 	if err := models.DeleteCompanyData(o, id); err == nil {
 		c.ServeJSONSuccess("Ok")
+		return
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
--- a/controllers/companyUser.go
+++ b/controllers/companyUser.go
@ -187,6 +187,11 @@ func (c *CompanyUserController) GetAll() {
 func (c *CompanyUserController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	if currentUser.Role != constants.RoleAdmin && id != currentUser.Id {
+		c.ServeJSONError("You can only edit your own userdata!")
+	}
+
 	v := models.CompanyUser{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)
--- a/controllers/contact.go
+++ b/controllers/contact.go
@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"errors"
+	"multitenantStack/constants"
 	"multitenantStack/models"
 	"strconv"
 	"strings"
@ -138,16 +139,35 @@ func (c *ContactController) GetAll() {
 func (c *ContactController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	co, err := models.GetContactById(o, id)
+	if err != nil {
+		if err.Error() == "<QuerySeter> no row found" {
+			c.ServeJSONError("Contact does not exist")
+			return
+		}
+		c.ServeJSONError("Error updating Contact")
+		return
+	}
+
+	if currentUser.Role != constants.RoleAdmin && co.ModifiedBy != int64(currentUser.Id) {
+		c.ServeJSONError("You can only edit your own contacts!")
+		return
+	}
+
 	v := models.Contact{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)
 		if err := models.UpdateContactById(o, &v); err == nil {
 			c.ServeJSONSuccess("Ok")
+			return
 		} else {
 			c.ServeJSONErrorWithError("Error", err)
+			return
 		}
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
@ -164,8 +184,10 @@ func (c *ContactController) Delete() {
 	id, _ := strconv.Atoi(idStr)
 	if err := models.DeleteContact(o, id); err == nil {
 		c.ServeJSONSuccess("Ok")
+		return
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
--- a/controllers/post.go
+++ b/controllers/post.go
@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"errors"
+	"multitenantStack/constants"
 	"multitenantStack/models"
 	"strconv"
 	"strings"
@ -147,6 +148,20 @@ func (c *PostController) GetAll() {
 func (c *PostController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	p, err := models.GetPostById(o, id)
+	if err != nil {
+		if err.Error() == "<QuerySeter> no row found" {
+			c.ServeJSONError("Post does not exist")
+			return
+		}
+		c.ServeJSONError("Error updating Post")
+	}
+
+	if currentUser.Role != constants.RoleAdmin && p.ModifiedBy != int64(currentUser.Id) {
+		c.ServeJSONError("You can only edit your own posts!")
+	}
+
 	v := models.Post{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)