From 6fe3cb9bd7cbcdae0f3e7b5d64ac746565f20ac9 Mon Sep 17 00:00:00 2001
From: Lukas Bachschwell
Date: Fri, 16 Nov 2018 13:55:28 +0100
Subject: [PATCH] Checking basic roles for updates

---
 Readme.md | 21 +++++++++------------
 controllers/companyData.go | 15 +++++++++++++++
 controllers/companyUser.go | 5 +++++
 controllers/contact.go | 22 ++++++++++++++++++++++
 controllers/post.go | 15 +++++++++++++++
 5 files changed, 66 insertions(+), 12 deletions(-)

diff --git a/Readme.md b/Readme.md
index bd4b3fb..2d1ca01 100644
--- a/Readme.md
+++ b/Readme.md
@@ -14,18 +14,15 @@ To regenerate docs simply run `bee generate docs` Todo till we can fork this repo -- Not found for endpoints should be Json response -- migrations for company_template -- hardcoded roles - -* ~~/register endpoint creates database, company and first admin~~ -* ~~load db connections from config~~ -* ~~user delete needs to update system~~ -* ~~company delete needs to exist and update usercompanymap~~ -* ~~last modified in update for all tables~~ -* checking some roles in all endpoints -* modifiedby (companyuserid) relation -* return error in case of not found +- ~~/register endpoint creates database, company and first admin~~ +- ~~load db connections from config~~ +- ~~user delete needs to update system~~ +- ~~company delete needs to exist and update usercompanymap~~ +- ~~last modified in update for all tables~~ +- ~~modifiedby (companyuserid) relation~~ +- ~~checking some roles in all controller endpoints~~ +- return error in case of not found +- go through all endpoints for errors ## Notes:
diff --git a/controllers/companyData.go b/controllers/companyData.go
index b146cda..bea8571 100644
--- a/controllers/companyData.go
+++ b/controllers/companyData.go
@@ -3,6 +3,7 @@ package controllers
 import (
 "encoding/json"
 "errors"
+ "multitenantStack/constants"
 "multitenantStack/models"
 "strconv"
 "strings"
@@ -37,9 +38,11 @@ func (c *CompanyDataController) Post() {
 c.Data["json"] = v
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 c.ServeJSON()
 }
@@ -57,6 +60,7 @@ func (c *CompanyDataController) GetOne() {
 v, err := models.GetCompanyDataById(o, id)
 if err != nil {
 c.ServeJSONErrorWithError("Error", err)
+ return
 } else {
 c.Data["json"] = v
 }
@@ -120,6 +124,7 @@ func (c *CompanyDataController) GetAll() {
 l, err := models.GetAllCompanyData(o, query, fields, sortby, order, offset, limit)
 if err != nil {
 c.ServeJSONErrorWithError("Error", err)
+ return
 } else {
 c.Data["json"] = l
 }
@@ -137,16 +142,24 @@ func (c *CompanyDataController) GetAll() {
 func (c *CompanyDataController) Put() {
 idStr := c.Ctx.Input.Param(":id")
 id, _ := strconv.Atoi(idStr)
+
+ if currentUser.Role != constants.RoleAdmin {
+ c.ServeJSONError("Only Admins can edit company Data")
+ }
+
 v := models.CompanyData{Id: id}
 if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 v.ModifiedBy = int64(currentUser.Id)
 if err := models.UpdateCompanyDataById(o, &v); err == nil {
 c.ServeJSONSuccess("Ok")
+ return
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 c.ServeJSON()
 }
@@ -163,8 +176,10 @@ func (c *CompanyDataController) Delete() {
 id, _ := strconv.Atoi(idStr)
 if err := models.DeleteCompanyData(o, id); err == nil {
 c.ServeJSONSuccess("Ok")
+ return
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 c.ServeJSON()
 }
diff --git a/controllers/companyUser.go b/controllers/companyUser.go
index 65e6a4a..200718c 100644
--- a/controllers/companyUser.go
+++ b/controllers/companyUser.go
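Review bot: The admin check added at the top of CompanyDataController.Put sends `c.ServeJSONError("Only Admins can edit company Data")` but does not `return`, so a non-admin receives the error body while the handler still unmarshals the request and calls `models.UpdateCompanyDataById` — the guard rejects nothing. Add `return` inside that `if`, as the contact.go Put hunk in this commit does; the same omission is in the companyUser.go Put hunk and in the ownership check of the post.go Put hunk. Delete on this controller, in the last hunk of the file, gets no role check at all; if company data is admin-only to edit, deleting it presumably needs the same guard — confirm. The `return`-then-`else` shape introduced in the GetOne and GetAll hunks also leaves a redundant `else`; dropping it keeps the happy path unindented.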
@@ -187,6 +187,11 @@ func (c *CompanyUserController) GetAll() {
 func (c *CompanyUserController) Put() {
 idStr := c.Ctx.Input.Param(":id")
 id, _ := strconv.Atoi(idStr)
+
+ if currentUser.Role != constants.RoleAdmin && id != currentUser.Id {
+ c.ServeJSONError("You can only edit your own userdata!")
+ }
+
 v := models.CompanyUser{Id: id}
 if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 v.ModifiedBy = int64(currentUser.Id)
diff --git a/controllers/contact.go b/controllers/contact.go
index 209c784..3e61b02 100644
--- a/controllers/contact.go
+++ b/controllers/contact.go
@@ -3,6 +3,7 @@ package controllers
 import (
 "encoding/json"
 "errors"
+ "multitenantStack/constants"
 "multitenantStack/models"
 "strconv"
 "strings"
@@ -138,16 +139,35 @@ func (c *ContactController) GetAll() {
 func (c *ContactController) Put() {
 idStr := c.Ctx.Input.Param(":id")
 id, _ := strconv.Atoi(idStr)
+
+ co, err := models.GetContactById(o, id)
+ if err != nil {
+ if err.Error() == " no row found" {
+ c.ServeJSONError("Contact does not exist")
+ return
+ }
+ c.ServeJSONError("Error updating Contact")
+ return
+ }
+
+ if currentUser.Role != constants.RoleAdmin && co.ModifiedBy != int64(currentUser.Id) {
+ c.ServeJSONError("You can only edit your own contacts!")
+ return
+ }
+
 v := models.Contact{Id: id}
 if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 v.ModifiedBy = int64(currentUser.Id)
 if err := models.UpdateContactById(o, &v); err == nil {
 c.ServeJSONSuccess("Ok")
+ return
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 c.ServeJSON()
 }
@@ -164,8 +184,10 @@ func (c *ContactController) Delete() {
 id, _ := strconv.Atoi(idStr)
 if err := models.DeleteContact(o, id); err == nil {
 c.ServeJSONSuccess("Ok")
+ return
 } else {
 c.ServeJSONErrorWithError("Error", err)
+ return
 }
 c.ServeJSON()
 }
diff --git a/controllers/post.go b/controllers/post.go
index 7086d7e..0a63aa8 100644
--- a/controllers/post.go
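Review bot: In CompanyUserController.Put the new check lets a non-admin through only for their own id, but the body is then decoded wholesale into `models.CompanyUser`; if that struct carries the Role field that `currentUser.Role` is read from (not visible in this hunk — confirm against the model), a self-edit can raise the caller's own role through this endpoint. For non-admins, load the stored user and copy its Role back into `v` after `json.Unmarshal` (or reject a body whose role differs), so that only admins can change roles. The companyUser.go hunk does not add the `multitenantStack/constants` import that the other three files add in this commit; presumably it was already imported there, otherwise this will not compile. The hunk ends at `v.ModifiedBy = ...`; the rest of Put is outside it.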
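Review bot: `err.Error() == " no row found"` in ContactController.Put recognises the not-found case by message text, leading space included, which breaks on any rewording and, if models passes the ORM error through unchanged as bee-generated code does, may never match (beego's `orm.ErrNoRows` message has a prefix before "no row found"); compare with `errors.Is(err, orm.ErrNoRows)` or with whatever sentinel models exports instead. Ownership is decided by `co.ModifiedBy`, i.e. the last editor, so once an admin edits a contact its original owner can no longer update it — if the model has a creator/owner field, that is the one to compare. `v := models.Contact{Id: id}` is then filled by `json.Unmarshal` from the body; if the Id field is decoded (depends on its json tag, not visible here), a body carrying another id would update a record the check above never inspected — set `v.Id = id` after the unmarshal. The same three points apply to the post.go Put hunk.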
+++ b/controllers/post.go
@@ -3,6 +3,7 @@ package controllers
 import (
 "encoding/json"
 "errors"
+ "multitenantStack/constants"
 "multitenantStack/models"
 "strconv"
 "strings"
@@ -147,6 +148,20 @@ func (c *PostController) GetAll() {
 func (c *PostController) Put() {
 idStr := c.Ctx.Input.Param(":id")
 id, _ := strconv.Atoi(idStr)
+
+ p, err := models.GetPostById(o, id)
+ if err != nil {
+ if err.Error() == " no row found" {
+ c.ServeJSONError("Post does not exist")
+ return
+ }
+ c.ServeJSONError("Error updating Post")
+ }
+
+ if currentUser.Role != constants.RoleAdmin && p.ModifiedBy != int64(currentUser.Id) {
+ c.ServeJSONError("You can only edit your own posts!")
+ }
+
 v := models.Post{Id: id}
 if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 v.ModifiedBy = int64(currentUser.Id)
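Review bot: In PostController.Put the branch for a lookup error other than not-found sends `c.ServeJSONError("Error updating Post")` but does not `return`, so execution reaches `p.ModifiedBy` with `p` coming from a failed `models.GetPostById` — a nil dereference if that function returns a pointer, and in any case the update proceeds after an error response has already been written. The contact.go Put hunk in this commit returns at the same point; make this one match: `c.ServeJSONError("Error updating Post"); return`. The hunk ends at `v.ModifiedBy = ...`; the rest of Put is outside it.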