Checking basic roles for updates

This commit is contained in:
Lukas Bachschwell 2018-11-16 13:55:28 +01:00
parent e79ece15aa
commit 6fe3cb9bd7
5 changed files with 66 additions and 12 deletions


@ -14,18 +14,15 @@ To regenerate docs simply run `bee generate docs`
Todo till we can fork this repo Todo till we can fork this repo
- Not found for endpoints should be Json response - ~~/register endpoint creates database, company and first admin~~
- migrations for company_template - ~~load db connections from config~~
- hardcoded roles - ~~user delete needs to update system~~
- ~~company delete needs to exist and update usercompanymap~~
* ~~/register endpoint creates database, company and first admin~~ - ~~last modified in update for all tables~~
* ~~load db connections from config~~ - ~~modifiedby (companyuserid) relation~~
* ~~user delete needs to update system~~ - ~~checking some roles in all controller endpoints~~
* ~~company delete needs to exist and update usercompanymap~~ - return error in case of not found
* ~~last modified in update for all tables~~ - go through all endpoints for errors
* checking some roles in all endpoints
* modifiedby (companyuserid) relation
* return error in case of not found
## Notes: ## Notes:


@ -3,6 +3,7 @@ package controllers
import ( import (
"encoding/json" "encoding/json"
"errors" "errors"
"multitenantStack/constants"
"multitenantStack/models" "multitenantStack/models"
"strconv" "strconv"
"strings" "strings"
@ -37,9 +38,11 @@ func (c *CompanyDataController) Post() {
c.Data["json"] = v c.Data["json"] = v
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
c.ServeJSON() c.ServeJSON()
} }
@ -57,6 +60,7 @@ func (c *CompanyDataController) GetOne() {
v, err := models.GetCompanyDataById(o, id) v, err := models.GetCompanyDataById(o, id)
if err != nil { if err != nil {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} else { } else {
c.Data["json"] = v c.Data["json"] = v
} }
@ -120,6 +124,7 @@ func (c *CompanyDataController) GetAll() {
l, err := models.GetAllCompanyData(o, query, fields, sortby, order, offset, limit) l, err := models.GetAllCompanyData(o, query, fields, sortby, order, offset, limit)
if err != nil { if err != nil {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} else { } else {
c.Data["json"] = l c.Data["json"] = l
} }
@ -137,16 +142,24 @@ func (c *CompanyDataController) GetAll() {
func (c *CompanyDataController) Put() { func (c *CompanyDataController) Put() {
idStr := c.Ctx.Input.Param(":id") idStr := c.Ctx.Input.Param(":id")
id, _ := strconv.Atoi(idStr) id, _ := strconv.Atoi(idStr)
if currentUser.Role != constants.RoleAdmin {
c.ServeJSONError("Only Admins can edit company Data")
}
v := models.CompanyData{Id: id} v := models.CompanyData{Id: id}
if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil { if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
v.ModifiedBy = int64(currentUser.Id) v.ModifiedBy = int64(currentUser.Id)
if err := models.UpdateCompanyDataById(o, &v); err == nil { if err := models.UpdateCompanyDataById(o, &v); err == nil {
c.ServeJSONSuccess("Ok") c.ServeJSONSuccess("Ok")
return
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
c.ServeJSON() c.ServeJSON()
} }
@ -163,8 +176,10 @@ func (c *CompanyDataController) Delete() {
id, _ := strconv.Atoi(idStr) id, _ := strconv.Atoi(idStr)
if err := models.DeleteCompanyData(o, id); err == nil { if err := models.DeleteCompanyData(o, id); err == nil {
c.ServeJSONSuccess("Ok") c.ServeJSONSuccess("Ok")
return
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
c.ServeJSON() c.ServeJSON()
} }
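Review bot: The admin check added at the top of CompanyDataController.Put serves an error but does not stop the handler, so a non-admin caller still reaches json.Unmarshal and models.UpdateCompanyDataById and the update is applied, after which ServeJSONSuccess writes a second response on top of the error one. The guard needs a `return` directly after `c.ServeJSONError("Only Admins can edit company Data")`, matching the returns this same commit adds to the other branches of the function. The same missing `return` is in the new ownership check in CompanyUserController.Put and in both new checks in PostController.Put, where the "Error updating Post" branch additionally falls through to `p.ModifiedBy` on a value the failed lookup may not have populated.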


@ -187,6 +187,11 @@ func (c *CompanyUserController) GetAll() {
func (c *CompanyUserController) Put() { func (c *CompanyUserController) Put() {
idStr := c.Ctx.Input.Param(":id") idStr := c.Ctx.Input.Param(":id")
id, _ := strconv.Atoi(idStr) id, _ := strconv.Atoi(idStr)
if currentUser.Role != constants.RoleAdmin && id != currentUser.Id {
c.ServeJSONError("You can only edit your own userdata!")
}
v := models.CompanyUser{Id: id} v := models.CompanyUser{Id: id}
if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil { if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
v.ModifiedBy = int64(currentUser.Id) v.ModifiedBy = int64(currentUser.Id)


@ -3,6 +3,7 @@ package controllers
import ( import (
"encoding/json" "encoding/json"
"errors" "errors"
"multitenantStack/constants"
"multitenantStack/models" "multitenantStack/models"
"strconv" "strconv"
"strings" "strings"
@ -138,16 +139,35 @@ func (c *ContactController) GetAll() {
func (c *ContactController) Put() { func (c *ContactController) Put() {
idStr := c.Ctx.Input.Param(":id") idStr := c.Ctx.Input.Param(":id")
id, _ := strconv.Atoi(idStr) id, _ := strconv.Atoi(idStr)
co, err := models.GetContactById(o, id)
if err != nil {
if err.Error() == "<QuerySeter> no row found" {
c.ServeJSONError("Contact does not exist")
return
}
c.ServeJSONError("Error updating Contact")
return
}
if currentUser.Role != constants.RoleAdmin && co.ModifiedBy != int64(currentUser.Id) {
c.ServeJSONError("You can only edit your own contacts!")
return
}
v := models.Contact{Id: id} v := models.Contact{Id: id}
if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil { if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
v.ModifiedBy = int64(currentUser.Id) v.ModifiedBy = int64(currentUser.Id)
if err := models.UpdateContactById(o, &v); err == nil { if err := models.UpdateContactById(o, &v); err == nil {
c.ServeJSONSuccess("Ok") c.ServeJSONSuccess("Ok")
return
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
c.ServeJSON() c.ServeJSON()
} }
@ -164,8 +184,10 @@ func (c *ContactController) Delete() {
id, _ := strconv.Atoi(idStr) id, _ := strconv.Atoi(idStr)
if err := models.DeleteContact(o, id); err == nil { if err := models.DeleteContact(o, id); err == nil {
c.ServeJSONSuccess("Ok") c.ServeJSONSuccess("Ok")
return
} else { } else {
c.ServeJSONErrorWithError("Error", err) c.ServeJSONErrorWithError("Error", err)
return
} }
c.ServeJSON() c.ServeJSON()
} }
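Review bot: The ownership test in ContactController.Put, `co.ModifiedBy != int64(currentUser.Id)`, gates on the last modifier rather than an owner: once an admin updates a contact, `v.ModifiedBy` is overwritten with the admin's id a few lines later and the original user can no longer edit it. If ownership is the intent, the model needs a creator field that the update path does not rewrite; otherwise a comment such as `// "own" means last-modified-by, not creator` should record the choice. The not-found case is also detected by string comparison, `err.Error() == "<QuerySeter> no row found"`, which breaks silently if the ORM changes its message; if the beego orm package is in scope in this file, `errors.Is(err, orm.ErrNoRows)` is the stable check, and the same comparison appears in PostController.Put.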


@ -3,6 +3,7 @@ package controllers
import ( import (
"encoding/json" "encoding/json"
"errors" "errors"
"multitenantStack/constants"
"multitenantStack/models" "multitenantStack/models"
"strconv" "strconv"
"strings" "strings"
@ -147,6 +148,20 @@ func (c *PostController) GetAll() {
func (c *PostController) Put() { func (c *PostController) Put() {
idStr := c.Ctx.Input.Param(":id") idStr := c.Ctx.Input.Param(":id")
id, _ := strconv.Atoi(idStr) id, _ := strconv.Atoi(idStr)
p, err := models.GetPostById(o, id)
if err != nil {
if err.Error() == "<QuerySeter> no row found" {
c.ServeJSONError("Post does not exist")
return
}
c.ServeJSONError("Error updating Post")
}
if currentUser.Role != constants.RoleAdmin && p.ModifiedBy != int64(currentUser.Id) {
c.ServeJSONError("You can only edit your own posts!")
}
v := models.Post{Id: id} v := models.Post{Id: id}
if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil { if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
v.ModifiedBy = int64(currentUser.Id) v.ModifiedBy = int64(currentUser.Id)