Checking basic roles for updates

Readme.md

@@ -14,18 +14,15 @@ To regenerate docs simply run `bee generate docs`
 
 Todo till we can fork this repo
 
-- Not found for endpoints should be Json response
+- ~~/register endpoint creates database, company and first admin~~
-- migrations for company_template
+- ~~load db connections from config~~
-- hardcoded roles
+- ~~user delete needs to update system~~
-
+- ~~company delete needs to exist and update usercompanymap~~
-* ~~/register endpoint creates database, company and first admin~~
+- ~~last modified in update for all tables~~
-* ~~load db connections from config~~
+- ~~modifiedby (companyuserid) relation~~
-* ~~user delete needs to update system~~
+- ~~checking some roles in all controller endpoints~~
-* ~~company delete needs to exist and update usercompanymap~~
+- return error in case of not found
-* ~~last modified in update for all tables~~
+- go through all endpoints for errors
-* checking some roles in all endpoints
-* modifiedby (companyuserid) relation
-* return error in case of not found
 
 ## Notes:
 

controllers/companyData.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"errors"
+	"multitenantStack/constants"
 	"multitenantStack/models"
 	"strconv"
 	"strings"
@@ -37,9 +38,11 @@ func (c *CompanyDataController) Post() {
 			c.Data["json"] = v
 		} else {
 			c.ServeJSONErrorWithError("Error", err)
+			return
 		}
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
@@ -57,6 +60,7 @@ func (c *CompanyDataController) GetOne() {
 	v, err := models.GetCompanyDataById(o, id)
 	if err != nil {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	} else {
 		c.Data["json"] = v
 	}
@@ -120,6 +124,7 @@ func (c *CompanyDataController) GetAll() {
 	l, err := models.GetAllCompanyData(o, query, fields, sortby, order, offset, limit)
 	if err != nil {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	} else {
 		c.Data["json"] = l
 	}
@@ -137,16 +142,24 @@ func (c *CompanyDataController) GetAll() {
 func (c *CompanyDataController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	if currentUser.Role != constants.RoleAdmin {
+		c.ServeJSONError("Only Admins can edit company Data")
+	}
+
 	v := models.CompanyData{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)
 		if err := models.UpdateCompanyDataById(o, &v); err == nil {
 			c.ServeJSONSuccess("Ok")
+			return
 		} else {
 			c.ServeJSONErrorWithError("Error", err)
+			return
 		}
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
@@ -163,8 +176,10 @@ func (c *CompanyDataController) Delete() {
 	id, _ := strconv.Atoi(idStr)
 	if err := models.DeleteCompanyData(o, id); err == nil {
 		c.ServeJSONSuccess("Ok")
+		return
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }

controllers/companyUser.go

@@ -187,6 +187,11 @@ func (c *CompanyUserController) GetAll() {
 func (c *CompanyUserController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	if currentUser.Role != constants.RoleAdmin && id != currentUser.Id {
+		c.ServeJSONError("You can only edit your own userdata!")
+	}
+
 	v := models.CompanyUser{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)

controllers/contact.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"errors"
+	"multitenantStack/constants"
 	"multitenantStack/models"
 	"strconv"
 	"strings"
@@ -138,16 +139,35 @@ func (c *ContactController) GetAll() {
 func (c *ContactController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	co, err := models.GetContactById(o, id)
+	if err != nil {
+		if err.Error() == "<QuerySeter> no row found" {
+			c.ServeJSONError("Contact does not exist")
+			return
+		}
+		c.ServeJSONError("Error updating Contact")
+		return
+	}
+
+	if currentUser.Role != constants.RoleAdmin && co.ModifiedBy != int64(currentUser.Id) {
+		c.ServeJSONError("You can only edit your own contacts!")
+		return
+	}
+
 	v := models.Contact{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)
 		if err := models.UpdateContactById(o, &v); err == nil {
 			c.ServeJSONSuccess("Ok")
+			return
 		} else {
 			c.ServeJSONErrorWithError("Error", err)
+			return
 		}
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }
@@ -164,8 +184,10 @@ func (c *ContactController) Delete() {
 	id, _ := strconv.Atoi(idStr)
 	if err := models.DeleteContact(o, id); err == nil {
 		c.ServeJSONSuccess("Ok")
+		return
 	} else {
 		c.ServeJSONErrorWithError("Error", err)
+		return
 	}
 	c.ServeJSON()
 }

controllers/post.go

@@ -3,6 +3,7 @@ package controllers
 import (
 	"encoding/json"
 	"errors"
+	"multitenantStack/constants"
 	"multitenantStack/models"
 	"strconv"
 	"strings"
@@ -147,6 +148,20 @@ func (c *PostController) GetAll() {
 func (c *PostController) Put() {
 	idStr := c.Ctx.Input.Param(":id")
 	id, _ := strconv.Atoi(idStr)
+
+	p, err := models.GetPostById(o, id)
+	if err != nil {
+		if err.Error() == "<QuerySeter> no row found" {
+			c.ServeJSONError("Post does not exist")
+			return
+		}
+		c.ServeJSONError("Error updating Post")
+	}
+
+	if currentUser.Role != constants.RoleAdmin && p.ModifiedBy != int64(currentUser.Id) {
+		c.ServeJSONError("You can only edit your own posts!")
+	}
+
 	v := models.Post{Id: id}
 	if err := json.Unmarshal(c.Ctx.Input.RequestBody, &v); err == nil {
 		v.ModifiedBy = int64(currentUser.Id)