admin: Require to be identitied to change the history

admin/api/exercice.go

@@ -35,9 +35,12 @@ func declareExercicesRoutes(router *gin.RouterGroup) {
 	apiExercicesRoutes.GET("/stats.json", getExerciceStats)
 
 	apiExercicesRoutes.GET("/history.json", getExerciceHistory)
-	apiExercicesRoutes.PUT("/history.json", appendExerciceHistory)
-	apiExercicesRoutes.PATCH("/history.json", updateExerciceHistory)
-	apiExercicesRoutes.DELETE("/history.json", delExerciceHistory)
+
+	apiHistoryRoutes := apiExercicesRoutes.Group("/history.json")
+	apiHistoryRoutes.Use(AssigneeCookieHandler)
+	apiHistoryRoutes.PUT("", appendExerciceHistory)
+	apiHistoryRoutes.PATCH("", updateExerciceHistory)
+	apiHistoryRoutes.DELETE("", delExerciceHistory)
 
 	apiExercicesRoutes.GET("/hints", listExerciceHints)
 	apiExercicesRoutes.POST("/hints", createExerciceHint)
@@ -469,6 +472,30 @@ func getExercicesStats(c *gin.Context) {
 	c.JSON(http.StatusOK, ret)
 }
 
+func AssigneeCookieHandler(c *gin.Context) {
+	myassignee, err := c.Cookie("myassignee")
+	if err != nil {
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "You must be authenticated to perform this action."})
+		return
+	}
+
+	aid, err := strconv.ParseInt(myassignee, 10, 32)
+	if err != nil {
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "You must be authenticated to perform this action: invalid assignee identifier."})
+		return
+	}
+
+	assignee, err := fic.GetAssignee(aid)
+	if err != nil {
+		c.AbortWithStatusJSON(http.StatusBadRequest, gin.H{"errmsg": "You must be authenticated to perform this action: assignee not found."})
+		return
+	}
+
+	c.Set("assignee", assignee)
+
+	c.Next()
+}
+
 type uploadedExerciceHistory struct {
 	IdTeam    int64 `json:"team_id"`
 	Kind      string
@@ -479,6 +506,7 @@ type uploadedExerciceHistory struct {
 
 func appendExerciceHistory(c *gin.Context) {
 	exercice := c.MustGet("exercice").(*fic.Exercice)
+	myassignee := c.MustGet("assignee").(*fic.ClaimAssignee)
 
 	var uh uploadedExerciceHistory
 	err := c.ShouldBindJSON(&uh)
@@ -493,12 +521,14 @@ func appendExerciceHistory(c *gin.Context) {
 		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during history moditication."})
 		return
 	}
+	log.Printf("AUDIT: %s performs an history append: %s for team %d, exercice %d and optional %v", myassignee.Name, uh.Kind, uh.IdTeam, exercice.Id, uh.Secondary)
 
 	c.JSON(http.StatusOK, uh)
 }
 
 func updateExerciceHistory(c *gin.Context) {
 	exercice := c.MustGet("exercice").(*fic.Exercice)
+	myassignee := c.MustGet("assignee").(*fic.ClaimAssignee)
 
 	var uh uploadedExerciceHistory
 	err := c.ShouldBindJSON(&uh)
@@ -513,12 +543,14 @@ func updateExerciceHistory(c *gin.Context) {
 		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during history update."})
 		return
 	}
+	log.Printf("AUDIT: %s performs an history update: %s for team %d, exercice %d and optional %v, with coeff %f", myassignee.Name, uh.Kind, uh.IdTeam, exercice.Id, uh.Secondary, uh.Coeff)
 
 	c.JSON(http.StatusOK, uh)
 }
 
 func delExerciceHistory(c *gin.Context) {
 	exercice := c.MustGet("exercice").(*fic.Exercice)
+	myassignee := c.MustGet("assignee").(*fic.ClaimAssignee)
 
 	var uh uploadedExerciceHistory
 	err := c.ShouldBindJSON(&uh)
@@ -533,6 +565,7 @@ func delExerciceHistory(c *gin.Context) {
 		c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during history deletion."})
 		return
 	}
+	log.Printf("AUDIT: %s performs an history deletion: %s for team %d, exercice %d and optional %v", myassignee.Name, uh.Kind, uh.IdTeam, exercice.Id, uh.Secondary)
 
 	c.JSON(http.StatusOK, true)
 }