Allow access to work/:wid to users

works.go

@@ -72,10 +72,16 @@ func init() {
 
 		return formatApiResponse(NewWork(new.Title, new.Promo, new.Group, new.Shown, new.SubmissionURL, new.StartAvailability, new.EndAvailability))
 	}, adminRestricted))
-	router.GET("/api/works/:wid", apiHandler(workHandler(
-		func(w Work, _ []byte) HTTPResponse {
-			return APIResponse{w}
-		}), adminRestricted))
+	router.GET("/api/works/:wid", apiAuthHandler(workAuthHandler(
+		func(w Work, u *User, _ []byte) HTTPResponse {
+			if u.IsAdmin {
+				return APIResponse{w}
+			} else if w.Shown && w.StartAvailability.Before(time.Now()) && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
+				return APIResponse{w}
+			} else {
+				return APIErrorResponse{status: http.StatusForbidden, err: fmt.Errorf("Permission denied")}
+			}
+		}), loggedUser))
 	router.PUT("/api/works/:wid", apiHandler(workHandler(func(current Work, body []byte) HTTPResponse {
 		var new Work
 		if err := json.Unmarshal(body, &new); err != nil {