Refactor user access check to questions

This commit is contained in:
nemunaire 2022-12-02 11:47:14 +01:00
parent ad0d12e67a
commit 9fd73ce235
1 changed files with 25 additions and 10 deletions


@ -60,6 +60,7 @@ func declareAPIAuthQuestionsRoutes(router *gin.RouterGroup) {
questionsRoutes := router.Group("/questions/:qid") questionsRoutes := router.Group("/questions/:qid")
questionsRoutes.Use(questionHandler) questionsRoutes.Use(questionHandler)
questionsRoutes.Use(questionUserAccessHandler)
questionsRoutes.GET("", func(c *gin.Context) { questionsRoutes.GET("", func(c *gin.Context) {
c.JSON(http.StatusOK, c.MustGet("question").(*Question)) c.JSON(http.StatusOK, c.MustGet("question").(*Question))
@ -97,6 +98,7 @@ func declareAPIAdminQuestionsRoutes(router *gin.RouterGroup) {
questionsRoutes := router.Group("/questions/:qid") questionsRoutes := router.Group("/questions/:qid")
questionsRoutes.Use(questionHandler) questionsRoutes.Use(questionHandler)
questionsRoutes.Use(questionUserAccessHandler)
questionsRoutes.PUT("", func(c *gin.Context) { questionsRoutes.PUT("", func(c *gin.Context) {
current := c.MustGet("question").(*Question) current := c.MustGet("question").(*Question)
@ -137,6 +139,7 @@ func declareAPIAdminQuestionsRoutes(router *gin.RouterGroup) {
func declareAPIAdminUserQuestionsRoutes(router *gin.RouterGroup) { func declareAPIAdminUserQuestionsRoutes(router *gin.RouterGroup) {
questionsRoutes := router.Group("/questions/:qid") questionsRoutes := router.Group("/questions/:qid")
questionsRoutes.Use(questionHandler) questionsRoutes.Use(questionHandler)
questionsRoutes.Use(questionUserAccessHandler)
questionsRoutes.GET("", func(c *gin.Context) { questionsRoutes.GET("", func(c *gin.Context) {
question := c.MustGet("question").(*Question) question := c.MustGet("question").(*Question)
@ -154,8 +157,6 @@ func declareAPIAdminUserQuestionsRoutes(router *gin.RouterGroup) {
} }
func questionHandler(c *gin.Context) { func questionHandler(c *gin.Context) {
u := c.MustGet("LoggedUser").(*User)
var survey *Survey var survey *Survey
if s, ok := c.Get("survey"); ok { if s, ok := c.Get("survey"); ok {
survey = s.(*Survey) survey = s.(*Survey)
@ -175,7 +176,29 @@ func questionHandler(c *gin.Context) {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Question not found"}) c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Question not found"})
return return
} }
} else {
question, err = survey.GetQuestion(qid)
if err != nil {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Question not found"})
return
}
}
c.Set("question", question)
c.Next()
}
func questionUserAccessHandler(c *gin.Context) {
var survey *Survey
if s, ok := c.Get("survey"); ok {
survey = s.(*Survey)
}
u := c.MustGet("LoggedUser").(*User)
question := c.MustGet("question").(*Question)
if survey == nil {
s, err := getSurvey(int(question.IdSurvey)) s, err := getSurvey(int(question.IdSurvey))
if err != nil { if err != nil {
log.Println("Unable to getSurvey:", err) log.Println("Unable to getSurvey:", err)
@ -184,12 +207,6 @@ func questionHandler(c *gin.Context) {
} }
survey = s survey = s
} else {
question, err = survey.GetQuestion(qid)
if err != nil {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Question not found"})
return
}
} }
if !u.IsAdmin && (!survey.checkUserAccessToSurvey(u) || (survey.Direct != nil && *survey.Direct != question.Id)) { if !u.IsAdmin && (!survey.checkUserAccessToSurvey(u) || (survey.Direct != nil && *survey.Direct != question.Id)) {
@ -201,8 +218,6 @@ func questionHandler(c *gin.Context) {
return return
} }
c.Set("question", question)
c.Next() c.Next()
} }
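Review bot: Moving the `!u.IsAdmin && (!survey.checkUserAccessToSurvey(u) || ...)` check out of `questionHandler` into the separate `questionUserAccessHandler` makes the authorization opt-in per route group: any `/questions/:qid` group that registers `questionHandler` without also registering `questionUserAccessHandler` now serves the question to any logged-in user, whereas before the check was unconditional. The three groups visible here (L14, L20, L27) do add it, but nothing prevents a future group — or one declared in a file outside this diff — from forgetting it, and in the admin groups the middleware is presumably a no-op because `!u.IsAdmin` short-circuits, so the only place it actually matters is the non-admin `declareAPIAuthQuestionsRoutes` group. A doc comment on the new function should state this coupling explicitly, e.g. `// questionUserAccessHandler must be registered immediately after questionHandler on every /questions/:qid group; it is the only place the per-user survey access check runs.` and a matching `// questionHandler only resolves the question; it performs NO access control, see questionUserAccessHandler.` on `questionHandler`. Alternatively, a small helper that registers both middlewares together (`questionsRoutes.Use(questionHandler, questionUserAccessHandler)`) would make the fail-open combination harder to write. The `getSurvey` error branch of `questionUserAccessHandler` (between L61 and L63) falls outside the shown hunk lines.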