Harden works and surveys routes

This commit is contained in:
nemunaire 2022-09-07 21:33:54 +02:00
parent a5105979cc
commit d787d1c350
2 changed files with 33 additions and 1 deletions


@ -52,6 +52,7 @@ func declareAPISurveysRoutes(router *gin.RouterGroup) {
surveysRoutes := router.Group("/surveys/:sid") surveysRoutes := router.Group("/surveys/:sid")
surveysRoutes.Use(surveyHandler) surveysRoutes.Use(surveyHandler)
surveysRoutes.Use(surveyUserAccessHandler)
surveysRoutes.GET("", func(c *gin.Context) { surveysRoutes.GET("", func(c *gin.Context) {
u := c.MustGet("LoggedUser").(*User) u := c.MustGet("LoggedUser").(*User)
@ -198,6 +199,20 @@ func surveyHandler(c *gin.Context) {
} }
} }
func surveyUserAccessHandler(c *gin.Context) {
u := c.MustGet("LoggedUser").(*User)
w := c.MustGet("survey").(*Survey)
if u.IsAdmin {
c.Next()
} else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
c.Next()
} else {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Survey not found."})
return
}
}
type Survey struct { type Survey struct {
Id int64 `json:"id"` Id int64 `json:"id"`
Title string `json:"title"` Title string `json:"title"`
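Review bot: The group test in the new surveyUserAccessHandler, `strings.Contains(u.Groups, ","+w.Group+",")`, only matches when u.Groups is stored with a leading and trailing comma (e.g. `,a,b,`); if the field holds a plain `a,b` list, the first and last group never match and members of those groups get the 404 — which fails closed, but silently locks out legitimate users, and the same lookup is repeated in workUserAccessHandler in the works file. Either pin the assumption with a comment above the check, `// assumes u.Groups is stored as ",g1,g2," so the wrapped lookup only matches whole tokens`, or compare whole tokens with `slices.Contains(strings.Split(u.Groups, ","), w.Group)` (Go 1.21+), which is correct under both formats. Both branches also call `c.Next()` explicitly; in gin a middleware that simply returns without aborting lets the chain continue, so the handler reads more clearly as a single `if !allowed { c.AbortWithStatusJSON(...) }`. Finally, `c.MustGet("LoggedUser")` panics when no user is attached, so this group must sit under the authentication middleware — presumably it does, but unlike declareAPIAuthWorksRoutes the surveys function name does not say so, and an unauthenticated request reaching it would surface as a 500 rather than a clean denial; worth confirming.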


@ -190,6 +190,7 @@ func declareAPIAdminWorksRoutes(router *gin.RouterGroup) {
func declareAPIAuthWorksRoutes(router *gin.RouterGroup) { func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
worksRoutes := router.Group("/works/:wid") worksRoutes := router.Group("/works/:wid")
worksRoutes.Use(workHandler) worksRoutes.Use(workHandler)
worksRoutes.Use(workUserAccessHandler)
worksRoutes.GET("", func(c *gin.Context) { worksRoutes.GET("", func(c *gin.Context) {
u := c.MustGet("LoggedUser").(*User) u := c.MustGet("LoggedUser").(*User)
@ -209,7 +210,9 @@ func declareAPIAuthWorksRoutes(router *gin.RouterGroup) {
u := c.MustGet("LoggedUser").(*User) u := c.MustGet("LoggedUser").(*User)
w := c.MustGet("work").(*Work) w := c.MustGet("work").(*Work)
if g, err := u.GetMyWorkGrade(w); err != nil && errors.Is(err, sql.ErrNoRows) { if !u.IsAdmin && !w.Corrected {
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Permission denied"})
} else if g, err := u.GetMyWorkGrade(w); err != nil && errors.Is(err, sql.ErrNoRows) {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Aucune note n'a été attribuée pour ce travail. Avez-vous rendu ce travail ?"}) c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Aucune note n'a été attribuée pour ce travail. Avez-vous rendu ce travail ?"})
} else if err != nil { } else if err != nil {
log.Printf("Unable to GetMyWorkGrade(uid=%d;wid=%d): %s", u.Id, w.Id, err.Error()) log.Printf("Unable to GetMyWorkGrade(uid=%d;wid=%d): %s", u.Id, w.Id, err.Error())
@ -236,6 +239,20 @@ func workHandler(c *gin.Context) {
} }
} }
func workUserAccessHandler(c *gin.Context) {
u := c.MustGet("LoggedUser").(*User)
w := c.MustGet("work").(*Work)
if u.IsAdmin {
c.Next()
} else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
c.Next()
} else {
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Work not found."})
return
}
}
type OneWork struct { type OneWork struct {
Kind string `json:"kind"` Kind string `json:"kind"`
Id int64 `json:"id"` Id int64 `json:"id"`
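Review bot: workUserAccessHandler duplicates the authorization rule of surveyUserAccessHandler line for line (admin bypass, Shown flag, group membership); two copies of an access-control predicate tend to drift, so the rule is better expressed once, e.g. `func userCanSee(u *User, shown bool, group string) bool { return u.IsAdmin || (shown && (group == "" || strings.Contains(u.Groups, ","+group+","))) }`, with each middleware reduced to the lookup plus one abort. In the grade hunk, the new `if !u.IsAdmin && !w.Corrected` branch answers 403 with the English `"Permission denied"` while the adjacent branches of the same chain answer in French and the access middleware answers 404; pick one language and document why this case is a 403 rather than a 404 (the middleware has already established the user may see the work, so revealing that it is not yet corrected leaks nothing new). The enclosing route closure starts before this hunk, so I cannot see whether any other path on `/works/:wid` is registered before the `Use(workUserAccessHandler)` line; gin only applies a group middleware to routes registered after it, which is worth a quick check.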