Refactor permissions checks to avoid questions/works leaks between promotions/groups/start-availability

Thanks-To François Dautrême <francois.dautreme@epita.fr>

surveys.go

@@ -62,19 +62,14 @@ func declareAPISurveysRoutes(router *gin.RouterGroup) {
 			return
 		}
 
-		s := c.MustGet("survey").(*Survey)
-
-		if (s.Promo == u.Promo && (s.Group == "" || strings.Contains(u.Groups, ","+s.Group+",") && s.Shown)) || u.IsAdmin {
-			c.JSON(http.StatusOK, s)
-		} else {
-			c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible"})
-		}
+		c.JSON(http.StatusOK, c.MustGet("survey").(*Survey))
 	})
 }
 
 func declareAPIAuthSurveysRoutes(router *gin.RouterGroup) {
 	surveysRoutes := router.Group("/surveys/:sid")
 	surveysRoutes.Use(surveyHandler)
+	surveysRoutes.Use(surveyUserAccessHandler)
 
 	surveysRoutes.GET("/score", func(c *gin.Context) {
 		loggedUser := c.MustGet("LoggedUser").(*User)
@@ -219,18 +214,20 @@ func surveyHandler(c *gin.Context) {
 	}
 }
 
+func (s *Survey) checkUserAccessToSurvey(u *User) bool {
+	return u.IsAdmin || (u.Promo == s.Promo && s.Shown && (s.Group == "" || strings.Contains(u.Groups, ","+s.Group+",")))
+}
+
 func surveyUserAccessHandler(c *gin.Context) {
 	u := c.MustGet("LoggedUser").(*User)
-	w := c.MustGet("survey").(*Survey)
+	s := c.MustGet("survey").(*Survey)
 
-	if u.IsAdmin {
-		c.Next()
-	} else if w.Shown && (w.Group == "" || strings.Contains(u.Groups, ","+w.Group+",")) {
-		c.Next()
-	} else {
+	if !s.checkUserAccessToSurvey(u) {
 		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Survey not found."})
 		return
 	}
+
+	c.Next()
 }
 
 type Survey struct {