check user permissions for owner API
This commit is contained in:
parent
e078bffc25
commit
9fb527f9df
1 changed files with 14 additions and 7 deletions
@ -2,7 +2,7 @@ use std::sync::Arc;
use axum::{extract::{Path, State}, Json};
|
use axum::{extract::{Path, State}, Json};
|
||||||
use reqwest::{StatusCode};
|
use reqwest::{StatusCode};
|
||||||
use sea_orm::{ActiveModelTrait, ActiveValue::{NotSet, Set, Unchanged}, EntityTrait, TryIntoModel};
|
use sea_orm::{ActiveModelTrait, ActiveValue::{NotSet, Set}, ColumnTrait, EntityTrait, QueryFilter, TryIntoModel};
|
||||||
use serde::{Deserialize, Serialize};
|
use serde::{Deserialize, Serialize};
|
||||||
use utoipa::IntoParams;
|
use utoipa::IntoParams;
|
||||||
@ -22,7 +22,8 @@ struct OwnerByIdParams(u32);
|
||||||
security(("jwt" = [])),
|
security(("jwt" = [])),
|
||||||
responses(
|
responses(
|
||||||
(status = OK, body = owner::Model, description = "Found owner with corresponding ID in the database"),
|
(status = OK, body = owner::Model, description = "Found owner with corresponding ID in the database"),
|
||||||
(status = NOT_FOUND, description = "No owner with this id exists in the database")
|
(status = NOT_FOUND, description = "No owner with this id exists in the database"),
|
||||||
|
(status = FORBIDDEN, description = "You do not own the specified owner"),
|
||||||
),
|
),
|
||||||
summary = "Get an owner by its ID",
|
summary = "Get an owner by its ID",
|
||||||
description = "Get an owner from its ID",
|
description = "Get an owner from its ID",
|
||||||
@ -30,10 +31,15 @@ struct OwnerByIdParams(u32);
|
||||||
)]
|
)]
|
||||||
pub async fn get_owner_by_id(
|
pub async fn get_owner_by_id(
|
||||||
State(state): State<Arc<AppState>>,
|
State(state): State<Arc<AppState>>,
|
||||||
|
claims: Claims,
|
||||||
Path(id): Path<u32>,
|
Path(id): Path<u32>,
|
||||||
) -> (StatusCode, Json<Option<owner::Model>>) {
|
) -> (StatusCode, Json<Option<owner::Model>>) {
|
||||||
if let Ok(Some(res)) = Owner::find_by_id(id).one(state.db_conn.as_ref()).await {
|
if let Ok(Some(res)) = Owner::find_by_id(id).one(state.db_conn.as_ref()).await {
|
||||||
|
if res.user_id != claims.user_id {
|
||||||
|
(StatusCode::FORBIDDEN, Json(None))
|
||||||
|
} else {
|
||||||
(StatusCode::OK, Json(Some(res)))
|
(StatusCode::OK, Json(Some(res)))
|
||||||
|
}
|
||||||
} else {
|
} else {
|
||||||
(StatusCode::NOT_FOUND, Json(None))
|
(StatusCode::NOT_FOUND, Json(None))
|
||||||
}
|
}
|
||||||
@ -165,14 +171,15 @@ pub async fn update_owner(
|
||||||
)]
|
)]
|
||||||
pub async fn get_owners(
|
pub async fn get_owners(
|
||||||
State(state): State<Arc<AppState>>,
|
State(state): State<Arc<AppState>>,
|
||||||
) -> (StatusCode, Json<Option<Vec<owner::Model>>>) {
|
claims: Claims
|
||||||
match Owner::find().all(state.db_conn.as_ref()).await {
|
) -> (StatusCode, Json<Vec<owner::Model>>) {
|
||||||
|
match Owner::find().filter(owner::Column::UserId.eq(claims.user_id)).all(state.db_conn.as_ref()).await {
|
||||||
Err(e) => {
|
Err(e) => {
|
||||||
log::error!(target: "api", "Error while getting owner list: {:#?}", e);
|
log::error!(target: "api", "Error while getting owner list: {:#?}", e);
|
||||||
(StatusCode::INTERNAL_SERVER_ERROR, Json(None))
|
(StatusCode::INTERNAL_SERVER_ERROR, Json(vec![]))
|
||||||
}
|
}
|
||||||
Ok(owners) => {
|
Ok(owners) => {
|
||||||
(StatusCode::OK, Json(Some(owners)))
|
(StatusCode::OK, Json(owners))
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
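Review bot: In get_owner_by_id the ownership test runs after the lookup, so the new FORBIDDEN branch (`if res.user_id != claims.user_id`) answers 403 for ids owned by someone else and 404 for ids that do not exist, which lets any authenticated caller enumerate which owner ids are present; folding the check into the query as get_owners now does, `Owner::find_by_id(id).filter(owner::Column::UserId.eq(claims.user_id))`, would return NOT_FOUND uniformly and keep the two handlers consistent, and if the distinct 403 is intended that trade-off is worth a comment next to the branch. The same `if let Ok(Some(res))` folds a database `Err` into NOT_FOUND without logging, while get_owners logs it and returns INTERNAL_SERVER_ERROR; a `match` mirroring get_owners would make the failure visible. The hunk header at line 165 shows an `update_owner` handler that is not part of this diff, so presumably it and any delete handler do the same `find_by_id` lookup and need the same ownership check — worth confirming before this commit is taken as completing the permission work.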
|