From a657d672bedb43fd3e661a2116ede3a32d10e76e Mon Sep 17 00:00:00 2001
From: Ninjdai
Date: Sun, 3 Aug 2025 23:11:15 +0200
Subject: [PATCH] check user permissions for book instance API

---
 src/routes/book_instance.rs | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/src/routes/book_instance.rs b/src/routes/book_instance.rs
index 04033d0..ef94481 100644
--- a/src/routes/book_instance.rs
+++ b/src/routes/book_instance.rs
@@ -22,7 +22,8 @@ struct BookInstanceByIdParams(u32);
 security(("jwt" = [])),
 responses(
 (status = OK, body = book_instance::Model, description = "Found book instance with corresponding ID in the database"),
- (status = NOT_FOUND, description = "No book instance with this id exists in the database")
+ (status = NOT_FOUND, description = "No book instance with this id exists in the database"),
+ (status = FORBIDDEN, description = "You don't own the requested book instance"),
 ),
 summary = "Get a book instance by its ID",
 description = "Get a book instance from its ID",
@@ -30,9 +31,13 @@ struct BookInstanceByIdParams(u32);
 )]
 pub async fn get_book_instance_by_id(
 State(state): State>,
+ claims: Claims,
 Path(id): Path,
 ) -> (StatusCode, Json>) {
 if let Ok(Some(res)) = BookInstance::find_by_id(id).one(state.db_conn.as_ref()).await {
+ if !user_is_book_instance_owner(claims.user_id, res.id, state.db_conn.as_ref()).await {
+ return (StatusCode::FORBIDDEN, Json(None));
+ }
 (StatusCode::OK, Json(Some(res)))
 } else {
 (StatusCode::NOT_FOUND, Json(None))
@@ -55,7 +60,7 @@ pub struct BookInstanceCreateParams {
 security(("jwt" = [])),
 responses(
 (status = OK, body = book_instance::Model, description = "Successfully created book instance"),
- (status = FORBIDDEN, description = "You don't own the specified BAL"),
+ (status = FORBIDDEN, description = "You don't own the specified book instance"),
 ),
 summary = "Create a new book instance",
 description = "Create a new book instance",
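Review bot: The new ownership check in `get_book_instance_by_id` runs after the row has been fetched, so an authenticated caller who does not own instance `id` receives FORBIDDEN while a non-existent id receives NOT_FOUND — the status code alone reveals which ids exist to every logged-in user. If clients do not need that distinction, return `(StatusCode::NOT_FOUND, Json(None))` from the new branch as well (and drop the FORBIDDEN entry from the responses list at -22,7); if they do need it, leave a comment such as `// FORBIDDEN rather than NOT_FOUND deliberately confirms the id exists to non-owners`. The check also passes `res.id`, which at this point equals `id`, to `user_is_book_instance_owner` together with the connection, so it presumably re-queries the row just loaded; if the model carries the owner, comparing against `res` directly would avoid the second round-trip — can't tell from here. The function's closing braces are outside the hunk.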
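Review bot: The reworded FORBIDDEN description on the create endpoint (hunk -55,7) no longer matches what the handler can be refusing: at creation time there is no book instance to own yet, and the payload field the handler writes is `bal_id` (visible at -76,7), so the 403 is presumably about the caller not owning that BAL. Unless the ownership check inside `create_book_instance` (outside this hunk) was changed to something else, keep the BAL wording, e.g. `(status = FORBIDDEN, description = "You don't own the BAL specified by bal_id"),`. The identical string added for the sell endpoint at -167,6 does fit there, since a sale acts on an existing instance.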
@@ -76,7 +81,8 @@ pub async fn create_book_instance(
 bal_id: Set(instance_payload.bal_id),
 price: Set(instance_payload.price),
 status: Set(book_instance::BookStatus::Available),
- ..Default::default()
+ id: NotSet,
+ sold_price: NotSet,
 };
 
 let b = book_instance.save(state.db_conn.as_ref()).await;
@@ -167,6 +173,7 @@ pub struct BookInstanceSaleParams {
 responses(
 (status = OK, body = book_instance::Model, description = "Successfully sold book instance"),
 (status = NOT_FOUND, description = "No book instance with specified id was found"),
+ (status = FORBIDDEN, description = "You don't own the specified book instance"),
 ),
 summary = "Sell a book instance",
 description = "Sell a book instance",
@@ -227,7 +234,7 @@ pub async fn bulk_create_book_instance(
 }
 }
 
- let instances = instance_payload
+ let instances = instance_payload
 .into_iter()
 .map(|p| {
 book_instance::ActiveModel {
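Review bot: Replacing `..Default::default()` with `id: NotSet, sold_price: NotSet` in `create_book_instance` is unrelated to the permission checks this commit is about and, as far as the hunk shows, presumably changes no behaviour; it belongs in its own commit or needs a comment stating the intent, e.g. `// every column listed explicitly so a new column is a compile error here rather than a silent NotSet`. Without that, the next reader will wonder whether `sold_price: NotSet` was meant to reset a value the struct previously carried. The whitespace-only change at -227,7 falls in the same category.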
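Review bot: The sell endpoint's responses list at -167,6 now advertises FORBIDDEN, but no hunk in this patch adds an ownership check to the sell handler — the diffstat's 11 insertions are all accounted for by the hunks shown, and the only new check is the one in `get_book_instance_by_id`. If the sell handler already refused non-owners this merely catches the docs up; if it does not, the generated API documentation now promises an authorization check that is not enforced, which is worse than the missing entry was. Please confirm that the handler behind `BookInstanceSaleParams` (outside this hunk) returns FORBIDDEN for non-owners, or add the `user_is_book_instance_owner` check there in this same commit so the docs and the code land together.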