diff --git a/musicus_server/src/routes/auth.rs b/musicus_server/src/routes/auth.rs
index 66a83a0..e951f3d 100644
--- a/musicus_server/src/routes/auth.rs
+++ b/musicus_server/src/routes/auth.rs
@@ -167,30 +167,19 @@ pub fn authenticate(conn: &DbConn, token: &str) -> Result {
 database::get_user(conn, &username)?.ok_or(anyhow!("User doesn't exist: {}", &username))
 }
 
-/// Check whether a token allows the user to create a new item.
-pub fn may_create(conn: &DbConn, token: &str) -> Result {
- let user = authenticate(conn, token)?;
-
- let result = if user.is_banned { false } else { false };
-
- Ok(result)
+/// Check whether the user is allowed to create a new item.
+pub fn may_create(user: &User) -> bool {
+ !user.is_banned
 }
 
-/// Check whether a token allows the user to edit an item created by him or somebody else.
-pub fn may_edit(conn: &DbConn, token: &str, created_by: &str) -> Result {
- let user = authenticate(conn, token)?;
+/// Check whether the user is allowed to edit an item created by him or somebody else.
+pub fn may_edit(user: &User, created_by: &str) -> bool {
+ !user.is_banned && (user.username == created_by || user.is_editor)
+}
 
- let result = if user.is_banned {
- false
- } else if user.username == created_by {
- true
- } else if user.is_editor {
- true
- } else {
- false
- };
-
- Ok(result)
+/// Check whether the user is allowed to delete an item.
+pub fn may_delete(user: &User) -> bool {
+ !user.is_banned && user.is_editor
 }
 
 /// Return a hash for a password that can be stored in the database.
diff --git a/musicus_server/src/routes/persons.rs b/musicus_server/src/routes/persons.rs
index 96eb5c1..fcc6ae6 100644
--- a/musicus_server/src/routes/persons.rs
+++ b/musicus_server/src/routes/persons.rs
@@ -1,4 +1,4 @@
-use super::{authenticate, ServerError};
+use super::{authenticate, may_create, may_delete, may_edit, ServerError};
 use crate::database;
 use crate::database::{DbPool, PersonInsertion};
 use actix_web::{delete, get, post, put, web, HttpResponse};
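Review bot: The doc comment on the new `may_edit` still says "created by him or somebody else" and does not state the rule the body actually enforces, and `may_delete` is silently stricter than `may_edit` — an item's creator may edit it but not delete it, with only editors allowed to delete. If that asymmetry is intended it should be written down, e.g. `/// A user may edit an item if they are not banned and either created it or are an editor.` on `may_edit` and `/// Only editors may delete items; a creator cannot remove their own item. Banned users may never delete.` on `may_delete`. Since all three checks are now pure predicates over `User`, a small set of unit tests over the banned/creator/editor combinations would pin this policy in place and make any future change to it visible in review. The hunk opens inside `authenticate`, whose body begins above it.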
@@ -31,10 +31,12 @@ pub async fn post_person(
 web::block(move || {
 let conn = db.into_inner().get()?;
 let user = authenticate(&conn, auth.token()).or(Err(ServerError::Unauthorized))?;
-
- database::insert_person(&conn, id, &data.into_inner(), &user.username)?;
-
- Ok(())
+ if may_create(&user) {
+ database::insert_person(&conn, id, &data.into_inner(), &user.username)?;
+ Ok(())
+ } else {
+ Err(ServerError::Forbidden)
+ }
 })
 .await?;
 
@@ -56,13 +58,12 @@ pub async fn put_person(
 let id = id.into_inner();
 let old_person = database::get_person(&conn, id)?.ok_or(ServerError::NotFound)?;
 
- if user.username != old_person.created_by {
- Err(ServerError::Forbidden)?;
+ if may_edit(&user, &old_person.created_by) {
+ database::update_person(&conn, id, &data.into_inner())?;
+ Ok(())
+ } else {
+ Err(ServerError::Forbidden)
 }
-
- database::update_person(&conn, id, &data.into_inner())?;
-
- Ok(())
 })
 .await?;
 
@@ -90,7 +91,7 @@ pub async fn delete_person(
 let conn = db.into_inner().get()?;
 let user = authenticate(&conn, auth.token()).or(Err(ServerError::Unauthorized))?;
 
- if user.is_editor {
+ if may_delete(&user) {
 database::delete_person(&conn, id.into_inner())?;
 Ok(())
 } else {
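Review bot: The new `post_person` body nests the entire success path inside `if may_create(&user) { … } else { Err(ServerError::Forbidden) }`; a guard clause keeps the authorization decision on a single line at the top of the closure and leaves the happy path flat, e.g. `if !may_create(&user) { return Err(ServerError::Forbidden); }` followed by the unindented `database::insert_person(...)?;` and `Ok(())`. The same shape recurs in the `put_person` and `delete_person` hunks below and would benefit from the same treatment. A `return` inside the `web::block` closure exits only the closure, so the surrounding `.await?` handling is unaffected. Each handler's signature and the rest of the `web::block` call lie outside these hunks.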