Added check if the wants to change its own password

2018-01-23 15:58:01 +01:00 · 2018-01-23 15:58:01 +01:00 · bcb8b08001
parent 434856a44f
commit bcb8b08001
1 changed files with 17 additions and 14 deletions
--- a/routes/api/v1/user_update_password.go
+++ b/routes/api/v1/user_update_password.go
@ -15,8 +15,23 @@ type datPassword struct {
 // UserChangePassword is the handler to add a user
 func UserChangePassword(c echo.Context) error {

-	// Check if the user is admin
-	if !models.IsAdmin(c) {
+	// Get the ID
+	user := c.Param("id")
+
+	if user == "" {
+		return c.JSON(http.StatusBadRequest, models.Message{"User ID cannot be empty."})
+	}
+
+	// Make int
+	userID, err := strconv.ParseInt(user, 10, 64)
+	if err != nil {
+		return c.JSON(http.StatusInternalServerError, models.Message{"Error getting user infos."})
+	}
+
+
+	// Check if the user is admin or itself
+	userJWTinfo, err := models.GetCurrentUser(c)
+	if !models.IsAdmin(c) || userJWTinfo.ID == userID {
 		return echo.ErrUnauthorized
 	}

@ -33,18 +48,6 @@ func UserChangePassword(c echo.Context) error {
 		datPw.Password = pwFromString
 	}

-	user := c.Param("id")
-
-	if user == "" {
-		return c.JSON(http.StatusBadRequest, models.Message{"User ID cannot be empty."})
-	}
-
-	// Make int
-	userID, err := strconv.ParseInt(user, 10, 64)
-	if err != nil {
-		return c.JSON(http.StatusInternalServerError, models.Message{"Error getting user infos."})
-	}
-
 	// Get User Infos
 	_, exists, err := models.GetUserByID(userID)