Added check to only let a user delete his own list

2018-06-12 18:46:59 +02:00 · 2018-06-12 18:46:59 +02:00 · 1bb7187285
parent be18247682
commit 1bb7187285
4 changed files with 43 additions and 4 deletions
--- a/models/error.go
+++ b/models/error.go
@ -143,6 +143,27 @@ func (err ErrListDoesNotExist) Error() string {
 	return fmt.Sprintf("List does not exist [ID: %d]", err.ID)
 }

+// ErrNeedToBeListOwner represents an error, where the user is not the owner of that list (used i.e. when deleting a list)
+type ErrNeedToBeListOwner struct {
+	ListID int64
+	UserID int64
+}
+
+// IsErrListDoesNotExist checks if an error is a ErrListDoesNotExist.
+func IsErrNeedToBeListOwner(err error) bool {
+	_, ok := err.(ErrNeedToBeListOwner)
+	return ok
+}
+
+func (err ErrNeedToBeListOwner) Error() string {
+	return fmt.Sprintf("You need to be list owner to do that [ListID: %d, UserID: %d]", err.ListID, err.UserID)
+}
+
+
+// ================
+// List item errors
+// ================
+
 // ErrListItemCannotBeEmpty represents a "ErrListDoesNotExist" kind of error. Used if the list does not exist.
 type ErrListItemCannotBeEmpty struct{}

--- a/models/list_delete.go
+++ b/models/list_delete.go
@ -1,13 +1,17 @@
 package models

-func DeleteListByID(listID int64) (err error) {
+func DeleteListByID(listID int64, doer *User) (err error) {

 	// Check if the list exists
-	_, err = GetListByID(listID)
+	list, err := GetListByID(listID)
 	if err != nil {
 		return
 	}

+	if list.Owner.ID != doer.ID {
+		return ErrNeedToBeListOwner{ListID:listID, UserID:doer.ID}
+	}
+
 	// Delete the list
 	_, err = x.ID(listID).Delete(&List{})
 	if err != nil {
--- a/routes/api/v1/item_delete.go
+++ b/routes/api/v1/item_delete.go
@ -16,7 +16,7 @@ func DeleteListItemByIDtemByID(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
 	}

-	// Check if the user has the right to delete that list
+	// Check if the user has the right to delete that list item
 	user, err := models.GetCurrentUser(c)
 	if err != nil {
 		return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
--- a/routes/api/v1/list_delete.go
+++ b/routes/api/v1/list_delete.go
@ -16,10 +16,24 @@ func DeleteListByID(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, models.Message{"Invalid ID."})
 	}

-	err = models.DeleteListByID(itemID)
+	// Check if the user has the right to delete that list
+	user, err := models.GetCurrentUser(c)
 	if err != nil {
 		return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
 	}

+	err = models.DeleteListByID(itemID, &user)
+	if err != nil {
+		if models.IsErrNeedToBeListOwner(err) {
+			return c.JSON(http.StatusForbidden, models.Message{"You need to be the list owner to delete a list."})
+		}
+
+		if models.IsErrListDoesNotExist(err) {
+			return c.JSON(http.StatusNotFound, models.Message{"This list does not exist."})
+		}
+
+		return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
+	}
+
 	return c.JSON(http.StatusOK, models.Message{"The list was deleted with success."})
 }