feat(reactions): add permission check when fetching all reactions
This commit is contained in:
parent
5c846ea990
commit
49b174e19f
|
@ -17,11 +17,13 @@
|
|||
package models
|
||||
|
||||
import (
|
||||
"code.vikunja.io/api/pkg/user"
|
||||
"code.vikunja.io/web"
|
||||
"time"
|
||||
|
||||
"code.vikunja.io/web"
|
||||
"xorm.io/builder"
|
||||
"xorm.io/xorm"
|
||||
|
||||
"code.vikunja.io/api/pkg/user"
|
||||
)
|
||||
|
||||
type ReactionKind int
|
||||
|
@ -74,7 +76,16 @@ type ReactionMap map[string][]*user.User
|
|||
// @Failure 403 {object} web.HTTPError "The user does not have access to the entity"
|
||||
// @Failure 500 {object} models.Message "Internal error"
|
||||
// @Router /{kind}/{id}/reactions [get]
|
||||
func (r *Reaction) ReadAll(s *xorm.Session, _ web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
|
||||
func (r *Reaction) ReadAll(s *xorm.Session, a web.Auth, _ string, _ int, _ int) (result interface{}, resultCount int, numberOfTotalItems int64, err error) {
|
||||
|
||||
can, _, err := r.CanRead(s, a)
|
||||
if err != nil {
|
||||
return nil, 0, 0, err
|
||||
}
|
||||
if !can {
|
||||
return nil, 0, 0, ErrGenericForbidden{}
|
||||
}
|
||||
|
||||
reactions := []*Reaction{}
|
||||
err = s.Where("entity_id = ? AND entity_kind = ?", r.EntityID, r.EntityKind).Find(&reactions)
|
||||
if err != nil {
|
||||
|
|
Loading…
Reference in New Issue