diff --git a/models/error.go b/models/error.go index bbf8a94fc..de48c22e1 100644 --- a/models/error.go +++ b/models/error.go @@ -399,6 +399,22 @@ func (err ErrNeedToHaveNamespaceReadAccess) Error() string { return fmt.Sprintf("You need to be namespace owner to do that [NamespaceID: %d, UserID: %d]", err.NamespaceID, err.UserID) } +// ErrTeamDoesNotHaveAccessToNamespace represents an error, where the Team is not the owner of that namespace (used i.e. when deleting a namespace) +type ErrTeamDoesNotHaveAccessToNamespace struct { + NamespaceID int64 + TeamID int64 +} + +// IsErrTeamDoesNotHaveAccessToNamespace checks if an error is a ErrNamespaceDoesNotExist. +func IsErrTeamDoesNotHaveAccessToNamespace(err error) bool { + _, ok := err.(ErrTeamDoesNotHaveAccessToNamespace) + return ok +} + +func (err ErrTeamDoesNotHaveAccessToNamespace) Error() string { + return fmt.Sprintf("You need to have access to this namespace to do that [NamespaceID: %d, TeamID: %d]", err.NamespaceID, err.TeamID) +} + // ============ // Team errors // ============ @@ -496,6 +512,22 @@ func (err ErrCannotDeleteLastTeamMember) Error() string { return fmt.Sprintf("This user is already a member of that team. [Team ID: %d, User ID: %d]", err.TeamID, err.UserID) } +// ErrTeamDoesNotHaveAccessToList represents an error, where the Team is not the owner of that List (used i.e. when deleting a List) +type ErrTeamDoesNotHaveAccessToList struct { + ListID int64 + TeamID int64 +} + +// IsErrTeamDoesNotHaveAccessToList checks if an error is a ErrListDoesNotExist. +func IsErrTeamDoesNotHaveAccessToList(err error) bool { + _, ok := err.(ErrTeamDoesNotHaveAccessToList) + return ok +} + +func (err ErrTeamDoesNotHaveAccessToList) Error() string { + return fmt.Sprintf("You need to have access to this List to do that [ListID: %d, TeamID: %d]", err.ListID, err.TeamID) +} + // ==================== // User <-> List errors // ==================== diff --git a/models/team_list_delete.go b/models/team_list_delete.go index 45748924c..3d14b6629 100644 --- a/models/team_list_delete.go +++ b/models/team_list_delete.go @@ -3,18 +3,22 @@ package models // Delete deletes a team <-> list relation based on the list & team id func (tl *TeamList) Delete() (err error) { - // Check if the list exists - _, err = GetListByID(tl.ListID) - if err != nil { - return - } - // Check if the team exists _, err = GetTeamByID(tl.TeamID) if err != nil { return } + // Check if the team has access to the list + has, err := x.Where("team_id = ? AND list_id = ?", tl.TeamID, tl.ListID). + Get(&TeamList{}) + if err != nil { + return + } + if !has { + return ErrTeamDoesNotHaveAccessToList{TeamID: tl.TeamID, ListID: tl.ListID} + } + // Delete the relation _, err = x.Where("team_id = ?", tl.TeamID). And("list_id = ?", tl.ListID). diff --git a/models/team_namespace_delete.go b/models/team_namespace_delete.go index 62f7cab78..ff4078ebc 100644 --- a/models/team_namespace_delete.go +++ b/models/team_namespace_delete.go @@ -3,18 +3,22 @@ package models // Delete deletes a team <-> namespace relation based on the namespace & team id func (tn *TeamNamespace) Delete() (err error) { - // Check if the namespace exists - _, err = GetNamespaceByID(tn.NamespaceID) - if err != nil { - return - } - // Check if the team exists _, err = GetTeamByID(tn.TeamID) if err != nil { return } + // Check if the team has access to the namespace + has, err := x.Where("team_id = ? AND namespace_id = ?", tn.TeamID, tn.NamespaceID). + Get(&TeamNamespace{}) + if err != nil { + return + } + if !has { + return ErrTeamDoesNotHaveAccessToNamespace{TeamID: tn.TeamID, NamespaceID: tn.NamespaceID} + } + // Delete the relation _, err = x.Where("team_id = ?", tn.TeamID). And("namespace_id = ?", tn.NamespaceID). diff --git a/routes/crud/delete.go b/routes/crud/delete.go index 919d6130e..1cb91606f 100644 --- a/routes/crud/delete.go +++ b/routes/crud/delete.go @@ -33,6 +33,9 @@ func (c *WebHandler) DeleteWeb(ctx echo.Context) error { if models.IsErrListDoesNotExist(err) { return echo.NewHTTPError(http.StatusNotFound, "This list does not exist.") } + if models.IsErrTeamDoesNotHaveAccessToList(err) { + return echo.NewHTTPError(http.StatusBadRequest, "This team does not have access to the list.") + } if models.IsErrTeamDoesNotExist(err) { return echo.NewHTTPError(http.StatusNotFound, "This team does not exist.")