From b74b5f3a44569a0177cfea45ebbc6a41f3f47354 Mon Sep 17 00:00:00 2001
From: smavros
Date: Mon, 10 Jun 2019 16:47:46 +0200
Subject: [PATCH] Fixes bug in getUsers(). Adds helper funnction.

---
 common/utilities.go | 9 +++++++++
 routes/user/userEndpoints.go | 15 ++++++++-------
 2 files changed, 17 insertions(+), 7 deletions(-)

diff --git a/common/utilities.go b/common/utilities.go
index b432c52..91deb42 100644
--- a/common/utilities.go
+++ b/common/utilities.go
@@ -125,3 +125,12 @@ func AuthenticateForTest(t *testing.T, router *gin.Engine, url string, method st
 	return body_data["token"].(string)
 }
 
+
+// Read the parameter with name paramName from the gin Context and
+// return it as uint variable
+func UintParamFromCtx(c *gin.Context, paramName string) (uint, error) {
+
+	param, err := strconv.Atoi(c.Param(paramName))
+
+	return uint(param), err
+}
diff --git a/routes/user/userEndpoints.go b/routes/user/userEndpoints.go
index f89bdbd..363300d 100644
--- a/routes/user/userEndpoints.go
+++ b/routes/user/userEndpoints.go
@@ -5,7 +5,6 @@ import (
 	"github.com/dgrijalva/jwt-go"
 	"github.com/gin-gonic/gin"
 	"net/http"
-	"strconv"
 	"time"
 
 	"git.rwth-aachen.de/acs/public/villas/villasweb-backend-go/common"
@@ -238,7 +237,7 @@ func addUser(c *gin.Context) {
 // @Router /users/{userID} [put]
 func updateUser(c *gin.Context) {
 
-	err := common.ValidateRole(c, common.ModelUser, common.Read)
+	err := common.ValidateRole(c, common.ModelUser, common.Update)
 	if err != nil {
 		c.JSON(http.StatusUnprocessableEntity, fmt.Sprintf("%v", err))
 		return
@@ -246,8 +245,8 @@ func updateUser(c *gin.Context) {
 
 	// Find the user
 	var user User
-	toBeUpdatedID, _ := strconv.ParseInt(c.Param("UserID"), 10, 64)
-	err = user.ByID(uint(toBeUpdatedID))
+	toBeUpdatedID, _ := common.UintParamFromCtx(c, "UserID")
+	err = user.ByID(toBeUpdatedID)
 	if err != nil {
 		c.JSON(http.StatusNotFound, fmt.Sprintf("%v", err))
 		return
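Review bot: `uint(param)` in UintParamFromCtx silently turns a negative path parameter into a very large unsigned value, because strconv.Atoi accepts a sign and the conversion wraps instead of failing; on a parse error the function also hands back `uint(param)` next to the error rather than the zero value. Parsing as unsigned and failing closed covers both: `param, err := strconv.ParseUint(c.Param(paramName), 10, 0)`, `if err != nil { return 0, err }`, `return uint(param), nil`. The doc comment of an exported function conventionally starts with its name, e.g. `// UintParamFromCtx reads the path parameter paramName from the gin context and returns it as a uint.`. Whether strconv is already imported in utilities.go is not visible in this hunk.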
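Review bot: The error from `common.UintParamFromCtx(c, "UserID")` is discarded with `_`, so a malformed UserID continues into `user.ByID` with whatever value the helper produced and surfaces as a 404 instead of a 400 that tells the client the parameter was invalid; the getUser hunk at -335 and the deleteUser hunk at -370 discard it the same way. Checking it is two lines: `toBeUpdatedID, err := common.UintParamFromCtx(c, "UserID")` followed by `if err != nil { c.JSON(http.StatusBadRequest, fmt.Sprintf("%v", err)); return }`. The `:=` is valid here because toBeUpdatedID is new in this scope even though err was declared earlier in updateUser. updateUser continues outside the hunk.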
@@ -258,11 +257,13 @@ func updateUser(c *gin.Context) {
 	// in the context from the Authentication middleware)
 	userID, _ := c.Get(common.UserIDCtx)
 	userRole, _ := c.Get(common.UserRoleCtx)
+
 	if toBeUpdatedID != userID && userRole != "Admin" {
 		c.JSON(http.StatusForbidden, gin.H{
 			"success": false,
 			"message": "Invalid authorization",
 		})
+		return
 	}
 
 	// Bind the (context) with the User struct
@@ -335,9 +336,9 @@ func getUser(c *gin.Context) {
 	}
 
 	var user User
-	id, _ := strconv.ParseInt(c.Param("UserID"), 10, 64)
+	id, _ := common.UintParamFromCtx(c, "UserID")
 
-	err = user.ByID(uint(id))
+	err = user.ByID(id)
 	if err != nil {
 		c.JSON(http.StatusNotFound, fmt.Sprintf("%v", err))
 		return
@@ -370,7 +371,7 @@ func deleteUser(c *gin.Context) {
 	}
 
 	var user User
-	id, _ := strconv.ParseInt(c.Param("UserID"), 10, 64)
+	id, _ := common.UintParamFromCtx(c, "UserID")
 
 	// Check that the user exist
 	err = user.ByID(uint(id))
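Review bot: `toBeUpdatedID != userID` compares a uint with the `any` value returned by `c.Get`, and Go evaluates such a comparison as unequal whenever the dynamic type differs; the preceding hunk changed the left side from int64 to uint, so the outcome now depends on the exact type the authentication middleware stores under common.UserIDCtx, which is not visible here. If that type is anything other than uint, the owner check never matches and the newly added `return` rejects every non-admin self-update. A type assertion makes the expectation explicit and fails closed: `ownerID, ok := userID.(uint)` and `if !ok || (toBeUpdatedID != ownerID && userRole != "Admin") {`. updateUser continues outside the hunk on both sides.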
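Review bot: `err = user.ByID(uint(id))` on the last context line converts a value that is already uint after this hunk, while the getUser hunk at -335 dropped the matching conversion; the two call sites should read the same, `err = user.ByID(id)`. deleteUser continues outside the hunk.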