thallada/BazaarRealmAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Add auth to delete endpoints

Browse Source
This commit is contained in:
Tyler Hallada
2020-07-30 01:09:29 -04:00
parent 79b45551fd
commit 68b04b4f4c
10 changed files with 136 additions and 25 deletions
Download Patch File Download Diff File Expand all files Collapse all files

27
src/models/interior_ref_list.rs
View File

@@ -8,6 +8,7 @@ use tracing::instrument;
use super::ListParams;
use super::Model;
use crate::problem::forbidden_permission;
// sqlx queries for this model need to be `query_as_unchecked!` because `query_as!` does not
// support user-defined types (`ref_list` Json field).
@@ -31,6 +32,7 @@ pub struct InteriorRef {
pub struct InteriorRefList {
pub id: Option<i32>,
pub shop_id: i32,
pub owner_id: i32,
pub ref_list: Json<Vec<InteriorRef>>,
pub created_at: Option<NaiveDateTime>,
pub updated_at: Option<NaiveDateTime>,
@@ -64,10 +66,11 @@ impl Model for InteriorRefList {
Ok(sqlx::query_as_unchecked!(
Self,
"INSERT INTO interior_ref_lists
(shop_id, ref_list, created_at, updated_at)
VALUES ($1, $2, now(), now())
(shop_id, owner_id, ref_list, created_at, updated_at)
VALUES ($1, $2, $3, now(), now())
RETURNING *",
self.shop_id,
self.owner_id,
self.ref_list,
)
.fetch_one(db)
@@ -75,12 +78,20 @@ impl Model for InteriorRefList {
}
#[instrument(level = "debug", skip(db))]
async fn delete(db: &PgPool, id: i32) -> Result<u64> {
Ok(
sqlx::query!("DELETE FROM interior_ref_lists WHERE id = $1", id)
.execute(db)
.await?,
)
async fn delete(db: &PgPool, owner_id: i32, id: i32) -> Result<u64> {
let interior_ref_list =
sqlx::query!("SELECT owner_id FROM interior_ref_lists WHERE id = $1", id)
.fetch_one(db)
.await?;
if interior_ref_list.owner_id == owner_id {
return Ok(
sqlx::query!("DELETE FROM interior_ref_lists WHERE id = $1", id)
.execute(db)
.await?,
);
} else {
return Err(forbidden_permission());
}
}
#[instrument(level = "debug", skip(db))]

2
src/models/model.rs
View File

@@ -24,6 +24,6 @@ where
}
async fn get(db: &PgPool, id: i32) -> Result<Self>;
async fn save(self, db: &PgPool) -> Result<Self>;
async fn delete(db: &PgPool, id: i32) -> Result<u64>;
async fn delete(db: &PgPool, owner_id: i32, id: i32) -> Result<u64>;
async fn list(db: &PgPool, list_params: ListParams) -> Result<Vec<Self>>;
}

16
src/models/owner.rs
View File

@@ -9,6 +9,7 @@ use uuid::Uuid;
use super::ListParams;
use super::Model;
use crate::problem::forbidden_permission;
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct Owner {
@@ -58,10 +59,17 @@ impl Model for Owner {
}
#[instrument(level = "debug", skip(db))]
async fn delete(db: &PgPool, id: i32) -> Result<u64> {
Ok(sqlx::query!("DELETE FROM owners WHERE id = $1", id)
.execute(db)
.await?)
async fn delete(db: &PgPool, owner_id: i32, id: i32) -> Result<u64> {
let owner = sqlx::query!("SELECT id FROM owners WHERE id = $1", id)
.fetch_one(db)
.await?;
if owner.id == owner_id {
Ok(sqlx::query!("DELETE FROM owners WHERE id = $1", id)
.execute(db)
.await?)
} else {
return Err(forbidden_permission());
}
}
#[instrument(level = "debug", skip(db))]

16
src/models/shop.rs
View File

@@ -7,6 +7,7 @@ use tracing::instrument;
use super::ListParams;
use super::Model;
use crate::problem::forbidden_permission;
#[derive(Debug, Serialize, Deserialize, Clone)]
pub struct Shop {
@@ -63,10 +64,17 @@ impl Model for Shop {
}
#[instrument(level = "debug", skip(db))]
async fn delete(db: &PgPool, id: i32) -> Result<u64> {
Ok(sqlx::query!("DELETE FROM shops WHERE id = $1", id)
.execute(db)
.await?)
async fn delete(db: &PgPool, owner_id: i32, id: i32) -> Result<u64> {
let shop = sqlx::query!("SELECT owner_id FROM shops WHERE id = $1", id)
.fetch_one(db)
.await?;
if shop.owner_id == owner_id {
return Ok(sqlx::query!("DELETE FROM shops WHERE shops.id = $1", id)
.execute(db)
.await?);
} else {
return Err(forbidden_permission());
}
}
#[instrument(level = "debug", skip(db))]