Protect POST, DELETE routes

2019-12-19 13:56:54 +01:00 · 2019-12-19 13:56:54 +01:00 · e94c4b9afa
commit e94c4b9afa
parent 96485fc9f3
7 changed files with 71 additions and 44 deletions
--- a/dist/main.bundle.js
+++ b/dist/main.bundle.js
--- a/dist/styles.css
+++ b/dist/styles.css
@ -15452,8 +15452,15 @@ ul.karmen-related-elements {
 }

 .oef-anchor-selection:target {
-    background: yellow;
+    animation-name: bg-fade-in-fade-out-animation;
+    animation-duration: 2s;
+    animation-timing-function: ease-in-out;
 }

+@keyframes bg-fade-in-fade-out-animation {
+    0%     { background-color:white; }
+    50.0%  { background-color:#f8f9fa; }
+    100.0% { background-color:white; }
+}

 /*# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiIsImZpbGUiOiJzdHlsZXMuY3NzIiwic291cmNlUm9vdCI6IiJ9*/
--- a/handlers/handlers.go
+++ b/handlers/handlers.go
@ -266,49 +266,59 @@ func post(w http.ResponseWriter, r *http.Request, model string, pattern PathPatt
 	if err != nil {
 		respondWithError(w, r, err)
 	} else {
-		data, err = postFn(mux.Vars(r), w, r)
-		if err != nil {
-			respondWithError(w, r, err)
-		} else if pattern.RedirectPattern != "" {
-			if id := mux.Vars(r)["id"]; id != "" {
-				modelId, _ := strconv.Atoi(id)
-				http.Redirect(w, r, pattern.RedirectPath(model, uint(modelId)), http.StatusSeeOther)
-			} else {
-				http.Redirect(w, r, pattern.RedirectPath(model, data.(orm.IDer).GetID()), http.StatusSeeOther)
-			}
-		} else {
-			renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
-		}
+		claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)

+		role := claims["role"].(string)
+		if !hasPermission(role, pattern.Path(model)) {
+			renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
+		} else {
+			data, err = postFn(mux.Vars(r), w, r)
+			if err != nil {
+				respondWithError(w, r, err)
+			} else if pattern.RedirectPattern != "" {
+				if id := mux.Vars(r)["id"]; id != "" {
+					modelId, _ := strconv.Atoi(id)
+					http.Redirect(w, r, pattern.RedirectPath(model, uint(modelId)), http.StatusSeeOther)
+				} else {
+					http.Redirect(w, r, pattern.RedirectPath(model, data.(orm.IDer).GetID()), http.StatusSeeOther)
+				}
+			} else {
+				renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
+			}
+		}
 	}

 }

 func delete(w http.ResponseWriter, r *http.Request, model string, pattern PathPattern) {
-	var (
-		data interface{}
-		err  error
-	)
+	var data interface{}

 	respFormat := renderer.GetContentFormat(r)

-	postFn, err := orm.GetFunc(pattern.Path(model))
-	if err != nil {
-		renderer.Render[r.URL.Query().Get("format")](w, r, err)
-	}
-	data, err = postFn(mux.Vars(r), w, r)
-	if err != nil {
-		renderer.Render["html"](w, r, err)
-	} else if pattern.RedirectPattern != "" {
-		var data struct {
-			RedirectUrl string `json:"redirect_url"`
-		}
-		data.RedirectUrl = pattern.RedirectPath(model)
+	claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)

-		w.Header().Set("Content-Type", "application/json")
-		json.NewEncoder(w).Encode(data)
+	role := claims["role"].(string)
+	if !hasPermission(role, pattern.Path(model)) {
+		renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
 	} else {
-		renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
+		postFn, err := orm.GetFunc(pattern.Path(model))
+		if err != nil {
+			renderer.Render[r.URL.Query().Get("format")](w, r, err)
+		}
+		data, err = postFn(mux.Vars(r), w, r)
+		if err != nil {
+			renderer.Render["html"](w, r, err)
+		} else if pattern.RedirectPattern != "" {
+			var data struct {
+				RedirectUrl string `json:"redirect_url"`
+			}
+			data.RedirectUrl = pattern.RedirectPath(model)
+
+			w.Header().Set("Content-Type", "application/json")
+			json.NewEncoder(w).Encode(data)
+		} else {
+			renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
+		}
 	}
 }

--- a/handlers/role.go
+++ b/handlers/role.go
@ -10,7 +10,6 @@ const (

 var (
 	RolePermissions map[string]map[string][]int = map[string]map[string][]int{
-
 		"administrator": map[string][]int{
 			"Contest":     []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
 			"Participant": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
--- a/orm/contest.go
+++ b/orm/contest.go
@ -24,7 +24,7 @@ type Contest struct {
 	Date      time.Time
 	StartTime time.Time
 	EndTime   time.Time
-	Duration  int // minutes
+	Duration  int // in minutes

 	NumQuestions          int
 	NumAnswersPerQuestion int
@ -59,9 +59,9 @@ func (c *Contest) Create(args map[string]string, w http.ResponseWriter, r *http.
 			r.PostForm.Set("StartTime", time.Time{}.String())
 			r.PostForm.Set("EndTime", time.Time{}.String())
 		} else {
-			r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
-			r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
-			r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+00:00", date, endTime))
+			r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
+			r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
+			r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+01:00", date, endTime))
 		}

 		err = renderer.Decode(contest, r)
@ -139,9 +139,9 @@ func (c *Contest) Update(args map[string]string, w http.ResponseWriter, r *http.
 			r.PostForm.Set("StartTime", time.Time{}.Format(time.RFC3339))
 			r.PostForm.Set("EndTime", time.Time{}.Format(time.RFC3339))
 		} else {
-			r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
-			r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
-			r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+00:00", date, endTime))
+			r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
+			r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
+			r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+01:00", date, endTime))
 		}

 		err = renderer.Decode(contest, r)
@ -178,6 +178,10 @@ func SaveContest(contest interface{}) (interface{}, error) {
 	return contest, nil
 }

+func (c *Contest) isAlwaysActive() bool {
+	return c.StartTime.IsZero() || c.EndTime.IsZero() || c.Duration == 0
+}
+
 func (c *Contest) generateQuestionsOrder() (string, error) {
 	var (
 		order     []string
--- a/orm/response.go
+++ b/orm/response.go
@ -173,7 +173,7 @@ func (model *Response) Update(args map[string]string, w http.ResponseWriter, r *

 		// Write StartTime for the first time if user is a participant

-		if isParticipant(r) && !response.Contest.StartTime.IsZero() && !response.Contest.EndTime.IsZero() {
+		if isParticipant(r) && !response.Contest.isAlwaysActive() {
 			if response.StartTime.IsZero() {
 				if err := DB().Model(&response).Update("start_time", time.Now()).Error; err != nil {
 					return nil, err
--- a/src/style.css
+++ b/src/style.css
@ -103,6 +103,13 @@ ul.karmen-related-elements {
 }

 .oef-anchor-selection:target {
-    background: yellow;
+    animation-name: bg-fade-in-fade-out-animation;
+    animation-duration: 2s;
+    animation-timing-function: ease-in-out;
 }

+@keyframes bg-fade-in-fade-out-animation {
+    0%     { background-color:white; }
+    50.0%  { background-color:#f8f9fa; }
+    100.0% { background-color:white; }
+}