Protect POST, DELETE routes
This commit is contained in:
parent
96485fc9f3
commit
e94c4b9afa
7 changed files with 71 additions and 44 deletions
2
dist/main.bundle.js
vendored
2
dist/main.bundle.js
vendored
9
dist/styles.css
vendored
9
dist/styles.css
vendored
|
@ -15452,8 +15452,15 @@ ul.karmen-related-elements {
|
||||||
}
|
}
|
||||||
|
|
||||||
.oef-anchor-selection:target {
|
.oef-anchor-selection:target {
|
||||||
background: yellow;
|
animation-name: bg-fade-in-fade-out-animation;
|
||||||
|
animation-duration: 2s;
|
||||||
|
animation-timing-function: ease-in-out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@keyframes bg-fade-in-fade-out-animation {
|
||||||
|
0% { background-color:white; }
|
||||||
|
50.0% { background-color:#f8f9fa; }
|
||||||
|
100.0% { background-color:white; }
|
||||||
|
}
|
||||||
|
|
||||||
/*# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiIsImZpbGUiOiJzdHlsZXMuY3NzIiwic291cmNlUm9vdCI6IiJ9*/
|
/*# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiIsImZpbGUiOiJzdHlsZXMuY3NzIiwic291cmNlUm9vdCI6IiJ9*/
|
|
@ -266,49 +266,59 @@ func post(w http.ResponseWriter, r *http.Request, model string, pattern PathPatt
|
||||||
if err != nil {
|
if err != nil {
|
||||||
respondWithError(w, r, err)
|
respondWithError(w, r, err)
|
||||||
} else {
|
} else {
|
||||||
data, err = postFn(mux.Vars(r), w, r)
|
claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)
|
||||||
if err != nil {
|
|
||||||
respondWithError(w, r, err)
|
|
||||||
} else if pattern.RedirectPattern != "" {
|
|
||||||
if id := mux.Vars(r)["id"]; id != "" {
|
|
||||||
modelId, _ := strconv.Atoi(id)
|
|
||||||
http.Redirect(w, r, pattern.RedirectPath(model, uint(modelId)), http.StatusSeeOther)
|
|
||||||
} else {
|
|
||||||
http.Redirect(w, r, pattern.RedirectPath(model, data.(orm.IDer).GetID()), http.StatusSeeOther)
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
|
|
||||||
}
|
|
||||||
|
|
||||||
|
role := claims["role"].(string)
|
||||||
|
if !hasPermission(role, pattern.Path(model)) {
|
||||||
|
renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
|
||||||
|
} else {
|
||||||
|
data, err = postFn(mux.Vars(r), w, r)
|
||||||
|
if err != nil {
|
||||||
|
respondWithError(w, r, err)
|
||||||
|
} else if pattern.RedirectPattern != "" {
|
||||||
|
if id := mux.Vars(r)["id"]; id != "" {
|
||||||
|
modelId, _ := strconv.Atoi(id)
|
||||||
|
http.Redirect(w, r, pattern.RedirectPath(model, uint(modelId)), http.StatusSeeOther)
|
||||||
|
} else {
|
||||||
|
http.Redirect(w, r, pattern.RedirectPath(model, data.(orm.IDer).GetID()), http.StatusSeeOther)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func delete(w http.ResponseWriter, r *http.Request, model string, pattern PathPattern) {
|
func delete(w http.ResponseWriter, r *http.Request, model string, pattern PathPattern) {
|
||||||
var (
|
var data interface{}
|
||||||
data interface{}
|
|
||||||
err error
|
|
||||||
)
|
|
||||||
|
|
||||||
respFormat := renderer.GetContentFormat(r)
|
respFormat := renderer.GetContentFormat(r)
|
||||||
|
|
||||||
postFn, err := orm.GetFunc(pattern.Path(model))
|
claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)
|
||||||
if err != nil {
|
|
||||||
renderer.Render[r.URL.Query().Get("format")](w, r, err)
|
|
||||||
}
|
|
||||||
data, err = postFn(mux.Vars(r), w, r)
|
|
||||||
if err != nil {
|
|
||||||
renderer.Render["html"](w, r, err)
|
|
||||||
} else if pattern.RedirectPattern != "" {
|
|
||||||
var data struct {
|
|
||||||
RedirectUrl string `json:"redirect_url"`
|
|
||||||
}
|
|
||||||
data.RedirectUrl = pattern.RedirectPath(model)
|
|
||||||
|
|
||||||
w.Header().Set("Content-Type", "application/json")
|
role := claims["role"].(string)
|
||||||
json.NewEncoder(w).Encode(data)
|
if !hasPermission(role, pattern.Path(model)) {
|
||||||
|
renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
|
||||||
} else {
|
} else {
|
||||||
renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
|
postFn, err := orm.GetFunc(pattern.Path(model))
|
||||||
|
if err != nil {
|
||||||
|
renderer.Render[r.URL.Query().Get("format")](w, r, err)
|
||||||
|
}
|
||||||
|
data, err = postFn(mux.Vars(r), w, r)
|
||||||
|
if err != nil {
|
||||||
|
renderer.Render["html"](w, r, err)
|
||||||
|
} else if pattern.RedirectPattern != "" {
|
||||||
|
var data struct {
|
||||||
|
RedirectUrl string `json:"redirect_url"`
|
||||||
|
}
|
||||||
|
data.RedirectUrl = pattern.RedirectPath(model)
|
||||||
|
|
||||||
|
w.Header().Set("Content-Type", "application/json")
|
||||||
|
json.NewEncoder(w).Encode(data)
|
||||||
|
} else {
|
||||||
|
renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
|
||||||
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
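Review bot: The new claims lookup `claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)` and `role := claims["role"].(string)` use unchecked type assertions, so a request that reaches post without the JWT middleware having stored a token, or carrying a token whose role claim is absent or not a string, panics the handler instead of being refused; delete repeats the same two lines further down this hunk. The guard should fail closed with the comma-ok form and treat a missing or malformed claim as "no permission". The check also keys only on `pattern.Path(model)`, so if hasPermission (not visible here) does not distinguish create from delete, a role allowed to create a model would also pass delete's guard — worth confirming against RolePermissions. Separately, in delete the `if err != nil` after `orm.GetFunc` renders the error but does not return, so the nil postFn is still called on the next line; this predates the commit but the new code keeps it. The enclosing post function starts before this hunk.
```go
	} else {
		token, ok := r.Context().Value("user").(*jwt.Token)
		var claims jwt.MapClaims
		if ok {
			claims, ok = token.Claims.(jwt.MapClaims)
		}
		role, _ := claims["role"].(string) // "" when absent; a nil map reads as missing
		if !ok || !hasPermission(role, pattern.Path(model)) {
			renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
		} else {
			// … unchanged: postFn call, redirect / render …
		}
	}
```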
@ -10,7 +10,6 @@ const (
|
||||||
|
|
||||||
var (
|
var (
|
||||||
RolePermissions map[string]map[string][]int = map[string]map[string][]int{
|
RolePermissions map[string]map[string][]int = map[string]map[string][]int{
|
||||||
|
|
||||||
"administrator": map[string][]int{
|
"administrator": map[string][]int{
|
||||||
"Contest": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
|
"Contest": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
|
||||||
"Participant": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
|
"Participant": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
|
||||||
|
|
|
@ -24,7 +24,7 @@ type Contest struct {
|
||||||
Date time.Time
|
Date time.Time
|
||||||
StartTime time.Time
|
StartTime time.Time
|
||||||
EndTime time.Time
|
EndTime time.Time
|
||||||
Duration int // minutes
|
Duration int // in minutes
|
||||||
|
|
||||||
NumQuestions int
|
NumQuestions int
|
||||||
NumAnswersPerQuestion int
|
NumAnswersPerQuestion int
|
||||||
|
@ -59,9 +59,9 @@ func (c *Contest) Create(args map[string]string, w http.ResponseWriter, r *http.
|
||||||
r.PostForm.Set("StartTime", time.Time{}.String())
|
r.PostForm.Set("StartTime", time.Time{}.String())
|
||||||
r.PostForm.Set("EndTime", time.Time{}.String())
|
r.PostForm.Set("EndTime", time.Time{}.String())
|
||||||
} else {
|
} else {
|
||||||
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
|
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
|
||||||
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
|
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
|
||||||
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+00:00", date, endTime))
|
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+01:00", date, endTime))
|
||||||
}
|
}
|
||||||
|
|
||||||
err = renderer.Decode(contest, r)
|
err = renderer.Decode(contest, r)
|
||||||
|
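Review bot: The timestamps built at `r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))` and the two StartTime/EndTime lines below it now hard-code a +01:00 offset, which only matches a zone that does not observe daylight saving; during summer time a contest would start and end an hour away from what the organiser entered. The same three lines are changed again in the Update hunk. If the intent is a particular local zone, parsing with `time.ParseInLocation` against a named `*time.Location` rather than appending a literal offset would follow DST; the intended zone is not visible here. The enclosing Create method starts before this hunk.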
@ -139,9 +139,9 @@ func (c *Contest) Update(args map[string]string, w http.ResponseWriter, r *http.
|
||||||
r.PostForm.Set("StartTime", time.Time{}.Format(time.RFC3339))
|
r.PostForm.Set("StartTime", time.Time{}.Format(time.RFC3339))
|
||||||
r.PostForm.Set("EndTime", time.Time{}.Format(time.RFC3339))
|
r.PostForm.Set("EndTime", time.Time{}.Format(time.RFC3339))
|
||||||
} else {
|
} else {
|
||||||
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
|
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
|
||||||
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
|
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
|
||||||
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+00:00", date, endTime))
|
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+01:00", date, endTime))
|
||||||
}
|
}
|
||||||
|
|
||||||
err = renderer.Decode(contest, r)
|
err = renderer.Decode(contest, r)
|
||||||
|
@ -178,6 +178,10 @@ func SaveContest(contest interface{}) (interface{}, error) {
|
||||||
return contest, nil
|
return contest, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func (c *Contest) isAlwaysActive() bool {
|
||||||
|
return c.StartTime.IsZero() || c.EndTime.IsZero() || c.Duration == 0
|
||||||
|
}
|
||||||
|
|
||||||
func (c *Contest) generateQuestionsOrder() (string, error) {
|
func (c *Contest) generateQuestionsOrder() (string, error) {
|
||||||
var (
|
var (
|
||||||
order []string
|
order []string
|
||||||
|
|
|
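Review bot: The new method `func (c *Contest) isAlwaysActive() bool` has no doc comment, and its name hides that a zero Duration also counts as always active, which is what the Response.Update guard now relies on. Suggest `// isAlwaysActive reports whether the contest has no time window: a zero StartTime, a zero EndTime or a zero Duration (minutes) all make it open at any time.` A negative Duration is not covered by the check; whether that should also read as "no window" is worth deciding in the comment.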
@ -173,7 +173,7 @@ func (model *Response) Update(args map[string]string, w http.ResponseWriter, r *
|
||||||
|
|
||||||
// Write StartTime for the first time if user is a participant
|
// Write StartTime for the first time if user is a participant
|
||||||
|
|
||||||
if isParticipant(r) && !response.Contest.StartTime.IsZero() && !response.Contest.EndTime.IsZero() {
|
if isParticipant(r) && !response.Contest.isAlwaysActive() {
|
||||||
if response.StartTime.IsZero() {
|
if response.StartTime.IsZero() {
|
||||||
if err := DB().Model(&response).Update("start_time", time.Now()).Error; err != nil {
|
if err := DB().Model(&response).Update("start_time", time.Now()).Error; err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
|
|
|
@ -103,6 +103,13 @@ ul.karmen-related-elements {
|
||||||
}
|
}
|
||||||
|
|
||||||
.oef-anchor-selection:target {
|
.oef-anchor-selection:target {
|
||||||
background: yellow;
|
animation-name: bg-fade-in-fade-out-animation;
|
||||||
|
animation-duration: 2s;
|
||||||
|
animation-timing-function: ease-in-out;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@keyframes bg-fade-in-fade-out-animation {
|
||||||
|
0% { background-color:white; }
|
||||||
|
50.0% { background-color:#f8f9fa; }
|
||||||
|
100.0% { background-color:white; }
|
||||||
|
}
|
||||||
|
|