Protect POST, DELETE routes

This commit is contained in:
Andrea Fazzi 2019-12-19 13:56:54 +01:00
parent 96485fc9f3
commit e94c4b9afa
7 changed files with 71 additions and 44 deletions

2
dist/main.bundle.js vendored

File diff suppressed because one or more lines are too long

9
dist/styles.css vendored
View file

@ -15452,8 +15452,15 @@ ul.karmen-related-elements {
}
.oef-anchor-selection:target {
background: yellow;
animation-name: bg-fade-in-fade-out-animation;
animation-duration: 2s;
animation-timing-function: ease-in-out;
}
@keyframes bg-fade-in-fade-out-animation {
0% { background-color:white; }
50.0% { background-color:#f8f9fa; }
100.0% { background-color:white; }
}
/*# sourceMappingURL=data:application/json;charset=utf-8;base64,eyJ2ZXJzaW9uIjozLCJzb3VyY2VzIjpbXSwibmFtZXMiOltdLCJtYXBwaW5ncyI6IiIsImZpbGUiOiJzdHlsZXMuY3NzIiwic291cmNlUm9vdCI6IiJ9*/

View file

@ -265,6 +265,12 @@ func post(w http.ResponseWriter, r *http.Request, model string, pattern PathPatt
if err != nil {
respondWithError(w, r, err)
} else {
claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)
role := claims["role"].(string)
if !hasPermission(role, pattern.Path(model)) {
renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
} else {
data, err = postFn(mux.Vars(r), w, r)
if err != nil {
@ -279,19 +285,22 @@ func post(w http.ResponseWriter, r *http.Request, model string, pattern PathPatt
} else {
renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
}
}
}
}
func delete(w http.ResponseWriter, r *http.Request, model string, pattern PathPattern) {
var (
data interface{}
err error
)
var data interface{}
respFormat := renderer.GetContentFormat(r)
claims := r.Context().Value("user").(*jwt.Token).Claims.(jwt.MapClaims)
role := claims["role"].(string)
if !hasPermission(role, pattern.Path(model)) {
renderer.Render[respFormat](w, r, fmt.Errorf("%s", "Errore di autorizzazione"))
} else {
postFn, err := orm.GetFunc(pattern.Path(model))
if err != nil {
renderer.Render[r.URL.Query().Get("format")](w, r, err)
@ -311,6 +320,7 @@ func delete(w http.ResponseWriter, r *http.Request, model string, pattern PathPa
renderer.Render[respFormat](w, r, data.(orm.IDer).GetID())
}
}
}
func respondWithError(w http.ResponseWriter, r *http.Request, err error) {
respFormat := renderer.GetContentFormat(r)

View file

@ -10,7 +10,6 @@ const (
var (
RolePermissions map[string]map[string][]int = map[string]map[string][]int{
"administrator": map[string][]int{
"Contest": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},
"Participant": []int{PermissionCreate, PermissionRead, PermissionReadAll, PermissionUpdate, PermissionDelete},

View file

@ -24,7 +24,7 @@ type Contest struct {
Date time.Time
StartTime time.Time
EndTime time.Time
Duration int // minutes
Duration int // in minutes
NumQuestions int
NumAnswersPerQuestion int
@ -59,9 +59,9 @@ func (c *Contest) Create(args map[string]string, w http.ResponseWriter, r *http.
r.PostForm.Set("StartTime", time.Time{}.String())
r.PostForm.Set("EndTime", time.Time{}.String())
} else {
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+00:00", date, endTime))
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+01:00", date, endTime))
}
err = renderer.Decode(contest, r)
@ -139,9 +139,9 @@ func (c *Contest) Update(args map[string]string, w http.ResponseWriter, r *http.
r.PostForm.Set("StartTime", time.Time{}.Format(time.RFC3339))
r.PostForm.Set("EndTime", time.Time{}.Format(time.RFC3339))
} else {
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+00:00", date, startTime))
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+00:00", date, endTime))
r.PostForm.Set("Date", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
r.PostForm.Set("StartTime", fmt.Sprintf("%sT%s:00+01:00", date, startTime))
r.PostForm.Set("EndTime", fmt.Sprintf("%sT%s:00+01:00", date, endTime))
}
err = renderer.Decode(contest, r)
@ -178,6 +178,10 @@ func SaveContest(contest interface{}) (interface{}, error) {
return contest, nil
}
func (c *Contest) isAlwaysActive() bool {
return c.StartTime.IsZero() || c.EndTime.IsZero() || c.Duration == 0
}
func (c *Contest) generateQuestionsOrder() (string, error) {
var (
order []string

View file

@ -173,7 +173,7 @@ func (model *Response) Update(args map[string]string, w http.ResponseWriter, r *
// Write StartTime for the first time if user is a participant
if isParticipant(r) && !response.Contest.StartTime.IsZero() && !response.Contest.EndTime.IsZero() {
if isParticipant(r) && !response.Contest.isAlwaysActive() {
if response.StartTime.IsZero() {
if err := DB().Model(&response).Update("start_time", time.Now()).Error; err != nil {
return nil, err

View file

@ -103,6 +103,13 @@ ul.karmen-related-elements {
}
.oef-anchor-selection:target {
background: yellow;
animation-name: bg-fade-in-fade-out-animation;
animation-duration: 2s;
animation-timing-function: ease-in-out;
}
@keyframes bg-fade-in-fade-out-animation {
0% { background-color:white; }
50.0% { background-color:#f8f9fa; }
100.0% { background-color:white; }
}