Technical : allow API call by User.Role

fe392b71 · Alexis POYEN · ec271433 · fe392b71 · fe392b71 · fe392b71
Commit fe392b71 authored Apr 07, 2020 by Alexis POYEN
--- a/internal/models/bankAccounts.go
+++ b/internal/models/bankAccounts.go
@@ -13,13 +13,10 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
 	id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/BankAccounts/"))
 	switch method := r.Method; method {
 	case "GET":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			user := d.getLoggedUser(w, r).(UserBanker)
 			if id != 0 {
 				var o BankAccount
 				if err := d.db.Preload("Operations").First(&o, id).Error; err != nil {
@@ -38,7 +35,8 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
 				d.db.Preload("Operations").Where("user_client_id IN (?)", d.db.Table("user_clients").Select("id").Where("user_banker_id = ?", user.ID).QueryExpr()).Find(&o)
 				json.NewEncoder(w).Encode(o)
 			}
-		case UserClient:
+		case "CLIENT":
+			user := d.getLoggedUser(w, r).(UserClient)
 			if id != 0 {
 				var o BankAccount
 				if err := d.db.Preload("Operations").Where("id = ? AND user_client_id = ?", id, user.ID).First(&o).Error; err != nil {
@@ -52,16 +50,13 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
 				json.NewEncoder(w).Encode(o)
 			}
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	case "POST":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			user := d.getLoggedUser(w, r).(UserBanker)
 			var o BankAccount
 			err := json.NewDecoder(r.Body).Decode(&o)
 			if err != nil {
@@ -79,19 +74,16 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
 			} else {
 				http.Error(w, "id of UserClient is missing", http.StatusNotFound)
 			}
-		case UserClient:
+		case "CLIENT":
 			http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	case "DELETE":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			user := d.getLoggedUser(w, r).(UserBanker)
 			if id != 0 {
 				var o BankAccount
 				if err := d.db.First(&o, id).Error; err != nil {
@@ -111,11 +103,9 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
 			} else {
 				http.Error(w, "id is missing", http.StatusNotFound)
 			}
-
-		case UserClient:
-			http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
+		case "CLIENT":
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	default:
 		http.Error(w, "method not allowed", 400)

--- a/internal/models/bankers.go
+++ b/internal/models/bankers.go
@@ -3,7 +3,6 @@ package models
 import (
 	"encoding/json"
 	"net/http"
-	"os"
 	"strconv"
 	"strings"

@@ -14,12 +13,9 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
 	id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
 	switch method := r.Method; method {
 	case "GET":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
 			if id != 0 {
 				var o UserBanker
 				if err := d.db.Preload("UserClients").Where("id = ?", id).First(&o).Error; err != nil {
@@ -32,7 +28,8 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
 				d.db.Preload("UserClients").Find(&o)
 				json.NewEncoder(w).Encode(o)
 			}
-		case UserClient:
+		case "CLIENT":
+			user := d.getLoggedUser(w, r).(UserClient)
 			if id != 0 && int(user.ID) == id {
 				var userClient UserClient
 				if err := d.db.Where("user_id = ?", user.ID).First(&userClient).Error; err != nil {
@@ -49,35 +46,38 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
 				http.Error(w, "You can not access this ressource", http.StatusForbidden)
 			}
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	case "POST":
-		if !auth.IsAllowed(w, r, []string{os.Getenv("ADMIN_ROLE")}) {
-			return
-		}
-		var o UserBanker
-		err := json.NewDecoder(r.Body).Decode(&o)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+		case "CLIENT":
+		default:
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
-		d.db.Create(&o)
+		// var o UserBanker
+		// err := json.NewDecoder(r.Body).Decode(&o)
+		// if err != nil {
+		// 	http.Error(w, err.Error(), http.StatusInternalServerError)
+		// }
+		// d.db.Create(&o)
 	case "DELETE":
-		if !auth.IsAllowed(w, r, []string{os.Getenv("ADMIN_ROLE")}) {
-			return
-		}
-		if id != 0 {
-			var o UserClient
-			d.db.Delete(&o)
-		} else {
-			http.Error(w, "id is missing", http.StatusNotFound)
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+		case "CLIENT":
+		default:
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
+		// if id != 0 {
+		// 	var o UserClient
+		// 	d.db.Delete(&o)
+		// } else {
+		// 	http.Error(w, "id is missing", http.StatusNotFound)
+		// }

 	default:
 		http.Error(w, "method not allowed", 400)
 	}
 }
-
-// Add a Banker in DB
-func (d *DataHandler) AddBanker(userBanker UserBanker) {
-	d.db.Create(&userBanker)
-}
--- a/internal/models/clients.go
+++ b/internal/models/clients.go
@@ -14,12 +14,11 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
 	id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
 	switch method := r.Method; method {
 	case "GET":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			user := d.getLoggedUser(w, r).(UserBanker)
 			if id != 0 {
 				var o UserClient
 				if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
@@ -36,7 +35,8 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
 				d.db.Preload("BankAccounts").Find(&o)
 				json.NewEncoder(w).Encode(o)
 			}
-		case UserClient:
+		case "CLIENT":
+			user := d.getLoggedUser(w, r).(UserClient)
 			if id != 0 && int(user.ID) == id {
 				var o UserClient
 				if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
@@ -53,15 +53,13 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
 				return
 			}
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	case "POST":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			user := d.getLoggedUser(w, r).(UserBanker)
 			var o UserClient
 			err := json.NewDecoder(r.Body).Decode(&o)
 			if err != nil {
@@ -69,19 +67,16 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
 			}
 			o.UserBankerID = user.ID
 			d.db.Create(&o)
-		case UserClient:
+		case "CLIENT":
 			http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	case "DELETE":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-
-		user := d.getLoggedUser(w, r)
-		switch user := user.(type) {
-		case UserBanker:
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			user := d.getLoggedUser(w, r).(UserBanker)
 			if id != 0 {
 				var o UserClient
 				if err := d.db.Where("id = ?", id).First(&o).Error; err != nil {
@@ -99,17 +94,12 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
 			} else {
 				http.Error(w, "id is missing", http.StatusNotFound)
 			}
-		case UserClient:
+		case "CLIENT":
 			http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	default:
 		http.Error(w, "method not allowed", 400)
 	}
 }
-
-// Add a Client in DB
-func (d *DataHandler) AddClient(userClient UserClient) {
-	d.db.Create(&userClient)
-}
--- a/internal/models/operations.go
+++ b/internal/models/operations.go
@@ -14,70 +14,72 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
 	id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/Operations/"))
 	switch method := r.Method; method {
 	case "GET":
-
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-
-		if id != 0 {
-			var o Operation
-			if err := d.db.First(&o, id).Error; err != nil {
-				http.Error(w, "id does not exist", http.StatusNotFound)
-				return
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			if id != 0 {
+				var o Operation
+				if err := d.db.First(&o, id).Error; err != nil {
+					http.Error(w, "id does not exist", http.StatusNotFound)
+					return
+				}
+				json.NewEncoder(w).Encode(o)
+			} else {
+				var o []Operation
+				d.db.Find(&o)
+				json.NewEncoder(w).Encode(o)
 			}
-			json.NewEncoder(w).Encode(o)
-		} else {
-			var o []Operation
-			d.db.Find(&o)
-			json.NewEncoder(w).Encode(o)
+		case "CLIENT":
+		default:
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	case "POST":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
-		}
-
-		var o Operation
-		err := json.NewDecoder(r.Body).Decode(&o)
-		if err != nil {
-			http.Error(w, err.Error(), http.StatusInternalServerError)
-		}
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
+			var o Operation
+			err := json.NewDecoder(r.Body).Decode(&o)
+			if err != nil {
+				http.Error(w, err.Error(), http.StatusInternalServerError)
+			}

-		var debtor BankAccount
-		var creditor BankAccount
-		if err := d.db.First(&debtor, o.Debtor).Error; err == nil {
-			if (debtor.Amount + o.Amount) >= debtor.BankOverdraft {
-				if err := d.db.First(&creditor, o.Creditor).Error; err == nil {
-					// Update BankAccounts
-					debtor.Amount += o.Amount
-					creditor.Amount -= o.Amount
-					d.db.Save(&debtor)
-					d.db.Save(&creditor)
+			var debtor BankAccount
+			var creditor BankAccount
+			if err := d.db.First(&debtor, o.Debtor).Error; err == nil {
+				if (debtor.Amount + o.Amount) >= debtor.BankOverdraft {
+					if err := d.db.First(&creditor, o.Creditor).Error; err == nil {
+						// Update BankAccounts
+						debtor.Amount += o.Amount
+						creditor.Amount -= o.Amount
+						d.db.Save(&debtor)
+						d.db.Save(&creditor)

-					now := time.Now()
-					o.Date = now
-					d.db.Create(&o)
+						now := time.Now()
+						o.Date = now
+						d.db.Create(&o)

-					// Add the operation to creditor
-					op := Operation{
-						Debtor:   o.Creditor,
-						Amount:   -o.Amount,
-						Date:     now,
-						Creditor: o.Debtor,
+						// Add the operation to creditor
+						op := Operation{
+							Debtor:   o.Creditor,
+							Amount:   -o.Amount,
+							Date:     now,
+							Creditor: o.Debtor,
+						}
+						d.db.Create(&op)
 					}
-					d.db.Create(&op)
+				} else {
+					http.Error(w, "Not enough money", http.StatusExpectationFailed)
 				}
-			} else {
-				http.Error(w, "Not enough money", http.StatusExpectationFailed)
 			}
-		}
-	case "DELETE":
-		if !auth.IsAllowed(w, r, []string{"*"}) {
-			return
+		case "CLIENT":
+		default:
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}

-		user := d.getLoggedUser(w, r)
-		switch user.(type) {
-		case UserBanker:
+	case "DELETE":
+		switch auth.GetLoggedUserTechnical(w, r).Role {
+		case "ADMIN":
+		case "BANKER":
 			if id != 0 {
 				var o Operation
 				if err := d.db.First(&o, id).Error; err != nil {
@@ -110,10 +112,10 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
 			} else {
 				http.Error(w, "id is missing", http.StatusNotFound)
 			}
-		case UserClient:
+		case "CLIENT":
 			http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
 		default:
-			http.Error(w, "Could not get logged user", http.StatusInternalServerError)
+			http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
 		}
 	default:
 		http.Error(w, "method not allowed", http.StatusMethodNotAllowed)