Commit fe392b71 authored by Alexis Poyen

Technical: allow API calls by User.Role

parent ec271433
...@@ -13,13 +13,10 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request) ...@@ -13,13 +13,10 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/BankAccounts/")) id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/BankAccounts/"))
switch method := r.Method; method { switch method := r.Method; method {
case "GET": case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
if id != 0 { if id != 0 {
var o BankAccount var o BankAccount
if err := d.db.Preload("Operations").First(&o, id).Error; err != nil { if err := d.db.Preload("Operations").First(&o, id).Error; err != nil {
...@@ -38,7 +35,8 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request) ...@@ -38,7 +35,8 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
d.db.Preload("Operations").Where("user_client_id IN (?)", d.db.Table("user_clients").Select("id").Where("user_banker_id = ?", user.ID).QueryExpr()).Find(&o) d.db.Preload("Operations").Where("user_client_id IN (?)", d.db.Table("user_clients").Select("id").Where("user_banker_id = ?", user.ID).QueryExpr()).Find(&o)
json.NewEncoder(w).Encode(o) json.NewEncoder(w).Encode(o)
} }
case UserClient: case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 { if id != 0 {
var o BankAccount var o BankAccount
if err := d.db.Preload("Operations").Where("id = ? AND user_client_id = ?", id, user.ID).First(&o).Error; err != nil { if err := d.db.Preload("Operations").Where("id = ? AND user_client_id = ?", id, user.ID).First(&o).Error; err != nil {
...@@ -52,16 +50,13 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request) ...@@ -52,16 +50,13 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
json.NewEncoder(w).Encode(o) json.NewEncoder(w).Encode(o)
} }
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
case "POST": case "POST":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
var o BankAccount var o BankAccount
err := json.NewDecoder(r.Body).Decode(&o) err := json.NewDecoder(r.Body).Decode(&o)
if err != nil { if err != nil {
...@@ -79,19 +74,16 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request) ...@@ -79,19 +74,16 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
} else { } else {
http.Error(w, "id of UserClient is missing", http.StatusNotFound) http.Error(w, "id of UserClient is missing", http.StatusNotFound)
} }
case UserClient: case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed) http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
case "DELETE": case "DELETE":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
if id != 0 { if id != 0 {
var o BankAccount var o BankAccount
if err := d.db.First(&o, id).Error; err != nil { if err := d.db.First(&o, id).Error; err != nil {
...@@ -111,11 +103,9 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request) ...@@ -111,11 +103,9 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
} else { } else {
http.Error(w, "id is missing", http.StatusNotFound) http.Error(w, "id is missing", http.StatusNotFound)
} }
case "CLIENT":
case UserClient:
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
default: default:
http.Error(w, "method not allowed", 400) http.Error(w, "method not allowed", 400)
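Review bot: The new `case "ADMIN":` in the GET, POST and DELETE branches is empty, and Go switch cases do not fall through, so an ADMIN request ends the handler without writing anything and the caller receives an empty 200 rather than the banker behaviour or an explicit refusal. If admins are meant to take the BANKER path the case needs a `fallthrough`, but note that the next line asserts the logged user to `UserBanker`, which an admin account may not be; otherwise the case should write a status such as `http.Error(w, "method not allowed", http.StatusMethodNotAllowed)`. The same empty ADMIN case is present in HandleBankers, HandleClients and HandleOperations. With the `IsAllowed` early return gone, a request whose role cannot be resolved now reaches `default` and gets a 500; if `GetLoggedUserTechnical` already writes a response on failure that is a second write, and an authorization failure reads better as 401/403 than as a server error. HandleBankAccounts continues outside the hunk.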
...@@ -3,7 +3,6 @@ package models ...@@ -3,7 +3,6 @@ package models
import ( import (
"encoding/json" "encoding/json"
"net/http" "net/http"
"os"
"strconv" "strconv"
"strings" "strings"
...@@ -14,12 +13,9 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) { ...@@ -14,12 +13,9 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/")) id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
switch method := r.Method; method { switch method := r.Method; method {
case "GET": case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
if id != 0 { if id != 0 {
var o UserBanker var o UserBanker
if err := d.db.Preload("UserClients").Where("id = ?", id).First(&o).Error; err != nil { if err := d.db.Preload("UserClients").Where("id = ?", id).First(&o).Error; err != nil {
...@@ -32,7 +28,8 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) { ...@@ -32,7 +28,8 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
d.db.Preload("UserClients").Find(&o) d.db.Preload("UserClients").Find(&o)
json.NewEncoder(w).Encode(o) json.NewEncoder(w).Encode(o)
} }
case UserClient: case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 && int(user.ID) == id { if id != 0 && int(user.ID) == id {
var userClient UserClient var userClient UserClient
if err := d.db.Where("user_id = ?", user.ID).First(&userClient).Error; err != nil { if err := d.db.Where("user_id = ?", user.ID).First(&userClient).Error; err != nil {
...@@ -49,35 +46,38 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) { ...@@ -49,35 +46,38 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
http.Error(w, "You can not access this ressource", http.StatusForbidden) http.Error(w, "You can not access this ressource", http.StatusForbidden)
} }
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
case "POST": case "POST":
if !auth.IsAllowed(w, r, []string{os.Getenv("ADMIN_ROLE")}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
var o UserBanker case "CLIENT":
err := json.NewDecoder(r.Body).Decode(&o) default:
if err != nil { http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
http.Error(w, err.Error(), http.StatusInternalServerError)
} }
d.db.Create(&o) // var o UserBanker
// err := json.NewDecoder(r.Body).Decode(&o)
// if err != nil {
// http.Error(w, err.Error(), http.StatusInternalServerError)
// }
// d.db.Create(&o)
case "DELETE": case "DELETE":
if !auth.IsAllowed(w, r, []string{os.Getenv("ADMIN_ROLE")}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
if id != 0 { case "CLIENT":
var o UserClient default:
d.db.Delete(&o) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
} }
// if id != 0 {
// var o UserClient
// d.db.Delete(&o)
// } else {
// http.Error(w, "id is missing", http.StatusNotFound)
// }
default: default:
http.Error(w, "method not allowed", 400) http.Error(w, "method not allowed", 400)
} }
} }
// Add a Banker in DB
func (d *DataHandler) AddBanker(userBanker UserBanker) {
d.db.Create(&userBanker)
}
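Review bot: In the POST and DELETE branches every role case is now empty and the former bodies are left as commented-out code, so any authenticated user posting to or deleting from this endpoint gets an empty 200 while nothing happens; before the change both methods were gated on `ADMIN_ROLE`. Either drop the commented lines and answer each case with `http.Error(w, "method not allowed", http.StatusMethodNotAllowed)` until the feature is back, or reinstate the body under the intended role. `AddBanker` discards the error from `d.db.Create`; returning it, `return d.db.Create(&userBanker).Error`, lets the caller notice a failed insert, and the doc comment should start with the name, e.g. `// AddBanker inserts userBanker into the database.` The same applies to `AddClient` in HandleClients.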
...@@ -14,12 +14,11 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) { ...@@ -14,12 +14,11 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/")) id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
switch method := r.Method; method { switch method := r.Method; method {
case "GET": case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) {
return switch auth.GetLoggedUserTechnical(w, r).Role {
} case "ADMIN":
user := d.getLoggedUser(w, r) case "BANKER":
switch user := user.(type) { user := d.getLoggedUser(w, r).(UserBanker)
case UserBanker:
if id != 0 { if id != 0 {
var o UserClient var o UserClient
if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil { if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
...@@ -36,7 +35,8 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) { ...@@ -36,7 +35,8 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
d.db.Preload("BankAccounts").Find(&o) d.db.Preload("BankAccounts").Find(&o)
json.NewEncoder(w).Encode(o) json.NewEncoder(w).Encode(o)
} }
case UserClient: case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 && int(user.ID) == id { if id != 0 && int(user.ID) == id {
var o UserClient var o UserClient
if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil { if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
...@@ -53,15 +53,13 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) { ...@@ -53,15 +53,13 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
return return
} }
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
case "POST": case "POST":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
user := d.getLoggedUser(w, r) user := d.getLoggedUser(w, r).(UserBanker)
switch user := user.(type) {
case UserBanker:
var o UserClient var o UserClient
err := json.NewDecoder(r.Body).Decode(&o) err := json.NewDecoder(r.Body).Decode(&o)
if err != nil { if err != nil {
...@@ -69,19 +67,16 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) { ...@@ -69,19 +67,16 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
} }
o.UserBankerID = user.ID o.UserBankerID = user.ID
d.db.Create(&o) d.db.Create(&o)
case UserClient: case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed) http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
case "DELETE": case "DELETE":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
if id != 0 { if id != 0 {
var o UserClient var o UserClient
if err := d.db.Where("id = ?", id).First(&o).Error; err != nil { if err := d.db.Where("id = ?", id).First(&o).Error; err != nil {
...@@ -99,17 +94,12 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) { ...@@ -99,17 +94,12 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
} else { } else {
http.Error(w, "id is missing", http.StatusNotFound) http.Error(w, "id is missing", http.StatusNotFound)
} }
case UserClient: case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed) http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
default: default:
http.Error(w, "method not allowed", 400) http.Error(w, "method not allowed", 400)
} }
} }
// Add a Client in DB
func (d *DataHandler) AddClient(userClient UserClient) {
d.db.Create(&userClient)
}
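Review bot: `user := d.getLoggedUser(w, r).(UserBanker)` in the GET, POST and DELETE branches is an unchecked type assertion: the role string and the concrete user type come from two separate lookups, and if `getLoggedUser` returns anything other than a `UserBanker` (a nil interface after a failed lookup, or an account of another type) the assertion panics inside the handler. Use the two-value form, `user, ok := d.getLoggedUser(w, r).(UserBanker)`, followed by `if !ok { http.Error(w, "Could not get logged user", http.StatusInternalServerError); return }`. The same pattern appears in HandleBankAccounts and in the CLIENT branch of HandleBankers. `AddClient` ignores the `d.db.Create` error in the same way as `AddBanker`; returning `d.db.Create(&userClient).Error` would surface a failed insert.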
...@@ -14,70 +14,72 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) { ...@@ -14,70 +14,72 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/Operations/")) id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/Operations/"))
switch method := r.Method; method { switch method := r.Method; method {
case "GET": case "GET":
switch auth.GetLoggedUserTechnical(w, r).Role {
if !auth.IsAllowed(w, r, []string{"*"}) { case "ADMIN":
return case "BANKER":
} if id != 0 {
var o Operation
if id != 0 { if err := d.db.First(&o, id).Error; err != nil {
var o Operation http.Error(w, "id does not exist", http.StatusNotFound)
if err := d.db.First(&o, id).Error; err != nil { return
http.Error(w, "id does not exist", http.StatusNotFound) }
return json.NewEncoder(w).Encode(o)
} else {
var o []Operation
d.db.Find(&o)
json.NewEncoder(w).Encode(o)
} }
json.NewEncoder(w).Encode(o) case "CLIENT":
} else { default:
var o []Operation http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
d.db.Find(&o)
json.NewEncoder(w).Encode(o)
} }
case "POST": case "POST":
if !auth.IsAllowed(w, r, []string{"*"}) { switch auth.GetLoggedUserTechnical(w, r).Role {
return case "ADMIN":
} case "BANKER":
var o Operation
var o Operation err := json.NewDecoder(r.Body).Decode(&o)
err := json.NewDecoder(r.Body).Decode(&o) if err != nil {
if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError)
http.Error(w, err.Error(), http.StatusInternalServerError) }
}
var debtor BankAccount var debtor BankAccount
var creditor BankAccount var creditor BankAccount
if err := d.db.First(&debtor, o.Debtor).Error; err == nil { if err := d.db.First(&debtor, o.Debtor).Error; err == nil {
if (debtor.Amount + o.Amount) >= debtor.BankOverdraft { if (debtor.Amount + o.Amount) >= debtor.BankOverdraft {
if err := d.db.First(&creditor, o.Creditor).Error; err == nil { if err := d.db.First(&creditor, o.Creditor).Error; err == nil {
// Update BankAccounts // Update BankAccounts
debtor.Amount += o.Amount debtor.Amount += o.Amount
creditor.Amount -= o.Amount creditor.Amount -= o.Amount
d.db.Save(&debtor) d.db.Save(&debtor)
d.db.Save(&creditor) d.db.Save(&creditor)
now := time.Now() now := time.Now()
o.Date = now o.Date = now
d.db.Create(&o) d.db.Create(&o)
// Add the operation to creditor // Add the operation to creditor
op := Operation{ op := Operation{
Debtor: o.Creditor, Debtor: o.Creditor,
Amount: -o.Amount, Amount: -o.Amount,
Date: now, Date: now,
Creditor: o.Debtor, Creditor: o.Debtor,
}
d.db.Create(&op)
} }
d.db.Create(&op) } else {
http.Error(w, "Not enough money", http.StatusExpectationFailed)
} }
} else {
http.Error(w, "Not enough money", http.StatusExpectationFailed)
} }
} case "CLIENT":
case "DELETE": default:
if !auth.IsAllowed(w, r, []string{"*"}) { http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
return
} }
user := d.getLoggedUser(w, r) case "DELETE":
switch user.(type) { switch auth.GetLoggedUserTechnical(w, r).Role {
case UserBanker: case "ADMIN":
case "BANKER":
if id != 0 { if id != 0 {
var o Operation var o Operation
if err := d.db.First(&o, id).Error; err != nil { if err := d.db.First(&o, id).Error; err != nil {
...@@ -110,10 +112,10 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) { ...@@ -110,10 +112,10 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
} else { } else {
http.Error(w, "id is missing", http.StatusNotFound) http.Error(w, "id is missing", http.StatusNotFound)
} }
case UserClient: case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed) http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default: default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError) http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
} }
default: default:
http.Error(w, "method not allowed", http.StatusMethodNotAllowed) http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
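Review bot: On the GET and POST paths `case "CLIENT":` is empty, so a client fetching or creating an operation gets an empty 200 with no body, whereas the DELETE path answers the same role with an explicit 405; the three should agree, either by copying the DELETE case's `http.Error(...)` or by serving the client's own operations. In POST the `Decode(&o)` failure writes a 500 but does not `return`, so a malformed body continues into the debtor lookup with a zero-valued `Operation`; add `return` after that `http.Error`. The two `Save` calls and the two `Create` calls also run with no error checks and outside a transaction, so a failure midway leaves the account balances and the operation log inconsistent — worth wrapping in a transaction, or at least checking each `.Error`. HandleOperations continues outside the hunk.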