Commit fe392b71 authored by Alexis POYEN's avatar Alexis POYEN

Technical : allow API call by User.Role

parent ec271433
......@@ -13,13 +13,10 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/BankAccounts/"))
switch method := r.Method; method {
case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
var o BankAccount
if err := d.db.Preload("Operations").First(&o, id).Error; err != nil {
......@@ -38,7 +35,8 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
d.db.Preload("Operations").Where("user_client_id IN (?)", d.db.Table("user_clients").Select("id").Where("user_banker_id = ?", user.ID).QueryExpr()).Find(&o)
json.NewEncoder(w).Encode(o)
}
case UserClient:
case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 {
var o BankAccount
if err := d.db.Preload("Operations").Where("id = ? AND user_client_id = ?", id, user.ID).First(&o).Error; err != nil {
......@@ -52,16 +50,13 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
json.NewEncoder(w).Encode(o)
}
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "POST":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
var o BankAccount
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
......@@ -79,19 +74,16 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
} else {
http.Error(w, "id of UserClient is missing", http.StatusNotFound)
}
case UserClient:
case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "DELETE":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
var o BankAccount
if err := d.db.First(&o, id).Error; err != nil {
......@@ -111,11 +103,9 @@ func (d *DataHandler) HandleBankAccounts(w http.ResponseWriter, r *http.Request)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case UserClient:
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
case "CLIENT":
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
default:
http.Error(w, "method not allowed", 400)
......
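Review bot: The empty `case "ADMIN":` bodies at the GET, POST and DELETE role switches (the lines just before each `case "BANKER":`) do not fall through in Go, so an ADMIN request completes the switch without doing anything and the caller receives an empty 200 response; the same pattern appears in HandleBankers, HandleClients and HandleOperations in this commit. If ADMIN is meant to take the BANKER path, combine the cases, `case "ADMIN", "BANKER":`, or add an explicit `fallthrough`. The empty `case "CLIENT":` in the DELETE branch likewise turns the former 405 into a silent success, and keeping the `http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)` line there would be safer. With `auth.IsAllowed` removed, authentication now rests entirely on what `GetLoggedUserTechnical` returns, which is not visible here; if it yields a zero value for an unauthenticated caller, the `default` branch answers 500 where 401 would be the accurate status. HandleBankAccounts starts and ends outside the visible hunks.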
......@@ -3,7 +3,6 @@ package models
import (
"encoding/json"
"net/http"
"os"
"strconv"
"strings"
......@@ -14,12 +13,9 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
switch method := r.Method; method {
case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
if id != 0 {
var o UserBanker
if err := d.db.Preload("UserClients").Where("id = ?", id).First(&o).Error; err != nil {
......@@ -32,7 +28,8 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
d.db.Preload("UserClients").Find(&o)
json.NewEncoder(w).Encode(o)
}
case UserClient:
case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 && int(user.ID) == id {
var userClient UserClient
if err := d.db.Where("user_id = ?", user.ID).First(&userClient).Error; err != nil {
......@@ -49,35 +46,38 @@ func (d *DataHandler) HandleBankers(w http.ResponseWriter, r *http.Request) {
http.Error(w, "You can not access this ressource", http.StatusForbidden)
}
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "POST":
if !auth.IsAllowed(w, r, []string{os.Getenv("ADMIN_ROLE")}) {
return
}
var o UserBanker
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "CLIENT":
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
d.db.Create(&o)
// var o UserBanker
// err := json.NewDecoder(r.Body).Decode(&o)
// if err != nil {
// http.Error(w, err.Error(), http.StatusInternalServerError)
// }
// d.db.Create(&o)
case "DELETE":
if !auth.IsAllowed(w, r, []string{os.Getenv("ADMIN_ROLE")}) {
return
}
if id != 0 {
var o UserClient
d.db.Delete(&o)
} else {
http.Error(w, "id is missing", http.StatusNotFound)
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
case "CLIENT":
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
// if id != 0 {
// var o UserClient
// d.db.Delete(&o)
// } else {
// http.Error(w, "id is missing", http.StatusNotFound)
// }
default:
http.Error(w, "method not allowed", 400)
}
}
// Add a Banker in DB
func (d *DataHandler) AddBanker(userBanker UserBanker) {
d.db.Create(&userBanker)
}
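Review bot: The POST and DELETE branches now consist of a role switch whose ADMIN, BANKER and CLIENT cases are all empty, with the former create and delete code commented out, so every authenticated role gets a 200 with no body and nothing persisted. If these endpoints are intentionally disabled while they are reworked, answer explicitly, e.g. `http.Error(w, "not implemented", http.StatusNotImplemented)`, rather than reporting success; otherwise restore the bodies under the intended case. The previous gate compared against `os.Getenv("ADMIN_ROLE")` while the new switch hardcodes `"ADMIN"`, so it is worth confirming that the role values issued by the auth package match these literals, since a mismatch would route every caller to the 500 `default`. The GET branch's `case "ADMIN":` is empty as well, so an admin gets no data from this endpoint.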
......@@ -14,12 +14,11 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/UserClients/"))
switch method := r.Method; method {
case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
var o UserClient
if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
......@@ -36,7 +35,8 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
d.db.Preload("BankAccounts").Find(&o)
json.NewEncoder(w).Encode(o)
}
case UserClient:
case "CLIENT":
user := d.getLoggedUser(w, r).(UserClient)
if id != 0 && int(user.ID) == id {
var o UserClient
if err := d.db.Preload("BankAccounts").Where("id = ?", id).First(&o).Error; err != nil {
......@@ -53,15 +53,13 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
return
}
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "POST":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
var o UserClient
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
......@@ -69,19 +67,16 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
}
o.UserBankerID = user.ID
d.db.Create(&o)
case UserClient:
case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "DELETE":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
user := d.getLoggedUser(w, r)
switch user := user.(type) {
case UserBanker:
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
user := d.getLoggedUser(w, r).(UserBanker)
if id != 0 {
var o UserClient
if err := d.db.Where("id = ?", id).First(&o).Error; err != nil {
......@@ -99,17 +94,12 @@ func (d *DataHandler) HandleClients(w http.ResponseWriter, r *http.Request) {
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case UserClient:
case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
default:
http.Error(w, "method not allowed", 400)
}
}
// Add a Client in DB
func (d *DataHandler) AddClient(userClient UserClient) {
d.db.Create(&userClient)
}
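Review bot: The unchecked type assertions `user := d.getLoggedUser(w, r).(UserBanker)` and `user := d.getLoggedUser(w, r).(UserClient)` in the GET, POST and DELETE branches panic if getLoggedUser returns a different dynamic type or nil, a case the replaced type switch handled through its `default` arm; the same assertions appear in HandleBankAccounts and HandleBankers in this commit. Whether getLoggedUser can return nil (for instance after writing its own error) is not visible here, but the role string and the stored user type are now checked independently, so a mismatch is no longer impossible. Use the comma-ok form and bail out: `user, ok := d.getLoggedUser(w, r).(UserBanker)` followed by `if !ok { http.Error(w, "Could not get logged user", http.StatusInternalServerError); return }`. HandleClients starts outside the visible hunks.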
......@@ -14,70 +14,72 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
id, _ := strconv.Atoi(strings.TrimPrefix(r.URL.Path, "/api/Operations/"))
switch method := r.Method; method {
case "GET":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
if id != 0 {
var o Operation
if err := d.db.First(&o, id).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
if id != 0 {
var o Operation
if err := d.db.First(&o, id).Error; err != nil {
http.Error(w, "id does not exist", http.StatusNotFound)
return
}
json.NewEncoder(w).Encode(o)
} else {
var o []Operation
d.db.Find(&o)
json.NewEncoder(w).Encode(o)
}
json.NewEncoder(w).Encode(o)
} else {
var o []Operation
d.db.Find(&o)
json.NewEncoder(w).Encode(o)
case "CLIENT":
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
case "POST":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
}
var o Operation
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
var o Operation
err := json.NewDecoder(r.Body).Decode(&o)
if err != nil {
http.Error(w, err.Error(), http.StatusInternalServerError)
}
var debtor BankAccount
var creditor BankAccount
if err := d.db.First(&debtor, o.Debtor).Error; err == nil {
if (debtor.Amount + o.Amount) >= debtor.BankOverdraft {
if err := d.db.First(&creditor, o.Creditor).Error; err == nil {
// Update BankAccounts
debtor.Amount += o.Amount
creditor.Amount -= o.Amount
d.db.Save(&debtor)
d.db.Save(&creditor)
var debtor BankAccount
var creditor BankAccount
if err := d.db.First(&debtor, o.Debtor).Error; err == nil {
if (debtor.Amount + o.Amount) >= debtor.BankOverdraft {
if err := d.db.First(&creditor, o.Creditor).Error; err == nil {
// Update BankAccounts
debtor.Amount += o.Amount
creditor.Amount -= o.Amount
d.db.Save(&debtor)
d.db.Save(&creditor)
now := time.Now()
o.Date = now
d.db.Create(&o)
now := time.Now()
o.Date = now
d.db.Create(&o)
// Add the operation to creditor
op := Operation{
Debtor: o.Creditor,
Amount: -o.Amount,
Date: now,
Creditor: o.Debtor,
// Add the operation to creditor
op := Operation{
Debtor: o.Creditor,
Amount: -o.Amount,
Date: now,
Creditor: o.Debtor,
}
d.db.Create(&op)
}
d.db.Create(&op)
} else {
http.Error(w, "Not enough money", http.StatusExpectationFailed)
}
} else {
http.Error(w, "Not enough money", http.StatusExpectationFailed)
}
}
case "DELETE":
if !auth.IsAllowed(w, r, []string{"*"}) {
return
case "CLIENT":
default:
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
user := d.getLoggedUser(w, r)
switch user.(type) {
case UserBanker:
case "DELETE":
switch auth.GetLoggedUserTechnical(w, r).Role {
case "ADMIN":
case "BANKER":
if id != 0 {
var o Operation
if err := d.db.First(&o, id).Error; err != nil {
......@@ -110,10 +112,10 @@ func (d *DataHandler) HandleOperations(w http.ResponseWriter, r *http.Request) {
} else {
http.Error(w, "id is missing", http.StatusNotFound)
}
case UserClient:
case "CLIENT":
http.Error(w, "You're not authorize to execute this method on this ressource.", http.StatusMethodNotAllowed)
default:
http.Error(w, "Could not get logged user", http.StatusInternalServerError)
http.Error(w, "Could not get role of logged user", http.StatusInternalServerError)
}
default:
http.Error(w, "method not allowed", http.StatusMethodNotAllowed)
......
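Review bot: In the POST branch the decode failure at `http.Error(w, err.Error(), http.StatusInternalServerError)` is not followed by a `return`, so the handler continues with a zero-valued Operation into the debtor and creditor lookups and possibly the `Save` and `Create` calls; add `return` after that `http.Error` line. Echoing the decoder's error text to the client also exposes parsing internals, and a generic `http.Error(w, "invalid request body", http.StatusBadRequest)` is the more accurate status. The empty `case "CLIENT":` in GET and POST answers with a bare 200 where the old code let any authenticated caller read operations, so an explicit `http.StatusForbidden` there would make the new restriction visible instead of silent. The two `Save` calls and two `Create` calls are not wrapped in one transaction, which predates this change but means a failure midway leaves balances and the ledger inconsistent.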