Limit `users` query to admins only

author: Santo Cariotti <santo@dcariotti.me> 2024-09-03 12:36:24 +0200
committer: Santo Cariotti <santo@dcariotti.me> 2024-09-03 12:36:24 +0200
commit: 739cd1ba90bc0411c7d4d48943f84f19db6aced2 (patch)
tree: 6542a722510dd2afefd5c27533c2231e8078e411 /src/graphql
parent: 1aab73450987ebdaa813265b6911b4ce8134a788 (diff)
1 files changed, 9 insertions, 1 deletions
diff --git a/src/graphql/types/user.rs b/src/graphql/types/user.rs
index 85f559e..69ffc38 100644
--- a/src/graphql/types/user.rs
+++ b/src/graphql/types/user.rs
@@ -57,7 +57,15 @@ pub async fn get_users<'ctx>(
     let auth: &Authentication = ctx.data().unwrap();
     match auth {
         Authentication::NotLogged => Err("Unauthorized".to_string()),
-        Authentication::Logged(_claims) => {
+        Authentication::Logged(claims) => {
+            let claim_user = find_user(client, claims.user_id)
+                .await
+                .expect("Should not be here");
+
+            if !claim_user.is_admin {
+                return Err("Unauthorized".to_string());
+            }
+
             let rows = client
                 .query(
                     "SELECT id, email, password, name, address, is_admin FROM users LIMIT $1 OFFSET $2",
author	Santo Cariotti <santo@dcariotti.me>	2024-09-03 12:36:24 +0200
committer	Santo Cariotti <santo@dcariotti.me>	2024-09-03 12:36:24 +0200
commit	739cd1ba90bc0411c7d4d48943f84f19db6aced2 (patch)
tree	6542a722510dd2afefd5c27533c2231e8078e411 /src/graphql
parent	1aab73450987ebdaa813265b6911b4ce8134a788 (diff)