From 739cd1ba90bc0411c7d4d48943f84f19db6aced2 Mon Sep 17 00:00:00 2001
From: Santo Cariotti <santo@dcariotti.me>
Date: Tue, 3 Sep 2024 12:36:24 +0200
Subject: Limit `users` query to admins only

---
 src/graphql/types/user.rs | 10 +++++++++-
 1 file changed, 9 insertions(+), 1 deletion(-)


diff --git a/src/graphql/types/user.rs b/src/graphql/types/user.rs
index 85f559e..69ffc38 100644
--- a/src/graphql/types/user.rs
+++ b/src/graphql/types/user.rs
@@ -57,7 +57,15 @@ pub async fn get_users<'ctx>(
     let auth: &Authentication = ctx.data().unwrap();
     match auth {
         Authentication::NotLogged => Err("Unauthorized".to_string()),
-        Authentication::Logged(_claims) => {
+        Authentication::Logged(claims) => {
+            let claim_user = find_user(client, claims.user_id)
+                .await
+                .expect("Should not be here");
+
+            if !claim_user.is_admin {
+                return Err("Unauthorized".to_string());
+            }
+
             let rows = client
                 .query(
                     "SELECT id, email, password, name, address, is_admin FROM users LIMIT $1 OFFSET $2",
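Review bot: The `.expect("Should not be here")` on the new `find_user` lookup in the `Logged` arm turns a failed lookup into a panic inside the request handler, so a token whose user row has since been deleted, or a transient database error, aborts the handler instead of denying the request. Since this lookup is now the authorization gate for the `users` query it should fail closed by returning the same error the other branches use, e.g. `let Ok(claim_user) = find_user(client, claims.user_id).await else {` / `    return Err("Unauthorized".to_string());` / `};` (adjust the pattern to `Some(..)` if `find_user` returns an `Option`, which the hunk does not show). Reusing the same `"Unauthorized"` string for not-logged, missing-user and non-admin cases is a good choice since it does not tell the caller which check failed. The enclosing `get_users` function starts before the hunk and its body continues past it.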
-- 