Diffstat (limited to 'server/src/routes')
-rw-r--r-- | server/src/routes/user.rs | 24 |
1 files changed, 19 insertions, 5 deletions
diff --git a/server/src/routes/user.rs b/server/src/routes/user.rs
index d0aa056..d5a09e2 100644
--- a/server/src/routes/user.rs
+++ b/server/src/routes/user.rs
@@ -3,13 +3,13 @@ use crate::models::{
     auth::Claims,
     user::{User, UserList},
 };
-use axum::{routing::get, Json, Router};
+use axum::{extract::Path, routing::get, Json, Router};
 
 /// Create routes for `/v1/users/` namespace
 pub fn create_route() -> Router {
     Router::new()
         .route("/", get(list_users))
-        .route("/me", get(get_user))
+        .route("/:id", get(get_user))
 }
 
 /// List users. Checks Authorization token
@@ -19,9 +19,23 @@ async fn list_users(_: Claims) -> Result<Json<Vec<UserList>>, AppError> {
     Ok(Json(users))
 }
 
-/// Get the user from the `Authorization` header token
-async fn get_user(claims: Claims) -> Result<Json<UserList>, AppError> {
-    match User::find_by_id(claims.user_id).await {
+/// Search an user by `user_id`. It works only if the user passed by `Authorization` token is the
+/// same of the url or a staffer.
+async fn get_user(Path(user_id): Path<i32>, claims: Claims) -> Result<Json<UserList>, AppError> {
+    let claimed = match User::find_by_id(claims.user_id).await {
+        Ok(user) => user,
+        Err(_) => {
+            return Err(AppError::NotFound("User not found".to_string()));
+        }
+    };
+
+    if user_id != claimed.id {
+        if !(claimed.is_staff.unwrap()) {
+            return Err(AppError::Unauthorized);
+        }
+    }
+
+    match User::find_by_id(user_id).await {
         Ok(user) => Ok(Json(user)),
         Err(_) => Err(AppError::NotFound("User not found".to_string())),
     } |
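Review bot: Replacing `.route("/me", get(get_user))` with `.route("/:id", get(get_user))` removes the self-lookup endpoint rather than adding to it, so a client that still calls `/v1/users/me` now reaches the `Path<i32>` extractor, which rejects the non-numeric segment with a client error instead of returning the caller's own record. If existing clients depend on `/me`, keep it registered next to `/:id` and point it at a handler that resolves `claims.user_id`; if the removal is intended, say so in the route doc, e.g. `/// Routes under the users namespace: "/" lists users, "/:id" fetches one user by numeric id (the old "/me" alias is gone).`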
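Review bot: `claimed.is_staff.unwrap()` panics when `is_staff` is `None`, so a non-staff caller whose row carries no staff flag aborts the request with a panic rather than a clean error response simply by asking for another user's id; an authorization guard should fail closed instead. Collapse the nested `if` and treat a missing flag as non-staff: `if user_id != claimed.id && !claimed.is_staff.unwrap_or(false) {` / `    return Err(AppError::Unauthorized);` / `}`. Two smaller points: mapping every failure of the token-holder lookup to `NotFound("User not found")` also hides database errors behind a not-found response, so if `AppError` can express a server-side failure the non-missing case should be propagated or logged; and when `user_id == claimed.id` the second `User::find_by_id` re-fetches the row already held in `claimed`. The closing brace of `get_user` lies outside the hunk.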