Diffstat (limited to 'server/src/routes')
-rw-r--r--server/src/routes/user.rs24
1 files changed, 19 insertions, 5 deletions
diff --git a/server/src/routes/user.rs b/server/src/routes/user.rs
index d0aa056..d5a09e2 100644
--- a/server/src/routes/user.rs
+++ b/server/src/routes/user.rs
@@ -3,13 +3,13 @@ use crate::models::{
auth::Claims,
user::{User, UserList},
};
-use axum::{routing::get, Json, Router};
+use axum::{extract::Path, routing::get, Json, Router};
/// Create routes for `/v1/users/` namespace
pub fn create_route() -> Router {
Router::new()
.route("/", get(list_users))
- .route("/me", get(get_user))
+ .route("/:id", get(get_user))
}
/// List users. Checks Authorization token
@@ -19,9 +19,23 @@ async fn list_users(_: Claims) -> Result<Json<Vec<UserList>>, AppError> {
Ok(Json(users))
}
-/// Get the user from the `Authorization` header token
-async fn get_user(claims: Claims) -> Result<Json<UserList>, AppError> {
- match User::find_by_id(claims.user_id).await {
+/// Search an user by `user_id`. It works only if the user passed by `Authorization` token is the
+/// same of the url or a staffer.
+async fn get_user(Path(user_id): Path<i32>, claims: Claims) -> Result<Json<UserList>, AppError> {
+ let claimed = match User::find_by_id(claims.user_id).await {
+ Ok(user) => user,
+ Err(_) => {
+ return Err(AppError::NotFound("User not found".to_string()));
+ }
+ };
+
+ if user_id != claimed.id {
+ if !(claimed.is_staff.unwrap()) {
+ return Err(AppError::Unauthorized);
+ }
+ }
+
+ match User::find_by_id(user_id).await {
Ok(user) => Ok(Json(user)),
Err(_) => Err(AppError::NotFound("User not found".to_string())),
}
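Review bot: `claimed.is_staff.unwrap()` in the new authorization check panics whenever `is_staff` is `None`, so a user row without a staff flag turns an access decision into an aborted request instead of a denial; the field is evidently an `Option`, and the safe default is to treat a missing value as non-staff: `if user_id != claimed.id && !claimed.is_staff.unwrap_or(false) {` (this also collapses the two nested `if`s that clippy's `collapsible_if` would flag). Doing the ownership/staff check before the second `find_by_id` is the right order, since a non-staff caller learns nothing about whether another `user_id` exists. The failed lookup of the caller's own row is reported as `NotFound("User not found")`; that row is the token's subject rather than the requested resource, so `AppError::Unauthorized` may be the more accurate response, though that depends on how `Claims` is validated upstream, which is not visible here. The doc comment could state the rule directly, e.g. `/// Returns `AppError::Unauthorized` unless the token's user is `user_id` or a staffer.`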