1 files changed, 19 insertions, 5 deletions

diff --git a/server/src/routes/user.rs b/server/src/routes/user.rs
index d0aa056..d5a09e2 100644
--- a/server/src/routes/user.rs
+++ b/server/src/routes/user.rs
@@ -3,13 +3,13 @@ use crate::models::{
     auth::Claims,
     user::{User, UserList},
 };
-use axum::{routing::get, Json, Router};
+use axum::{extract::Path, routing::get, Json, Router};
 
 /// Create routes for `/v1/users/` namespace
 pub fn create_route() -> Router {
     Router::new()
         .route("/", get(list_users))
-        .route("/me", get(get_user))
+        .route("/:id", get(get_user))
 }
 
 /// List users. Checks Authorization token
@@ -19,9 +19,23 @@ async fn list_users(_: Claims) -> Result<Json<Vec<UserList>>, AppError> {
     Ok(Json(users))
 }
 
-/// Get the user from the `Authorization` header token
-async fn get_user(claims: Claims) -> Result<Json<UserList>, AppError> {
-    match User::find_by_id(claims.user_id).await {
+/// Search an user by `user_id`. It works only if the user passed by `Authorization` token is the
+/// same of the url or a staffer.
+async fn get_user(Path(user_id): Path<i32>, claims: Claims) -> Result<Json<UserList>, AppError> {
+    let claimed = match User::find_by_id(claims.user_id).await {
+        Ok(user) => user,
+        Err(_) => {
+            return Err(AppError::NotFound("User not found".to_string()));
+        }
+    };
+
+    if user_id != claimed.id {
+        if !(claimed.is_staff.unwrap()) {
+            return Err(AppError::Unauthorized);
+        }
+    }
+
+    match User::find_by_id(user_id).await {
         Ok(user) => Ok(Json(user)),
         Err(_) => Err(AppError::NotFound("User not found".to_string())),
     }