From 4371ba5f0916147e8d60237d1e2fbb6a1fdf834a Mon Sep 17 00:00:00 2001
From: Santo Cariotti
Date: Thu, 1 Dec 2022 10:18:51 +0100
Subject: Replace /me endpoint with /:id
---
 server/src/routes/user.rs | 24 +++++++++++++++++++-----
 1 file changed, 19 insertions(+), 5 deletions(-)
(limited to 'server/src/routes/user.rs')
diff --git a/server/src/routes/user.rs b/server/src/routes/user.rs
index d0aa056..d5a09e2 100644
--- a/server/src/routes/user.rs
+++ b/server/src/routes/user.rs
@@ -3,13 +3,13 @@ use crate::models::{
 auth::Claims,
 user::{User, UserList},
 };
-use axum::{routing::get, Json, Router};
+use axum::{extract::Path, routing::get, Json, Router};
 
 /// Create routes for `/v1/users/` namespace
 pub fn create_route() -> Router {
 Router::new()
 .route("/", get(list_users))
-.route("/me", get(get_user))
+.route("/:id", get(get_user))
 }
 
 /// List users. Checks Authorization token
@@ -19,9 +19,23 @@ async fn list_users(_: Claims) -> Result>, AppError> {
 Ok(Json(users))
 }
 
-/// Get the user from the `Authorization` header token
-async fn get_user(claims: Claims) -> Result, AppError> {
-match User::find_by_id(claims.user_id).await {
+/// Search an user by `user_id`. It works only if the user passed by `Authorization` token is the
+/// same of the url or a staffer.
+async fn get_user(Path(user_id): Path, claims: Claims) -> Result, AppError> {
+let claimed = match User::find_by_id(claims.user_id).await {
+Ok(user) => user,
+Err(_) => {
+return Err(AppError::NotFound("User not found".to_string()));
+}
+};
+
+if user_id != claimed.id {
+if !(claimed.is_staff.unwrap()) {
+return Err(AppError::Unauthorized);
+}
+}
+
+match User::find_by_id(user_id).await {
 Ok(user) => Ok(Json(user)),
 Err(_) => Err(AppError::NotFound("User not found".to_string())),
 }
-- 
cgit v1.2.3-18-g5258
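Review bot: The staff check at `if !(claimed.is_staff.unwrap()) {` in the second hunk panics when `is_staff` is unset, so a user row with no value for that flag turns an authorization decision into a crashed handler rather than a denial; fail closed with `if user_id != claimed.id && !claimed.is_staff.unwrap_or(false) {`, which also collapses the nested `if` that clippy would flag. Doing the caller's own lookup and the ownership/staff decision before fetching the requested id is the right order, since a non-staff caller asking for another id is refused without revealing whether that id exists. The doc comment would read better as `/// Look up a user by `user_id`. Allowed only when the caller identified by the `Authorization` token is that same user or a staffer.`. get_user's closing brace lies outside the hunk.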