Team routes (#92)

* Team routes template * More work on teams * Updating routes WIP * Edit routes * Fixes * Run prepare, prevent non-members from seeing perms * More fixes * Finish team routes * More fixes * Unpushed changes * Some more fixes and error handling * Fix sqlx prepare, formatting Co-authored-by: Aeledfyr <aeledfyr@gmail.com>
2020-11-09 19:39:23 -07:00
parent c8e58a1e5b
commit 578d673a4e
15 changed files with 1237 additions and 111 deletions
--- a/src/routes/mods.rs
+++ b/src/routes/mods.rs
@@ -1,8 +1,10 @@
 use super::ApiError;
-use crate::auth::check_is_moderator_from_headers;
+use crate::auth::get_user_from_headers;
 use crate::database;
 use crate::models;
 use crate::models::mods::SearchRequest;
+use crate::models::teams::Permissions;
+use crate::models::users::Role;
 use crate::search::{search_for_mod, SearchConfig, SearchError};
 use actix_web::{delete, get, web, HttpRequest, HttpResponse};
 use serde::{Deserialize, Serialize};
@@ -92,17 +94,30 @@ pub async fn mod_delete(
    pool: web::Data<PgPool>,
    config: web::Data<SearchConfig>,
 ) -> Result<HttpResponse, ApiError> {
-    check_is_moderator_from_headers(
-        req.headers(),
-        &mut *pool
-            .acquire()
-            .await
-            .map_err(|e| ApiError::DatabaseError(e.into()))?,
-    )
-    .await
-    .map_err(|_| ApiError::AuthenticationError)?;
-
+    let user = get_user_from_headers(req.headers(), &**pool).await?;
    let id = info.into_inner().0;
+
+    if user.role != Role::Moderator || user.role != Role::Admin {
+        let mod_item = database::models::Mod::get(id.into(), &**pool)
+            .await
+            .map_err(|e| ApiError::DatabaseError(e.into()))?
+            .ok_or_else(|| ApiError::InvalidInputError("Invalid Mod ID specified!".to_string()))?;
+        let team_member = database::models::TeamMember::get_from_user_id(
+            mod_item.team_id,
+            user.id.into(),
+            &**pool,
+        )
+        .await
+        .map_err(ApiError::DatabaseError)?
+        .ok_or_else(|| ApiError::InvalidInputError("Invalid Mod ID specified!".to_string()))?;
+
+        if !team_member.permissions.contains(Permissions::DELETE_MOD) {
+            return Err(ApiError::CustomAuthenticationError(
+                "You don't have permission to delete this mod".to_string(),
+            ));
+        }
+    }
+
    let result = database::models::Mod::remove_full(id.into(), &**pool)
        .await
        .map_err(|e| ApiError::DatabaseError(e.into()))?;