add validity/permission checks to relation updates

This commit is contained in:
mcbloch 2019-06-09 23:28:33 +02:00
parent 0ec34bd9dc
commit f4999fae6b

View file

@ -85,38 +85,46 @@
:links rels-indexed}))) :links rels-indexed})))
(defn update-relationrequest-status (defn update-relationrequest-status
[id body] "Updates the status of a relationship request"
(let [rr_id_map {:id id} [id body {:keys [:session]}]
success (cond (let [rr (db/get-relation-request {:id id})]
(contains? body :accept) ; Check that you are authorized to change this request
(do (if-not (= (:to_id rr) (get-in session [:user :id]))
(let [rr (db/get-relation-request rr_id_map)] (response/unauthorized "You can only update requests send to you")
(db/create-relation! {:from_id (:from_id rr) :to_id (:to_id rr)})) (if-not (= "open" (:status rr))
(db/update-relation-request-status! (assoc rr_id_map :status "accepted"))) (response/gone "Request is not open anymore")
(contains? body :decline) (let [correct-params?
(db/update-relation-request-status! (assoc rr_id_map :status "declined")) (cond
:else false)] (contains? body :accept)
(if success (do
(response/found "/") (db/create-relation! (select-keys rr [:from_id :to_id]))
(response-wrong-parameters)))) (db/update-relation-request-status! {:id id :status "accepted"}))
(contains? body :decline)
(db/update-relation-request-status! {:id id :status "declined"})
:else false)]
(if correct-params?
(response/found "/")
(response-wrong-parameters)))))))
(defn create-relation-request (defn create-relation-request
[req] "Creates a new request, as requests are unidirectional,
(let [data (:params req) this gets denied if there is a request pending or a relation already established"
[err result] (st/validate data request_relation-schema) [{:keys [:params :session :uri]}]
from-id (get-in req [:session :user :id])] (let [[err result] (st/validate params request_relation-schema)
(if (nil? from-id) (response/found (error-page from_id (get-in session [:user :id])
{:status 400 to_id (:to_id result)]
:title "No user id found in session"}))) (if (= from_id to_id)
(log/debug "Post to " (:uri req) "\n with data " result) (response/unprocessable-entity "Sadly enough, you can't hug yourself :'(")
(if (nil? err) (if-not (nil? err)
(do (response/unprocessable-entity "Incorrect input")
(log/debug "Create relation request") (let [count (db/get-connection-existence {:user_id from_id :other_id to_id})]
(db/create-relation-request! {:from_id from-id (if-not (= 0 (:count count))
:to_id (:to_id result) (do
:status "open"}) (log/info "Existing connections found, aborting.")
(response/found "/")) (response/conflict "There is already a request or relation between you and the other user"))
(do (do
(log/debug "Relation request failed") (log/debug "Create relation request")
(log/debug err) (db/create-relation-request! {:from_id from_id
(response/unprocessable-entity "Incorrect input"))))) :to_id to_id
:status "open"})
(response/found "/"))))))))