add validity/permission checks to relation updates

src/clj/cat/routes/home.clj

@@ -85,38 +85,46 @@
                   :links rels-indexed})))
 
 (defn update-relationrequest-status
-  [id body]
+  "Updates the status of a relationship request"
-  (let [rr_id_map {:id id}
+  [id body {:keys [:session]}]
-        success (cond
+  (let [rr (db/get-relation-request {:id id})]
-                  (contains? body :accept)
+      ; Check that you are authorized to change this request
-                  (do
+    (if-not (= (:to_id rr) (get-in session [:user :id]))
-                    (let [rr (db/get-relation-request rr_id_map)]
+      (response/unauthorized "You can only update requests send to you")
-                      (db/create-relation! {:from_id (:from_id rr) :to_id (:to_id rr)}))
+      (if-not (= "open" (:status rr))
-                    (db/update-relation-request-status! (assoc rr_id_map :status "accepted")))
+        (response/gone "Request is not open anymore")
-                  (contains? body :decline)
+        (let [correct-params?
-                  (db/update-relation-request-status! (assoc rr_id_map :status "declined"))
+              (cond
-                  :else false)]
+                (contains? body :accept)
-    (if success
+                (do
-      (response/found "/")
+                  (db/create-relation! (select-keys rr [:from_id :to_id]))
-      (response-wrong-parameters))))
+                  (db/update-relation-request-status! {:id id :status "accepted"}))
+                (contains? body :decline)
+                (db/update-relation-request-status! {:id id :status "declined"})
+                :else false)]
+          (if correct-params?
+            (response/found "/")
+            (response-wrong-parameters)))))))
 
 (defn create-relation-request
-  [req]
+  "Creates a new request, as requests are unidirectional,
-  (let [data (:params req)
+  this gets denied if there is a request pending or a relation already established"
-        [err result] (st/validate data request_relation-schema)
+  [{:keys [:params :session :uri]}]
-        from-id (get-in req [:session :user :id])]
+  (let [[err result] (st/validate params request_relation-schema)
-    (if (nil? from-id) (response/found (error-page
+        from_id (get-in session [:user :id])
-                                        {:status 400
+        to_id (:to_id result)]
-                                         :title  "No user id found in session"})))
+    (if (= from_id to_id)
-    (log/debug "Post to " (:uri req) "\n with data " result)
+      (response/unprocessable-entity "Sadly enough, you can't hug yourself :'(")
-    (if (nil? err)
+      (if-not (nil? err)
-      (do
+        (response/unprocessable-entity "Incorrect input")
-        (log/debug "Create relation request")
+        (let [count (db/get-connection-existence {:user_id from_id :other_id to_id})]
-        (db/create-relation-request! {:from_id from-id
+          (if-not (= 0 (:count count))
-                                      :to_id   (:to_id result)
+            (do
-                                      :status  "open"})
+              (log/info "Existing connections found, aborting.")
-        (response/found "/"))
+              (response/conflict "There is already a request or relation between you and the other user"))
-      (do
+            (do
-        (log/debug "Relation request failed")
+              (log/debug "Create relation request")
-        (log/debug err)
+              (db/create-relation-request! {:from_id from_id
-        (response/unprocessable-entity "Incorrect input")))))
+                                            :to_id   to_id
+                                            :status  "open"})
+              (response/found "/"))))))))