Check admin code for admin pages

2020-10-04 16:03:16 -06:00
parent 3ad9b2955f
commit 4eca005046
4 changed files with 135 additions and 3 deletions
--- a/back/store.go
+++ b/back/store.go
@ -3,6 +3,7 @@ package back
 import (
 	"context"
 	"errors"
+	"fmt"
 	"log"
 	"os"

@ -13,6 +14,15 @@ import (

 var ErrNotFound = errors.New("not found")

+type UnauthorizedError struct {
+	EventID   string
+	AdminCode string
+}
+
+func (u UnauthorizedError) Error() string {
+	return fmt.Sprintf("unauthorized: EventID = %s, AdminCode = %s", u.EventID, u.AdminCode)
+}
+
 type GenString func(length int) (string, error)

 type Store struct {
@ -164,6 +174,37 @@ func (s *Store) CreateEvent(ctx context.Context, cmd CreateEventCommand) (result
 	return
 }

+type CheckEventAdminCodeQuery struct {
+	EventID   string
+	AdminCode string
+}
+
+func (s *Store) AuthorizeEventAdmin(ctx context.Context, query CheckEventAdminCodeQuery) error {
+	conn := s.pool.Get(ctx)
+	defer s.pool.Put(conn)
+
+	const dbQuery = `
+		SELECT 1
+		FROM event
+		WHERE id = ? AND admin_code = ?;`
+	var doesMatch bool
+	err := sqlitex.Exec(conn, dbQuery,
+		func(stmt *sqlite.Stmt) error {
+			doesMatch = true
+			return nil
+		}, query.EventID, query.AdminCode)
+	if err != nil {
+		return err
+	}
+	if !doesMatch {
+		return UnauthorizedError{
+			EventID:   query.EventID,
+			AdminCode: query.AdminCode,
+		}
+	}
+	return nil
+}
+
 type GetEventMetadataQuery struct {
 	EventID string
 }
--- a/back/store_test.go
+++ b/back/store_test.go
@ -175,6 +175,7 @@ func TestGetEventResponseSummary(t *testing.T) {
 func TestCreateEventResponse(t *testing.T) {
 	store, err := back.NewMemoryStore(back.SecureGenString)
 	is.New(t).NoErr(err)
+	defer store.Close()

 	createEvent := func(is *is.I) (eventID string) {
 		event, err := store.CreateEvent(context.Background(), back.CreateEventCommand{
@ -238,3 +239,64 @@ func TestCreateEventResponse(t *testing.T) {
 		is.Equal(dateHours, response.DateHours)
 	})
 }
+
+func TestAuthorizeEventAdmin(t *testing.T) {
+	store, err := back.NewMemoryStore(back.SecureGenString)
+	is.New(t).NoErr(err)
+	defer store.Close()
+
+	t.Run("returns ErrUnauthorized if admin code is wrong", func(t *testing.T) {
+		is := is.New(t)
+
+		event, err := store.CreateEvent(context.Background(), back.CreateEventCommand{
+			Name:        "my event",
+			Description: "stuff happening",
+			Earliest:    date.Today(),
+			Latest:      date.Today(),
+		})
+		is.NoErr(err)
+
+		badAdminCode := event.AdminCode + "x"
+		err = store.AuthorizeEventAdmin(context.Background(), back.CheckEventAdminCodeQuery{
+			EventID:   event.EventID,
+			AdminCode: badAdminCode,
+		})
+		is.Equal(err, back.UnauthorizedError{
+			EventID:   event.EventID,
+			AdminCode: badAdminCode,
+		})
+	})
+
+	t.Run("return ErrUnauthorized if event does not exist", func(t *testing.T) {
+		is := is.New(t)
+
+		randString, err := back.SecureGenString(10)
+		is.NoErr(err)
+		err = store.AuthorizeEventAdmin(context.Background(), back.CheckEventAdminCodeQuery{
+			EventID:   randString,
+			AdminCode: randString,
+		})
+		is.Equal(err, back.UnauthorizedError{
+			EventID:   randString,
+			AdminCode: randString,
+		})
+	})
+
+	t.Run("returns nil if admin code is correct", func(t *testing.T) {
+		is := is.New(t)
+
+		event, err := store.CreateEvent(context.Background(), back.CreateEventCommand{
+			Name:        "my event",
+			Description: "stuff happening",
+			Earliest:    date.Today(),
+			Latest:      date.Today(),
+		})
+		is.NoErr(err)
+
+		err = store.AuthorizeEventAdmin(context.Background(), back.CheckEventAdminCodeQuery{
+			EventID:   event.EventID,
+			AdminCode: event.AdminCode,
+		})
+		is.NoErr(err)
+	})
+}