Check admin code for admin pages

2020-10-04 16:03:16 -06:00
parent 3ad9b2955f
commit 4eca005046
4 changed files with 135 additions and 3 deletions
--- a/front/server.go
+++ b/front/server.go
@ -2,6 +2,7 @@ package front

 import (
 	"context"
+	"errors"
 	"fmt"
 	"io"
 	"log"
@ -300,7 +301,28 @@ func (h *handler) handleDoCreate(w http.ResponseWriter, r *http.Request) {
 	http.Redirect(w, r, pathCreateSuccess+"?"+successQuery.Encode(), http.StatusSeeOther)
 }

+func (h *handler) blockUnauthorizedAdmin(w http.ResponseWriter, r *http.Request) bool {
+	eventID := r.URL.Query().Get(fieldNameEventID)
+	adminCode := r.URL.Query().Get(fieldNameAdminCode)
+
+	err := h.store.AuthorizeEventAdmin(context.Background(), back.CheckEventAdminCodeQuery{
+		EventID:   eventID,
+		AdminCode: adminCode,
+	})
+	var authError back.UnauthorizedError
+	if errors.As(err, &authError) {
+		http.Error(w, "Event not found", http.StatusNotFound)
+		logError(authError)
+		return true
+	}
+	return internalServerError(w, err)
+}
+
 func (h *handler) handleCreateSuccess(w http.ResponseWriter, r *http.Request) {
+	if h.blockUnauthorizedAdmin(w, r) {
+		return
+	}
+
 	eventID := r.URL.Query().Get(fieldNameEventID)
 	event, err := h.store.GetEventMetadata(r.Context(), back.GetEventMetadataQuery{
 		EventID: eventID,
@ -348,8 +370,13 @@ func (h *handler) handleCreateSuccess(w http.ResponseWriter, r *http.Request) {
 }

 func (h *handler) handleAdmin(w http.ResponseWriter, r *http.Request) {
+	if h.blockUnauthorizedAdmin(w, r) {
+		return
+	}
+
 	query := r.URL.Query()
 	eventID := query.Get(fieldNameEventID)
+
 	metadata, err := h.store.GetEventMetadata(context.Background(), back.GetEventMetadataQuery{
 		EventID: eventID,
 	})