Check admin code for admin pages
@ -2,6 +2,7 @@ package front
|
||||
|
||||
import (
|
||||
"context"
|
||||
"errors"
|
||||
"fmt"
|
||||
"io"
|
||||
"log"
|
||||
@ -300,7 +301,28 @@ func (h *handler) handleDoCreate(w http.ResponseWriter, r *http.Request) {
|
||||
http.Redirect(w, r, pathCreateSuccess+"?"+successQuery.Encode(), http.StatusSeeOther)
|
||||
}
|
||||
|
||||
func (h *handler) blockUnauthorizedAdmin(w http.ResponseWriter, r *http.Request) bool {
|
||||
eventID := r.URL.Query().Get(fieldNameEventID)
|
||||
adminCode := r.URL.Query().Get(fieldNameAdminCode)
|
||||
|
||||
err := h.store.AuthorizeEventAdmin(context.Background(), back.CheckEventAdminCodeQuery{
|
||||
EventID: eventID,
|
||||
AdminCode: adminCode,
|
||||
})
|
||||
var authError back.UnauthorizedError
|
||||
if errors.As(err, &authError) {
|
||||
http.Error(w, "Event not found", http.StatusNotFound)
|
||||
logError(authError)
|
||||
return true
|
||||
}
|
||||
return internalServerError(w, err)
|
||||
}
|
||||
|
||||
func (h *handler) handleCreateSuccess(w http.ResponseWriter, r *http.Request) {
|
||||
if h.blockUnauthorizedAdmin(w, r) {
|
||||
return
|
||||
}
|
||||
|
||||
eventID := r.URL.Query().Get(fieldNameEventID)
|
||||
event, err := h.store.GetEventMetadata(r.Context(), back.GetEventMetadataQuery{
|
||||
EventID: eventID,
|
||||
@ -348,8 +370,13 @@ func (h *handler) handleCreateSuccess(w http.ResponseWriter, r *http.Request) {
|
||||
}
|
||||
|
||||
func (h *handler) handleAdmin(w http.ResponseWriter, r *http.Request) {
|
||||
if h.blockUnauthorizedAdmin(w, r) {
|
||||
return
|
||||
}
|
||||
|
||||
query := r.URL.Query()
|
||||
eventID := query.Get(fieldNameEventID)
|
||||
|
||||
metadata, err := h.store.GetEventMetadata(context.Background(), back.GetEventMetadataQuery{
|
||||
EventID: eventID,
|
||||
})
|
||||
|
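Review bot: In `blockUnauthorizedAdmin` the authorization lookup runs under `context.Background()`, so the store call is not cancelled when the request ends. `handleCreateSuccess` already passes `r.Context()` to `GetEventMetadata`, and the guard should do the same: `err := h.store.AuthorizeEventAdmin(r.Context(), back.CheckEventAdminCodeQuery{`. The guard's fall-through also relies on `internalServerError(w, err)` returning false when `err` is nil, which is not visible in this diff. A doc comment such as `// blockUnauthorizedAdmin reports whether it has already written an error response; callers must return when it is true.` would pin that contract so a later change cannot make the check fail open. Because the admin code travels in the URL query string, it is also worth confirming that `logError(authError)` and any access logging do not record it.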