Check admin code for admin pages

2020-10-04 16:03:16 -06:00
parent 3ad9b2955f
commit 4eca005046
4 changed files with 135 additions and 3 deletions


@ -2,6 +2,7 @@ package front
import (
"context"
"errors"
"fmt"
"io"
"log"
@ -300,7 +301,28 @@ func (h *handler) handleDoCreate(w http.ResponseWriter, r *http.Request) {
http.Redirect(w, r, pathCreateSuccess+"?"+successQuery.Encode(), http.StatusSeeOther)
}
func (h *handler) blockUnauthorizedAdmin(w http.ResponseWriter, r *http.Request) bool {
eventID := r.URL.Query().Get(fieldNameEventID)
adminCode := r.URL.Query().Get(fieldNameAdminCode)
err := h.store.AuthorizeEventAdmin(context.Background(), back.CheckEventAdminCodeQuery{
EventID: eventID,
AdminCode: adminCode,
})
var authError back.UnauthorizedError
if errors.As(err, &authError) {
http.Error(w, "Event not found", http.StatusNotFound)
logError(authError)
return true
}
return internalServerError(w, err)
}
func (h *handler) handleCreateSuccess(w http.ResponseWriter, r *http.Request) {
if h.blockUnauthorizedAdmin(w, r) {
return
}
eventID := r.URL.Query().Get(fieldNameEventID)
event, err := h.store.GetEventMetadata(r.Context(), back.GetEventMetadataQuery{
EventID: eventID,
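Review bot: `blockUnauthorizedAdmin` reads the admin code from the URL query string (`r.URL.Query().Get(fieldNameAdminCode)`), so the secret that gates the admin pages will land in server access logs, proxy logs, browser history, and the Referer header of any outbound link rendered on the admin page; if the code has to travel in the URL for shareable links, that constraint deserves a comment on the function, e.g. `// The admin code is a bearer secret carried in the query string; avoid logging full URLs and keep admin pages free of third-party links.` Answering a bad code with a 404 "Event not found" is a sensible choice since it does not confirm the event exists, but the check is only as strong as the code's length and entropy, and nothing here limits guesses — worth confirming on the `AuthorizeEventAdmin` side. The store call also uses `context.Background()` instead of the request context, so a client that disconnects does not cancel the lookup: `err := h.store.AuthorizeEventAdmin(r.Context(), back.CheckEventAdminCodeQuery{`. `handleCreateSuccess` continues past the end of this hunk.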
@ -348,8 +370,13 @@ func (h *handler) handleCreateSuccess(w http.ResponseWriter, r *http.Request) {
}
func (h *handler) handleAdmin(w http.ResponseWriter, r *http.Request) {
if h.blockUnauthorizedAdmin(w, r) {
return
}
query := r.URL.Query()
eventID := query.Get(fieldNameEventID)
metadata, err := h.store.GetEventMetadata(context.Background(), back.GetEventMetadataQuery{
EventID: eventID,
})