Linting and Access Controls

ComputerScienceHouse · Sep 23, 2024 · 75f7683 · 75f7683
1 parent 28c6dc7
commit 75f7683
Show file tree

Hide file tree

Showing 12 changed files with 111 additions and 67 deletions.
diff --git a/...71e765515747a4052d0ad59c2fd64ec81251.json → ...90e28fc6bf4651a85c7a52d6468c44e36852.json b/...71e765515747a4052d0ad59c2fd64ec81251.json → ...90e28fc6bf4651a85c7a52d6468c44e36852.json
diff --git a/...f039194865d02f6abc03662c16fcf147b3e6.json → ...ac476243289d42ccb2c6ba5c35b32bf63986.json b/...f039194865d02f6abc03662c16fcf147b3e6.json → ...ac476243289d42ccb2c6ba5c35b32bf63986.json
diff --git a/...19c67dd744ab3b8225005afe36ccb74bd491.json → ...8bcb575747135c9adccb9a2e1ea881e14963.json b/...19c67dd744ab3b8225005afe36ccb74bd491.json → ...8bcb575747135c9adccb9a2e1ea881e14963.json
diff --git a/...3c61c1a2147289e4b58d0c70680b83a30585.json → ...8cad2ce6b5c7bc1ae2d561c8219967810ee2.json b/...3c61c1a2147289e4b58d0c70680b83a30585.json → ...8cad2ce6b5c7bc1ae2d561c8219967810ee2.json
diff --git a/.sqlx/query-dfb486af0f1ea3f1faa1b68b5a25515cdf802a50dece2d3869b6be8dc30c497c.json b/.sqlx/query-dfb486af0f1ea3f1faa1b68b5a25515cdf802a50dece2d3869b6be8dc30c497c.json
diff --git a/src/api/v1/auth/csh.rs b/src/api/v1/auth/csh.rs
@@ -1,15 +1,15 @@
+use crate::api::v1::auth::models::UserRealm;
+use crate::api::v1::auth::models::{CSHUserInfo, UserInfo};
+use crate::AppState;
 use actix_session::Session;
 use actix_web::http::header;
+use actix_web::{get, Scope};
 use actix_web::{web, HttpResponse, Responder};
 use oauth2::reqwest::async_http_client;
 use oauth2::{AuthorizationCode, TokenResponse};
 use reqwest::Client;
-use utoipa::{OpenApi, ToSchema};
-
-use crate::api::v1::auth::models::{CSHUserInfo, UserInfo, UserRealm};
-use crate::AppState;
-use actix_web::{get, Scope};
 use serde::Deserialize;
+use utoipa::{OpenApi, ToSchema};
 
 use crate::api::v1::auth::common;
 
@@ -34,7 +34,7 @@ async fn login(data: web::Data<AppState>) -> impl Responder {
 #[derive(Deserialize, ToSchema)]
 pub struct AuthRequest {
     code: String,
-    state: String,
+    _state: String,
 }
 
 #[utoipa::path(
@@ -72,11 +72,11 @@ async fn auth(
     sqlx::query!(
         "INSERT INTO users (id, realm, name) VALUES ($1, $2, $3) ON CONFLICT (id) DO UPDATE SET realm = EXCLUDED.realm, name = EXCLUDED.name;",
         user_info.ldap_id,
-        UserRealm::CSH as _,
+        UserRealm::Csh as _,
         format!("{} {}", user_info.given_name, user_info.family_name)
     )
     .execute(&data.db)
-    .await;
+    .await.unwrap();
 
     session.insert("login", true).unwrap();
     session

diff --git a/src/api/v1/auth/google.rs b/src/api/v1/auth/google.rs
@@ -1,16 +1,16 @@
+use crate::api::v1::auth::common;
+use crate::api::v1::auth::models::UserRealm;
+use crate::api::v1::auth::models::{GoogleUserInfo, UserInfo};
+use crate::AppState;
 use actix_session::Session;
 use actix_web::http::header;
+use actix_web::{get, web, Scope};
 use actix_web::{HttpResponse, Responder};
 use oauth2::reqwest::async_http_client;
 use oauth2::{AuthorizationCode, TokenResponse};
 use reqwest::Client;
-use utoipa::{OpenApi, ToSchema};
-
-use crate::api::v1::auth::common;
-use crate::api::v1::auth::models::{GoogleUserInfo, UserInfo, UserRealm};
-use crate::AppState;
-use actix_web::{get, web, Scope};
 use serde::Deserialize;
+use utoipa::{OpenApi, ToSchema};
 
 #[derive(OpenApi)]
 #[openapi(paths(login, auth,), components(schemas(AuthRequest)))]
@@ -37,7 +37,7 @@ async fn login(data: web::Data<AppState>) -> impl Responder {
 #[derive(Deserialize, ToSchema)]
 pub struct AuthRequest {
     code: String,
-    state: String,
+    _state: String,
 }
 
 #[utoipa::path(
@@ -81,7 +81,7 @@ async fn auth(
         format!("{} {}", user_info.given_name, user_info.family_name)
     )
     .execute(&data.db)
-    .await;
+    .await.unwrap();
 
     session.insert("login", true).unwrap();
     session

diff --git a/src/api/v1/auth/models.rs b/src/api/v1/auth/models.rs
@@ -4,7 +4,7 @@ use utoipa::ToSchema;
 #[derive(sqlx::Type)]
 #[sqlx(type_name = "user_realm", rename_all = "lowercase")]
 pub enum UserRealm {
-    CSH,
+    Csh,
     Google,
 }
 

diff --git a/src/api/v1/event/car/mod.rs b/src/api/v1/event/car/mod.rs
@@ -9,10 +9,10 @@ use actix_web::{
 };
 use chrono::{DateTime, Utc};
 use serde::{Deserialize, Serialize};
-use sqlx::query_as;
+use sqlx::{query, query_as};
 use utoipa::{OpenApi, ToSchema};
 
-use log::{debug, error};
+use log::error;
 
 mod rider;
 
@@ -89,15 +89,25 @@ async fn create_car(
     path: web::Path<i32>,
 ) -> impl Responder {
     let event_id: i32 = path.into_inner();
+    let user_id = session.get::<UserInfo>("userinfo").unwrap().unwrap().id;
     if car.max_capacity < 0 {
         return HttpResponse::BadRequest()
             .body("Sorry @cinnamon, you can't have negative people in your car :)");
     }
+    let check = query!(
+        r#"SELECT COUNT(*) as count FROM (SELECT id FROM car WHERE event_id = $1 AND driver = $2 UNION SELECT rider.car_id FROM rider JOIN car ON rider.car_id = car.id WHERE car.event_id = $1 AND rider.rider = $2)"#,
+        event_id, user_id
+    ).fetch_one(&data.db).await.unwrap();
+
+    if check.count.unwrap() > 0 {
+        return HttpResponse::BadRequest().body("User is already in a car.");
+    }
+
     let result = sqlx::query!(
         r#"
         INSERT INTO car (event_id, driver, max_capacity, departure_time, return_time, comment) VALUES ($1, $2, $3, $4, $5, $6) RETURNING id
         "#,
-        event_id, session.get::<UserInfo>("userinfo").unwrap().unwrap().id, car.max_capacity, car.departure_time, car.return_time, car.comment
+        event_id, user_id, car.max_capacity, car.departure_time, car.return_time, car.comment
     )
     .fetch_one(&data.db)
     .await;
@@ -117,11 +127,7 @@ async fn create_car(
     )
 )]
 #[get("/{car_id}", wrap = "SessionAuth")]
-async fn get_car(
-    data: web::Data<AppState>,
-    session: Session,
-    path: web::Path<(i32, i32)>,
-) -> impl Responder {
+async fn get_car(data: web::Data<AppState>, path: web::Path<(i32, i32)>) -> impl Responder {
     let (event_id, car_id) = path.into_inner();
     let result: Option<CarData> = query_as!(
         CarData,
@@ -155,11 +161,7 @@ async fn get_car(
     )
 )]
 #[get("/", wrap = "SessionAuth")]
-async fn get_all_cars(
-    data: web::Data<AppState>,
-    session: Session,
-    path: web::Path<i32>,
-) -> impl Responder {
+async fn get_all_cars(data: web::Data<AppState>, path: web::Path<i32>) -> impl Responder {
     let event_id: i32 = path.into_inner();
     let result = query_as!(
         CarData,
@@ -213,21 +215,22 @@ async fn update_car(
         departure_time = COALESCE($2, departure_time),
         return_time = COALESCE($3, return_time),
         comment = COALESCE($4, comment)
-        WHERE event_id = $5 AND id = $6 RETURNING id
+        WHERE event_id = $5 AND id = $6 AND driver = $7 RETURNING id
         "#,
         car.max_capacity,
         car.departure_time,
         car.return_time,
         car.comment,
         event_id,
-        car_id
+        car_id,
+        session.get::<UserInfo>("userinfo").unwrap().unwrap().id
     )
     .fetch_optional(&data.db)
     .await;
 
     match updated {
         Ok(Some(_)) => HttpResponse::Ok().body("Car updated successfully"),
-        Ok(None) => HttpResponse::NotFound().body("Car not found"),
+        Ok(None) => HttpResponse::NotFound().body("Car not found or you are not the driver."),
         Err(_) => HttpResponse::InternalServerError().body("Failed to update car"),
     }
 }
@@ -249,16 +252,17 @@ async fn delete_car(
     let (event_id, car_id) = path.into_inner();
 
     let deleted = sqlx::query!(
-        "DELETE FROM car WHERE event_id = $1 AND id = $2 RETURNING id",
+        "DELETE FROM car WHERE event_id = $1 AND id = $2 AND driver = $3 RETURNING id",
         event_id,
-        car_id
+        car_id,
+        session.get::<UserInfo>("userinfo").unwrap().unwrap().id
     )
     .fetch_optional(&data.db)
     .await;
 
     match deleted {
         Ok(Some(_)) => HttpResponse::Ok().body("Car deleted"),
-        Ok(None) => HttpResponse::NotFound().body("Car not found"),
+        Ok(None) => HttpResponse::NotFound().body("Car not found or you are not the driver."),
         Err(_) => HttpResponse::InternalServerError().body("Failed to delete car"),
     }
 }

diff --git a/src/api/v1/event/car/rider/mod.rs b/src/api/v1/event/car/rider/mod.rs
@@ -8,8 +8,8 @@ use actix_web::{
     HttpResponse, Responder, Scope,
 };
 use log::error;
-use serde::{Deserialize, Serialize};
-use utoipa::{OpenApi, ToSchema};
+use sqlx::query;
+use utoipa::OpenApi;
 
 #[derive(OpenApi)]
 #[openapi(paths(create_rider, delete_rider))]
@@ -30,13 +30,24 @@ async fn create_rider(
     session: Session,
     path: web::Path<(i32, i32)>,
 ) -> impl Responder {
-    let (_event_id, car_id) = path.into_inner();
+    let (event_id, car_id) = path.into_inner();
+    let user_id = session.get::<UserInfo>("userinfo").unwrap().unwrap().id;
+
+    let check = query!(
+        r#"SELECT COUNT(*) as count FROM (SELECT id FROM car WHERE event_id = $1 AND driver = $2 UNION SELECT rider.car_id FROM rider JOIN car ON rider.car_id = car.id WHERE car.event_id = $1 AND rider.rider = $2)"#,
+        event_id, user_id
+    ).fetch_one(&data.db).await.unwrap();
+
+    if check.count.unwrap() > 0 {
+        return HttpResponse::BadRequest().body("User is already in a car.");
+    }
+
     let result = sqlx::query!(
         r#"
         INSERT INTO rider (car_id, rider) VALUES ($1, $2)
         "#,
         car_id,
-        session.get::<UserInfo>("userinfo").unwrap().unwrap().id
+        user_id
     )
     .execute(&data.db)
     .await;
-Original file line number
+Diff line change
@@ Expand Up / @@ -4,7 +4,7 @@ use utoipa::ToSchema; @@
     #[derive(sqlx::Type)]
     #[sqlx(type_name = "user_realm", rename_all = "lowercase")]
     pub enum UserRealm {
-        CSH,
+        Csh,
         Google,
     }
@@ Expand Down @@