Fixed rights check on lists and namespaces (#62)

2019-03-08 21:31:37 +00:00
parent 65f428fe78
commit eb4d38b5b8
14 changed files with 118 additions and 161 deletions
--- a/pkg/models/list_users_create.go
+++ b/pkg/models/list_users_create.go
@ -33,40 +33,40 @@ import "code.vikunja.io/web"
 // @Failure 403 {object} code.vikunja.io/web.HTTPError "The user does not have access to the list"
 // @Failure 500 {object} models.Message "Internal error"
 // @Router /lists/{id}/users [put]
-func (ul *ListUser) Create(a web.Auth) (err error) {
+func (lu *ListUser) Create(a web.Auth) (err error) {

 	// Check if the right is valid
-	if err := ul.Right.isValid(); err != nil {
+	if err := lu.Right.isValid(); err != nil {
 		return err
 	}

 	// Check if the list exists
-	l := &List{ID: ul.ListID}
+	l := &List{ID: lu.ListID}
 	if err = l.GetSimpleByID(); err != nil {
 		return
 	}

 	// Check if the user exists
-	if _, err = GetUserByID(ul.UserID); err != nil {
+	if _, err = GetUserByID(lu.UserID); err != nil {
 		return err
 	}

 	// Check if the user already has access or is owner of that list
 	// We explicitly DONT check for teams here
-	if l.OwnerID == ul.UserID {
-		return ErrUserAlreadyHasAccess{UserID: ul.UserID, ListID: ul.ListID}
+	if l.OwnerID == lu.UserID {
+		return ErrUserAlreadyHasAccess{UserID: lu.UserID, ListID: lu.ListID}
 	}

-	exist, err := x.Where("list_id = ? AND user_id = ?", ul.ListID, ul.UserID).Get(&ListUser{})
+	exist, err := x.Where("list_id = ? AND user_id = ?", lu.ListID, lu.UserID).Get(&ListUser{})
 	if err != nil {
 		return
 	}
 	if exist {
-		return ErrUserAlreadyHasAccess{UserID: ul.UserID, ListID: ul.ListID}
+		return ErrUserAlreadyHasAccess{UserID: lu.UserID, ListID: lu.ListID}
 	}

 	// Insert user <-> list relation
-	_, err = x.Insert(ul)
+	_, err = x.Insert(lu)

 	return
 }