diff --git a/cmd/api/contex.go b/cmd/api/contex.go new file mode 100644 index 0000000..0b977be --- /dev/null +++ b/cmd/api/contex.go @@ -0,0 +1,18 @@ +package main + +import ( + "github.com/gin-gonic/gin" + "github.com/kunalkumar-1/Evently/internals/database" +) + +func (app *application) GetUserFromContext(c *gin.Context) *database.User { + contextUser, exist := c.Get("user") + if !exist { + return &database.User{} + } + user, ok := contextUser.(*database.User) + if !ok { + return &database.User{} + } + return user +} diff --git a/cmd/api/events.go b/cmd/api/events.go index 02b56af..b59971a 100644 --- a/cmd/api/events.go +++ b/cmd/api/events.go @@ -22,6 +22,9 @@ func (app *application) createEvent(c *gin.Context) { return } + user := app.GetUserFromContext(c) + event.OwnerId = user.Id + // Insert into db err := app.models.Events.Insert(&event) @@ -85,6 +88,7 @@ func (app *application) updateEvent(c *gin.Context) { return } + user := app.GetUserFromContext(c) // get user from context existingEvent, err := app.models.Events.Get(id) if err != nil { @@ -101,10 +105,17 @@ func (app *application) updateEvent(c *gin.Context) { return } + if existingEvent.OwnerId != user.Id { + c.JSON(http.StatusForbidden, gin.H{ + "erorr": "You are not authorized to update this event", + }) + return + } + updatedEvent := &database.Event{} fmt.Println("Existing Event:", existingEvent) - fmt.Println("upadtedEvent:", updatedEvent) + fmt.Println("UpadtedEvent:", updatedEvent) if err := c.ShouldBindJSON(updatedEvent); err != nil { c.JSON(http.StatusBadGateway, gin.H{ 
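Review bot: GetUserFromContext returns a zero-value `&database.User{}` when the context holds no user or a value of another type, so every caller that compares `existingEvent.OwnerId != user.Id` treats an unauthenticated request as user Id 0 instead of failing closed; a missing user should be distinguishable from a real one, e.g. `return nil` in both failure branches with the callers answering 401 when `user == nil` (or a `(*database.User, bool)` result). The method also has no doc comment; something like `// GetUserFromContext returns the authenticated user stored under the "user" key by the auth middleware, or nil when none is present.` would state the contract. The lookup key `"user"` is a string literal that must match whatever the middleware writes; a package-level const keeps the two in sync. The file name `contex.go` looks like a typo for `context.go`.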
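Review bot: `event.OwnerId = user.Id` persists whatever GetUserFromContext returned, and since that helper yields a zero-value user when the context has none, an event created without an authenticated user is stored with OwnerId 0 and will later match any request whose user also resolves to Id 0; rejecting before the insert, `if user.Id == 0 { c.JSON(http.StatusUnauthorized, gin.H{"error": "authentication required"}); return }`, keeps the ownership checks meaningful. A short comment on the assignment, `// OwnerId always comes from the authenticated user; any ownerId in the request body is overwritten.`, documents why the field no longer carries a binding tag. createEvent starts and ends outside the hunk.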
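Review bot: The 403 response added for the ownership check uses the key `"erorr"`, while the other responses in these handlers report under `"error"` (the delete-failure 500 and the delete-attendee 403, for instance), so a client reading `error` gets an empty message precisely on authorization failures; the same typo is in the new 403 and 404 bodies in deleteEvent, addAttendeeToEvent and deleteAttendeeFromEvent — `"error": "You are not authorized to update this event",`. The retouched `fmt.Println("UpadtedEvent:", updatedEvent)` still carries a typo and, with the line above it, dumps the stored event and the request struct to stdout on every update; dropping both lines (or sending them to a logger at debug level) is preferable in a handler. updateEvent starts and ends outside the hunk.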
@@ -136,6 +147,27 @@ func (app *application) deleteEvent(c *gin.Context) {
 return
 }
+ user := app.GetUserFromContext(c) // get user from context
+ existingEvent, err := app.models.Events.Get(id)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "error": "Failed to retireve event",
+ })
+ }
+ if existingEvent == nil {
+ c.JSON(http.StatusNotFound, gin.H{
+ "erorr": "Event not found",
+ })
+ return
+ }
+
+ if existingEvent.OwnerId != user.Id {
+ c.JSON(http.StatusForbidden, gin.H{
+ "erorr": "You are not authorized to delete this event",
+ })
+ return
+ }
+
 if err := app.models.Events.Delete(id); err != nil {
 c.JSON(http.StatusInternalServerError, gin.H{
 "error": "Failed to delete event",
@@ -143,6 +175,7 @@ func (app *application) deleteEvent(c *gin.Context) {
 }
 c.JSON(http.StatusNoContent, nil)
+
 }
 func (app *application) addAttendeeToEvent(c *gin.Context) {
@@ -190,6 +223,15 @@ func (app *application) addAttendeeToEvent(c *gin.Context) {
 return
 }
+ user := app.GetUserFromContext(c)
+
+ if event.OwnerId != user.Id {
+ c.JSON(http.StatusForbidden, gin.H{
+ "erorr": "You are not authorized to add attendees to this event",
+ })
+ return
+ }
+
 existingAttendee, err := app.models.Attendees.GetByEventAndAttendee(event.Id, userToAdd.Id) //get user by id
 if err != nil { // if error in getting user
 c.JSON(http.StatusInternalServerError, gin.H{
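Review bot: The `if err != nil` branch after `app.models.Events.Get(id)` writes a 500 but does not `return`, so the handler carries on: when Get presumably yields a nil event on error the following nil check writes a second (404) body onto the same response, and should it ever return a non-nil event alongside an error the ownership compare and the delete still run; add `return` after that `c.JSON(...)` call, as the matching block in deleteAttendeeFromEvent already does. The `"Failed to retireve event"` message (also used in deleteAttendeeFromEvent) has a typo. deleteEvent starts outside the hunk.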
@@ -255,6 +297,28 @@ func (app *application) deleteAttendeeFromEvent(c *gin.Context) {
 })
 }
+ event, err := app.models.Events.Get(id)
+ if err != nil {
+ c.JSON(http.StatusInternalServerError, gin.H{
+ "error": "Failed to retireve event",
+ })
+ return
+ }
+ if event == nil {
+ c.JSON(http.StatusNotFound, gin.H{
+ "erorr": "Event not found",
+ })
+ return
+ }
+
+ user := app.GetUserFromContext(c)
+ if event.OwnerId != user.Id {
+ c.JSON(http.StatusForbidden, gin.H{
+ "error": "You are not authorized to delete attendees from this event",
+ })
+ return
+ }
+
 err = app.models.Attendees.Delete(userId, id)
 if err != nil {
 c.JSON(http.StatusInternalServerError, gin.H{
diff --git a/internals/database/event.go b/internals/database/event.go
index 8ef699b..fcd2067 100644
--- a/internals/database/event.go
+++ b/internals/database/event.go
@@ -13,7 +13,7 @@ type EventModel struct {
 type Event struct {
 Id int `json:"id"`
- OwnerId int `json:"ownerId" binding:"required"`
+ OwnerId int `json:"ownerId"`
 Name string `json:"name" binding:"required,min=3,max=50"`
 Description string `json:"description" binding:"required,min=3,max=500"`
 Date string `json:"date" binding:"required"`
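Review bot: The hunk's two leading context lines, `})` followed by `}`, suggest the error branch just above the new code writes a response and falls through without returning; if so, the new event lookup, the 403 check and the attendee delete all execute after a response has already been sent, which is worth confirming against the lines before the hunk and fixing with a `return` there. The ownership check also runs only after two database round-trips; moving `user := app.GetUserFromContext(c)` ahead of the `Events.Get` call lets a request with no authenticated user be rejected before touching the database. deleteAttendeeFromEvent starts and ends outside the hunk.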
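Review bot: Dropping `binding:"required"` means `ownerId` is no longer demanded from clients, but the field is still unmarshalled from request bodies via `json:"ownerId"`; createEvent overwrites it from the context user, whereas updateEvent binds the body into `updatedEvent` and whether it copies `OwnerId` into the stored row is outside this diff — if it does, a caller could reassign an event's owner. Either reset it after binding in updateEvent (`updatedEvent.OwnerId = existingEvent.OwnerId`) or document on the field that it is server-assigned, e.g. `// OwnerId is set from the authenticated user; values supplied in request bodies are ignored.` The Event struct continues past the hunk.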