From 57e8ccd03994a12abf46e3be04327164622f2604 Mon Sep 17 00:00:00 2001 From: KUNAL KUMAR Date: Wed, 12 Nov 2025 01:18:16 +0530 Subject: [PATCH 1/2] auth: added context for auth check if the user has permission --- cmd/api/contex.go | 18 ++++++++++ cmd/api/events.go | 67 ++++++++++++++++++++++++++++++++++++- internals/database/event.go | 2 +- 3 files changed, 85 insertions(+), 2 deletions(-) create mode 100644 cmd/api/contex.go diff --git a/cmd/api/contex.go b/cmd/api/contex.go new file mode 100644 index 0000000..02ed0a3 --- /dev/null +++ b/cmd/api/contex.go @@ -0,0 +1,18 @@ +package main + +import ( + "github.com/gin-gonic/gin" + "github.com/kunalkumar-1/Evently/internals/database" +) + +func(app *application) GetUserFromContext(c *gin.Context) *database.User { + contextUser, exist := c.Get("user") + if !exist { + return &database.User{} + } + user, ok := contextUser.(*database.User) + if !ok { + return &database.User{} + } + return user +} \ No newline at end of file diff --git a/cmd/api/events.go b/cmd/api/events.go index 02b56af..2ac744d 100644 --- a/cmd/api/events.go +++ b/cmd/api/events.go @@ -22,6 +22,10 @@ func (app *application) createEvent(c *gin.Context) { return } + user := app.GetUserFromContext(c) + event.OwnerId = user.Id + + // Insert into db err := app.models.Events.Insert(&event) @@ -85,6 +89,7 @@ func (app *application) updateEvent(c *gin.Context) { return } + user := app.GetUserFromContext(c) // get user from context existingEvent, err := app.models.Events.Get(id) if err != nil { 
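Review bot: GetUserFromContext fails open: when nothing is stored under the "user" key, or the stored value is not a `*database.User`, it returns `&database.User{}` whose Id is 0, and the new ownership checks in the events.go hunks (updateEvent, deleteEvent, addAttendeeToEvent, deleteAttendeeFromEvent) compare `OwnerId != user.Id` against that zero, while createEvent stores it as the owner. A request that reaches these handlers without an authenticated user would therefore create events owned by Id 0 and pass the owner check on any such event; whether that path is reachable depends on middleware outside this patch. Return `nil` from both fallback branches and have each caller reject with `if user == nil { c.JSON(http.StatusUnauthorized, gin.H{"error": "Authentication required"}); return }`. The exported method also lacks a doc comment; `// GetUserFromContext returns the user stored on the request context under "user", or nil when absent.` would do, and the file name `contex.go` looks like a typo for `context.go`.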
@@ -101,10 +106,17 @@ func (app *application) updateEvent(c *gin.Context) { return } + if existingEvent.OwnerId != user.Id { + c.JSON(http.StatusForbidden, gin.H{ + "erorr": "You are not authorized to update this event", + }) + return + } + updatedEvent := &database.Event{} fmt.Println("Existing Event:", existingEvent) - fmt.Println("upadtedEvent:", updatedEvent) + fmt.Println("UpadtedEvent:", updatedEvent) if err := c.ShouldBindJSON(updatedEvent); err != nil { c.JSON(http.StatusBadGateway, gin.H{ @@ -136,6 +148,27 @@ func (app *application) deleteEvent(c *gin.Context) { return } + user := app.GetUserFromContext(c) // get user from context + existingEvent, err := app.models.Events.Get(id) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{ + "error": "Failed to retireve event", + }) +} + if existingEvent == nil { + c.JSON(http.StatusNotFound, gin.H{ + "erorr": "Event not found", + }) + return + } + + if existingEvent.OwnerId != user.Id { + c.JSON(http.StatusForbidden, gin.H{ + "erorr": "You are not authorized to delete this event", + }) + return + } + if err := app.models.Events.Delete(id); err != nil { c.JSON(http.StatusInternalServerError, gin.H{ "error": "Failed to delete event", @@ -143,6 +176,7 @@ func (app *application) deleteEvent(c *gin.Context) { } c.JSON(http.StatusNoContent, nil) + } func (app *application) addAttendeeToEvent(c *gin.Context) { @@ -190,6 +224,15 @@ func (app *application) addAttendeeToEvent(c *gin.Context) { return } + user := app.GetUserFromContext(c) + + if event.OwnerId != user.Id { + c.JSON(http.StatusForbidden, gin.H{ + "erorr": "You are not authorized to add attendees to this event", + }) + return + } + existingAttendee, err := app.models.Attendees.GetByEventAndAttendee(event.Id, userToAdd.Id) //get user by id if err != nil { // if error in getting user c.JSON(http.StatusInternalServerError, gin.H{ 
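Review bot: The owner check is made on existingEvent, but the request body is then bound into updatedEvent with `ShouldBindJSON`, and Event.OwnerId keeps its `json:"ownerId"` tag (the event.go hunk only drops `binding:"required"`), so a caller can still put an `ownerId` in the update payload; whether Events.Update persists it is outside this hunk, but if it does, the new check can be undone by reassigning ownership. Pin it after a successful bind: `updatedEvent.OwnerId = existingEvent.OwnerId`. The forbidden response here uses the key `"erorr"`, as do the deleteEvent, addAttendeeToEvent and deleteAttendeeFromEvent hunks, while the other responses use `"error"`; clients reading the error field will miss these, so use `"error"` throughout. The two `fmt.Println` calls dump both event structs to stdout on every update; the change only recapitalises the label, but this looks like debug output that should go through a logger or be removed before merge.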
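Review bot: In the `if err != nil` block after `app.models.Events.Get(id)` in deleteEvent, the 500 response is written but the handler does not `return`, unlike the sibling blocks in this hunk and the same lookup in the deleteAttendeeFromEvent hunk. Execution continues to the `existingEvent == nil` check, which writes a second response when Get returned nil, and otherwise on to the owner check and Delete. Add `return` directly after the `c.JSON(http.StatusInternalServerError, ...)` call; the second patch's re-indent of this block (its `@@ -153,8 +152,8 @@` hunk) fixes the braces but still omits it. The message "Failed to retireve event" is also misspelled here and in the deleteAttendeeFromEvent hunk.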
@@ -255,6 +298,28 @@ func (app *application) deleteAttendeeFromEvent(c *gin.Context) { }) } + event, err := app.models.Events.Get(id) + if err != nil { + c.JSON(http.StatusInternalServerError, gin.H{ + "error": "Failed to retireve event", + }) + return + } + if event == nil { + c.JSON(http.StatusNotFound, gin.H{ + "erorr": "Event not found", + }) + return + } + + user := app.GetUserFromContext(c) + if event.OwnerId != user.Id { + c.JSON(http.StatusForbidden, gin.H{ + "error": "You are not authorized to delete attendees from this event", + }) + return + } + err = app.models.Attendees.Delete(userId, id) if err != nil { c.JSON(http.StatusInternalServerError, gin.H{ diff --git a/internals/database/event.go b/internals/database/event.go index 8ef699b..fcd2067 100644 --- a/internals/database/event.go +++ b/internals/database/event.go @@ -13,7 +13,7 @@ type EventModel struct { type Event struct { Id int `json:"id"` - OwnerId int `json:"ownerId" binding:"required"` + OwnerId int `json:"ownerId"` Name string `json:"name" binding:"required,min=3,max=50"` Description string `json:"description" binding:"required,min=3,max=500"` Date string `json:"date" binding:"required"` From 9f893e9d98eaf1a7d7b44311fc5a2b3490f7eef7 Mon Sep 17 00:00:00 2001 From: KUNAL KUMAR Date: Wed, 12 Nov 2025 01:18:43 +0530 Subject: [PATCH 2/2] auth: added context for auth check if the user has permission --- cmd/api/contex.go | 4 ++-- cmd/api/events.go | 9 ++++----- 2 files changed, 6 insertions(+), 7 deletions(-) diff --git a/cmd/api/contex.go b/cmd/api/contex.go index 02ed0a3..0b977be 100644 --- a/cmd/api/contex.go +++ b/cmd/api/contex.go @@ -5,7 +5,7 @@ import ( "github.com/kunalkumar-1/Evently/internals/database" ) -func(app *application) GetUserFromContext(c *gin.Context) *database.User { +func (app *application) GetUserFromContext(c *gin.Context) *database.User { contextUser, exist := c.Get("user") if !exist { return &database.User{} 
@@ -15,4 +15,4 @@ func(app *application) GetUserFromContext(c *gin.Context) *database.User { return &database.User{} } return user -} \ No newline at end of file +} diff --git a/cmd/api/events.go b/cmd/api/events.go index 2ac744d..b59971a 100644 --- a/cmd/api/events.go +++ b/cmd/api/events.go @@ -24,7 +24,6 @@ func (app *application) createEvent(c *gin.Context) { user := app.GetUserFromContext(c) event.OwnerId = user.Id - // Insert into db err := app.models.Events.Insert(&event) @@ -112,7 +111,7 @@ func (app *application) updateEvent(c *gin.Context) { }) return } - + updatedEvent := &database.Event{} fmt.Println("Existing Event:", existingEvent) @@ -153,8 +152,8 @@ func (app *application) deleteEvent(c *gin.Context) { if err != nil { c.JSON(http.StatusInternalServerError, gin.H{ "error": "Failed to retireve event", - }) -} + }) + } if existingEvent == nil { c.JSON(http.StatusNotFound, gin.H{ "erorr": "Event not found", @@ -176,7 +175,7 @@ func (app *application) deleteEvent(c *gin.Context) { } c.JSON(http.StatusNoContent, nil) - + } func (app *application) addAttendeeToEvent(c *gin.Context) {