Determine whether a user can access a group information or not

2024-12-28 14:38:52 +00:00 · 2020-06-24 17:57:13 +02:00 · 2020-06-24 17:57:13 +02:00 · ed498a73d6
commit ed498a73d6
parent b89a319cfb
2 changed files with 22 additions and 3 deletions
--- a/src/data/group.rs
+++ b/src/data/group.rs
@ -11,7 +11,7 @@ pub enum GroupVisibilityLevel {
 }

 #[allow(non_camel_case_types)]
-#[derive(Eq, PartialEq, Hash, Debug)]
+#[derive(Eq, PartialEq, Hash, Debug, PartialOrd)]
 pub enum GroupAccessLevel {
    //Can not even know if the group exists or not
    NO_ACCESS = 0,
@ -30,4 +30,18 @@ pub enum GroupAccessLevel {

    //Can do everything
    ADMIN_ACCESS = 5,
+}
+
+#[cfg(test)]
+mod tests {
+    use crate::data::group::GroupAccessLevel;
+
+    #[test]
+    fn access_level_coherence() {
+        assert!(GroupAccessLevel::NO_ACCESS < GroupAccessLevel::LIMITED_ACCESS);
+        assert!(GroupAccessLevel::LIMITED_ACCESS < GroupAccessLevel::VIEW_ACCESS);
+        assert!(GroupAccessLevel::VIEW_ACCESS < GroupAccessLevel::MEMBER_ACCESS);
+        assert!(GroupAccessLevel::MEMBER_ACCESS < GroupAccessLevel::MODERATOR_ACCESS);
+        assert!(GroupAccessLevel::MODERATOR_ACCESS < GroupAccessLevel::ADMIN_ACCESS);
+    }
 }
--- a/src/data/http_request_handler.rs
+++ b/src/data/http_request_handler.rs
@ -467,8 +467,13 @@ impl HttpRequestHandler {
        let group_id = self.post_group_id(name)?;
        let access_level = groups_helper::get_access_level(&group_id, self.user_id_opt())?;

-        // TODO : add security checks
-        println!("Curr access level: {:?} / Expected: {:?}", access_level, min_level);
+        if access_level == GroupAccessLevel::NO_ACCESS {
+            self.not_found("Specified group not found!".to_string())?;
+        }
+
+        if access_level < min_level {
+            self.forbidden("You do not have enough rights to perform what you intend to do on this group!".to_string())?;
+        }

        Ok(group_id)
    }