From ed498a73d695536e9a3261f1ef54d7817c08c409 Mon Sep 17 00:00:00 2001 From: Pierre HUBERT Date: Wed, 24 Jun 2020 17:57:13 +0200 Subject: [PATCH] Determine whether a user can access a group information or not --- src/data/group.rs | 16 +++++++++++++++- src/data/http_request_handler.rs | 9 +++++++-- 2 files changed, 22 insertions(+), 3 deletions(-) diff --git a/src/data/group.rs b/src/data/group.rs index c360510..7b90108 100644 --- a/src/data/group.rs +++ b/src/data/group.rs @@ -11,7 +11,7 @@ pub enum GroupVisibilityLevel { } #[allow(non_camel_case_types)] -#[derive(Eq, PartialEq, Hash, Debug)] +#[derive(Eq, PartialEq, Hash, Debug, PartialOrd)] pub enum GroupAccessLevel { //Can not even know if the group exists or not NO_ACCESS = 0, @@ -30,4 +30,18 @@ pub enum GroupAccessLevel { //Can do everything ADMIN_ACCESS = 5, +} + +#[cfg(test)] +mod tests { + use crate::data::group::GroupAccessLevel; + + #[test] + fn access_level_coherence() { + assert!(GroupAccessLevel::NO_ACCESS < GroupAccessLevel::LIMITED_ACCESS); + assert!(GroupAccessLevel::LIMITED_ACCESS < GroupAccessLevel::VIEW_ACCESS); + assert!(GroupAccessLevel::VIEW_ACCESS < GroupAccessLevel::MEMBER_ACCESS); + assert!(GroupAccessLevel::MEMBER_ACCESS < GroupAccessLevel::MODERATOR_ACCESS); + assert!(GroupAccessLevel::MODERATOR_ACCESS < GroupAccessLevel::ADMIN_ACCESS); + } } \ No newline at end of file diff --git a/src/data/http_request_handler.rs b/src/data/http_request_handler.rs index e606a57..ea2241a 100644 --- a/src/data/http_request_handler.rs +++ b/src/data/http_request_handler.rs 
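Review bot: The derived `PartialOrd` on `GroupAccessLevel` now carries an authorization meaning (the handler in the second file compares `access_level < min_level` with it), but nothing at the enum says so, and a variant later inserted out of ascending-privilege order would silently change access decisions. Put that invariant next to the derive, e.g. `// Variant order is security-relevant: the derived ordering backs the access checks in http_request_handler.rs; keep variants in ascending privilege order.` Since `Eq` is already derived and the ordering is total, derive `Ord` as well (and `Clone, Copy` for this fieldless enum): `#[derive(Eq, PartialEq, Ord, PartialOrd, Hash, Debug, Clone, Copy)]`, which lets callers use `cmp`/`max` without a partial comparison. The `access_level_coherence` test in the next hunk checks only adjacent pairs, which is sufficient for a derived total order because it is transitive, so no further assertions are needed there.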
@@ -467,8 +467,13 @@ impl HttpRequestHandler {
         let group_id = self.post_group_id(name)?;
         let access_level = groups_helper::get_access_level(&group_id, self.user_id_opt())?;
 
-        // TODO : add security checks
-        println!("Curr access level: {:?} / Expected: {:?}", access_level, min_level);
+        if access_level == GroupAccessLevel::NO_ACCESS {
+            self.not_found("Specified group not found!".to_string())?;
+        }
+
+        if access_level < min_level {
+            self.forbidden("You do not have enough rights to perform what you intend to do on this group!".to_string())?;
+        }
 
         Ok(group_id)
     }
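Review bot: Both deny branches only abort the request if `not_found` and `forbidden` return `Err`; the result is discarded after `?`, so if either helper returns `Ok` (now or after a later refactor that builds a response instead of an error) control falls through to `Ok(group_id)` and the caller proceeds as if authorized. The helpers are not visible in this hunk, so this is inferred from the call shape; either way the check should fail closed independently of their contract, e.g. document and pin it with `// Fail closed: not_found/forbidden must return Err so that `?` aborts here; never fall through to Ok(group_id).` and a unit test asserting that a NO_ACCESS and a below-`min_level` caller both get an `Err`. Returning 404 for NO_ACCESS before the 403 check is the right order, since it avoids disclosing that the group exists to users who may not know it. The method's signature, where `name` and `min_level` come from, starts outside this hunk.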