package groups
import (
"net/http"
"github.com/go-chi/render"
"github.com/France-ioi/AlgoreaBackend/app/database"
"github.com/France-ioi/AlgoreaBackend/app/formdata"
"github.com/France-ioi/AlgoreaBackend/app/service"
)
// swagger:operation PUT /groups/{group_id}/managers/{manager_id} groups groupManagerEdit
//
// ---
// summary: Change permissions of a group manager
// description: >
//
// Modifies permissions of a group manager.
//
//
// The authenticated user should have 'can_manage:memberships_and_group' permission on the group
// and the `{group_id}`-`{manager_id}` pair should exist in `group_managers`,
// otherwise the "forbidden" error is returned.
// parameters:
// - name: group_id
// in: path
// required: true
// type: integer
// - name: manager_id
// in: path
// required: true
// type: integer
// - in: body
// name: data
// required: true
// description: New permissions of the manager
// schema:
// "$ref": "#/definitions/createGroupManagerRequest"
// responses:
// "200":
// "$ref": "#/responses/updatedResponse"
// "400":
// "$ref": "#/responses/badRequestResponse"
// "401":
// "$ref": "#/responses/unauthorizedResponse"
// "403":
// "$ref": "#/responses/forbiddenResponse"
// "500":
// "$ref": "#/responses/internalErrorResponse"
func (srv *Service) updateGroupManager(w http.ResponseWriter, r *http.Request) service.APIError {
	// Handler for PUT /groups/{group_id}/managers/{manager_id}: rewrites the
	// permission columns of one existing group_managers row. The authorization
	// check and the write run in a single transaction under a write lock so the
	// row cannot change between the check and the update.
	user := srv.GetUser(r)

	groupID, err := service.ResolveURLQueryPathInt64Field(r, "group_id")
	if err != nil {
		return service.ErrInvalidRequest(err)
	}
	managerID, err := service.ResolveURLQueryPathInt64Field(r, "manager_id")
	if err != nil {
		return service.ErrInvalidRequest(err)
	}

	// The request body is validated against createGroupManagerRequest (shared
	// with the create endpoint); a malformed or invalid body is a 400.
	var input createGroupManagerRequest
	formData := formdata.NewFormData(&input)
	if err = formData.ParseJSONRequestData(r); err != nil {
		return service.ErrInvalidRequest(err)
	}

	apiError := service.NoError
	err = srv.GetStore(r).InTransaction(func(store *database.DataStore) error {
		// Both conditions are evaluated in one locked query:
		//  1) the caller manages groupID with can_manage = 'memberships_and_group'
		//     (the unaliased group_managers.can_manage presumably refers to the
		//     caller's manager row supplied by ManagedBy — confirm in that helper);
		//  2) a group_managers row for the (groupID, managerID) pair exists
		//     (the this_manager join).
		allowed, checkErr := store.Groups().ManagedBy(user).WithWriteLock().
			Where("groups.id = ?", groupID).
			Joins(`
				JOIN group_managers AS this_manager
				ON this_manager.group_id = groups.id AND this_manager.manager_id = ?`, managerID).
			Where("group_managers.can_manage = 'memberships_and_group'").HasRows()
		service.MustNotBeError(checkErr)
		if !allowed {
			// Missing permission and missing pair are deliberately
			// indistinguishable to the caller: both yield 403.
			apiError = service.InsufficientAccessRightsError
			return apiError.Error // non-nil error forces a rollback
		}

		// NOTE(review): the columns written here are whatever the request
		// struct's DB mapping exposes; confirm that mapping covers only the
		// permission fields and never group_id / manager_id, otherwise this
		// becomes a mass-assignment vector. The struct is not visible here.
		return store.GroupManagers().
			Where("group_id = ?", groupID).
			Where("manager_id = ?", managerID).
			UpdateColumn(formData.ConstructMapForDB()).Error()
	})
	if apiError != service.NoError {
		return apiError
	}
	// Any other transaction failure is an internal error (panics into the
	// service's recovery path rather than being reported to the client).
	service.MustNotBeError(err)

	service.MustNotBeError(render.Render(w, r, service.UpdateSuccess(nil)))
	return service.NoError
}