Merge pull request #7 from KunalKumar-1/ctx

auth: added context for auth check if the user has permission

Author: KunalKumar-1

cmd/api/contex.go

@@ -0,0 +1,18 @@
+package main
+
+import (
+	"github.com/gin-gonic/gin"
+	"github.com/kunalkumar-1/Evently/internals/database"
+)
+
+func (app *application) GetUserFromContext(c *gin.Context) *database.User {
+	contextUser, exist := c.Get("user")
+	if !exist {
+		return &database.User{}
+	}
+	user, ok := contextUser.(*database.User)
+	if !ok {
+		return &database.User{}
+	}
+	return user
+}

cmd/api/events.go

@@ -22,6 +22,9 @@ func (app *application) createEvent(c *gin.Context) {
 		return
 	}
 
+	user := app.GetUserFromContext(c)
+	event.OwnerId = user.Id
+
 	// Insert into db
 	err := app.models.Events.Insert(&event)
 
@@ -85,6 +88,7 @@ func (app *application) updateEvent(c *gin.Context) {
 		return
 	}
 
+	user := app.GetUserFromContext(c) // get user from context
 	existingEvent, err := app.models.Events.Get(id)
 
 	if err != nil {
@@ -101,10 +105,17 @@ func (app *application) updateEvent(c *gin.Context) {
 		return
 	}
 
+	if existingEvent.OwnerId != user.Id {
+		c.JSON(http.StatusForbidden, gin.H{
+			"erorr": "You are not authorized to update this event",
+		})
+		return
+	}
+
 	updatedEvent := &database.Event{}
 
 	fmt.Println("Existing Event:", existingEvent)
-	fmt.Println("upadtedEvent:", updatedEvent)
+	fmt.Println("UpadtedEvent:", updatedEvent)
 
 	if err := c.ShouldBindJSON(updatedEvent); err != nil {
 		c.JSON(http.StatusBadGateway, gin.H{
@@ -136,13 +147,35 @@ func (app *application) deleteEvent(c *gin.Context) {
 		return
 	}
 
+	user := app.GetUserFromContext(c) // get user from context
+	existingEvent, err := app.models.Events.Get(id)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to retireve event",
+		})
+	}
+	if existingEvent == nil {
+		c.JSON(http.StatusNotFound, gin.H{
+			"erorr": "Event not found",
+		})
+		return
+	}
+
+	if existingEvent.OwnerId != user.Id {
+		c.JSON(http.StatusForbidden, gin.H{
+			"erorr": "You are not authorized to delete this event",
+		})
+		return
+	}
+
 	if err := app.models.Events.Delete(id); err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{
 			"error": "Failed to delete event",
 		})
 	}
 
 	c.JSON(http.StatusNoContent, nil)
+
 }
 
 func (app *application) addAttendeeToEvent(c *gin.Context) {
@@ -190,6 +223,15 @@ func (app *application) addAttendeeToEvent(c *gin.Context) {
 		return
 	}
 
+	user := app.GetUserFromContext(c)
+
+	if event.OwnerId != user.Id {
+		c.JSON(http.StatusForbidden, gin.H{
+			"erorr": "You are not authorized to add attendees to this event",
+		})
+		return
+	}
+
 	existingAttendee, err := app.models.Attendees.GetByEventAndAttendee(event.Id, userToAdd.Id) //get user by id
 	if err != nil {                                                                             // if error in getting user
 		c.JSON(http.StatusInternalServerError, gin.H{
@@ -255,6 +297,28 @@ func (app *application) deleteAttendeeFromEvent(c *gin.Context) {
 		})
 	}
 
+	event, err := app.models.Events.Get(id)
+	if err != nil {
+		c.JSON(http.StatusInternalServerError, gin.H{
+			"error": "Failed to retireve event",
+		})
+		return
+	}
+	if event == nil {
+		c.JSON(http.StatusNotFound, gin.H{
+			"erorr": "Event not found",
+		})
+		return
+	}
+
+	user := app.GetUserFromContext(c)
+	if event.OwnerId != user.Id {
+		c.JSON(http.StatusForbidden, gin.H{
+			"error": "You are not authorized to delete attendees from this event",
+		})
+		return
+	}
+
 	err = app.models.Attendees.Delete(userId, id)
 	if err != nil {
 		c.JSON(http.StatusInternalServerError, gin.H{

internals/database/event.go

@@ -13,7 +13,7 @@ type EventModel struct {
 
 type Event struct {
 	Id          int    `json:"id"`
-	OwnerId     int    `json:"ownerId" binding:"required"`
+	OwnerId     int    `json:"ownerId"`
 	Name        string `json:"name" binding:"required,min=3,max=50"`
 	Description string `json:"description" binding:"required,min=3,max=500"`
 	Date        string `json:"date" binding:"required"`