
Commit 3eeaec0

committed
handler: feat: protect GET slids
1 parent 310e77b commit 3eeaec0


1 file changed

+13
-1
lines changed


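--- a/infra/handler/src/DeckGo/Handler.hs
+++ b/infra/handler/src/DeckGo/Handler.hs
@@ -634,7 +634,19 @@ getDeck env deckId = do
 -- SLIDES
 
 slidesGet :: Aws.Env -> Firebase.UserId -> DeckId -> Servant.Handler [Item SlideId Slide]
-slidesGet env _ _ = do
+slidesGet env fuid deckId = do
+
+getDeck env deckId >>= \case
+Nothing -> do
+liftIO $ putStrLn $ unwords
+[ "Trying to GET slides for", show deckId, "but deck doesn't exist." ]
+Servant.throwError Servant.err404
+Just deck@Deck{deckOwnerId, deckSlides} -> do
+when (Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId)) $ do
+liftIO $ putStrLn $ unwords $
+[ "Slides were requested for ", show deck, "but requester is not the owner", show fuid ]
+Servant.throwError Servant.err404
+
 res <- runAWS env $ Aws.send $ DynamoDB.scan "Slides"
 case res of
 Right scanResponse ->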
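Review bot: The new ownership gate only protects the response if the `DynamoDB.scan "Slides"` that follows it is narrowed to this deck, and the scan is still an unfiltered table scan at the point where the hunk ends; the rest of `slidesGet` runs past the hunk, so I cannot see whether the result is intersected with the `deckSlides` bound in the `Just` branch — if it is not, every caller who owns any deck still receives every slide in the table. Please confirm the filter exists, or scope the query by `deckSlides` right after the check. Separately, the unauthorized-access log line calls `show deck`, which dumps the whole `Deck` record (owner id, slide list, any other fields) to stdout on each rejected request; logging the identifier is enough for forensics, e.g. `[ "Slides were requested for deck", show deckId, "but requester is not the owner", show fuid ]`, which also removes the stray trailing space before `unwords` adds its own. Answering both "deck missing" and "not the owner" with `err404` is a good choice, as it avoids leaking which deck ids exist to non-owners.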
