Skip to content
This repository was archived by the owner on Feb 6, 2024. It is now read-only.

Commit b07280f

Browse files
nmattianmattia
committed
handler: feat: protect slide put and del
1 parent da6eef8 commit b07280f

File tree

1 file changed

+40
-2
lines changed

1 file changed

+40
-2
lines changed

infra/handler/src/DeckGo/Handler.hs

Lines changed: 40 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -705,7 +705,26 @@ slidesPost env fuid deckId slide = do
705705
pure $ Item slideId slide
706706

707707
slidesPut :: Aws.Env -> Firebase.UserId -> DeckId -> SlideId -> Slide -> Servant.Handler (Item SlideId Slide)
708-
slidesPut env _ _ slideId slide = do
708+
slidesPut env fuid deckId slideId slide = do
709+
710+
getDeck env deckId >>= \case
711+
Nothing -> do
712+
liftIO $ putStrLn $ unwords
713+
[ "Trying to PUT slide", show slideId, "of deck", show deckId
714+
, "but deck doesn't exist." ]
715+
Servant.throwError Servant.err404
716+
Just deck@Deck{deckOwnerId, deckSlides} -> do
717+
when (Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId)) $ do
718+
liftIO $ putStrLn $ unwords $
719+
[ "Trying to PUT slide", show slideId, "of deck", show deck
720+
, "but requester is not the owner", show fuid ]
721+
Servant.throwError Servant.err404
722+
723+
unless (slideId `elem` deckSlides) $ do
724+
liftIO $ putStrLn $ unwords $
725+
[ "Trying to PUT slide", show slideId, "of deck", show deck
726+
, "but slide doesn't belong to deck owned by", show fuid ]
727+
Servant.throwError Servant.err404
709728

710729
res <- runAWS env $ Aws.send $ DynamoDB.updateItem "Slides" &
711730
DynamoDB.uiUpdateExpression .~ Just
@@ -724,7 +743,26 @@ slidesPut env _ _ slideId slide = do
724743
pure $ Item slideId slide
725744

726745
slidesDelete :: Aws.Env -> Firebase.UserId -> DeckId -> SlideId -> Servant.Handler ()
727-
slidesDelete env _ _ slideId = do
746+
slidesDelete env fuid deckId slideId = do
747+
748+
getDeck env deckId >>= \case
749+
Nothing -> do
750+
liftIO $ putStrLn $ unwords
751+
[ "Trying to DELETE slide", show slideId, "of deck", show deckId
752+
, "but deck doesn't exist." ]
753+
Servant.throwError Servant.err404
754+
Just deck@Deck{deckOwnerId, deckSlides} -> do
755+
when (Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId)) $ do
756+
liftIO $ putStrLn $ unwords $
757+
[ "Trying to DELETE slide", show slideId, "of deck", show deck
758+
, "but requester is not the owner", show fuid ]
759+
Servant.throwError Servant.err404
760+
761+
unless (slideId `elem` deckSlides) $ do
762+
liftIO $ putStrLn $ unwords $
763+
[ "Trying to DELETE slide", show slideId, "of deck", show deck
764+
, "but slide doesn't belong to deck owned by", show fuid ]
765+
Servant.throwError Servant.err404
728766

729767
res <- runAWS env $ Aws.send $ DynamoDB.deleteItem "Slides" &
730768
DynamoDB.diKey .~ HMS.singleton "SlideId"

0 commit comments

Comments
 (0)