
Commit da6eef8

committed
handler: feat: protect slide post
1 parent 3c2f26b commit da6eef8

1 file changed

+36
-2
lines changed

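--- a/infra/handler/src/DeckGo/Handler.hs
+++ b/infra/handler/src/DeckGo/Handler.hs
@@ -629,7 +629,27 @@ getDeck env deckId = do
 -- SLIDES
 
 slidesGetSlideId :: Aws.Env -> Firebase.UserId -> DeckId -> SlideId -> Servant.Handler (Item SlideId Slide)
-slidesGetSlideId env _ _ slideId = do
+slidesGetSlideId env fuid deckId slideId = do
+
+    getDeck env deckId >>= \case
+      Nothing -> do
+        liftIO $ putStrLn $ unwords
+          [ "Trying to GET slide", show slideId, "of deck", show deckId
+          , "but deck doesn't exist." ]
+        Servant.throwError Servant.err404
+      Just deck@Deck{deckOwnerId, deckSlides} -> do
+        when (Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId)) $ do
+          liftIO $ putStrLn $ unwords $
+            [ "Trying to GET slide", show slideId, "of deck", show deck
+            , "but requester is not the owner", show fuid ]
+          Servant.throwError Servant.err404
+
+        unless (slideId `elem` deckSlides) $ do
+          liftIO $ putStrLn $ unwords $
+            [ "Trying to GET slide", show slideId, "of deck", show deck
+            , "but slide doesn't belong to deck owned by", show fuid ]
+          Servant.throwError Servant.err404
+
     res <- runAWS env $ Aws.send $ DynamoDB.getItem "Slides" &
       DynamoDB.giKey .~ HMS.singleton "SlideId" (slideIdToAttributeValue slideId)
     case res of
@@ -655,7 +675,21 @@ slidesGetSlideId env _ _ slideId = do
         Servant.throwError Servant.err500
 
 slidesPost :: Aws.Env -> Firebase.UserId -> DeckId -> Slide -> Servant.Handler (Item SlideId Slide)
-slidesPost env _ _ slide = do
+slidesPost env fuid deckId slide = do
+
+    getDeck env deckId >>= \case
+      Nothing -> do
+        liftIO $ putStrLn $ unwords
+          [ "Trying to POST slide", show slide, "of deck", show deckId
+          , "but deck doesn't exist." ]
+        Servant.throwError Servant.err404
+      Just deck@Deck{deckOwnerId} -> do
+        when (Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId)) $ do
+          liftIO $ putStrLn $ unwords $
+            [ "Trying to POST slide", show slide, "of deck", show deck
+            , "but requester is not the owner", show fuid ]
+          Servant.throwError Servant.err404
+
     slideId <- liftIO $ SlideId <$> newId
 
     res <- runAWS env $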
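Review bot: The deck lookup plus owner comparison added to slidesGetSlideId and slidesPost is the same block pasted twice, and any other slide handler that takes a DeckId (PUT/DELETE are not in this hunk) needs it as well; one `requireOwnedDeck :: Aws.Env -> Firebase.UserId -> DeckId -> Servant.Handler Deck` keeps the authorization decision in a single place so a later handler cannot omit it or get the `Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId)` comparison subtly wrong. The denied-request log lines also print `show deck` and `show slide`, i.e. the full stored deck and the caller-supplied request body, to stdout; logging `show deckId`, `show slideId` and `show fuid` gives the same forensic value without copying deck content and attacker-controlled input into the logs. Answering a non-owner with 404 rather than 403 is the right call because it hides whether the deck exists, and deserves a one-line comment such as `-- 404, not 403: a non-owner must not learn whether the deck exists` so it is not "fixed" later. slidesPost's body continues past the end of the hunk, so whether the new slide is also linked into the deck's `deckSlides` (which the GET path now requires) cannot be confirmed from here.
```haskell
-- | Load the deck and fail with 404 unless it exists and is owned by @fuid@.
-- 404, not 403: a non-owner must not learn whether the deck exists.
requireOwnedDeck :: Aws.Env -> Firebase.UserId -> DeckId -> Servant.Handler Deck
requireOwnedDeck env fuid deckId = getDeck env deckId >>= \case
    Nothing -> do
      liftIO $ putStrLn $ unwords [ "Deck", show deckId, "doesn't exist" ]
      Servant.throwError Servant.err404
    Just deck@Deck{deckOwnerId}
      | Firebase.unUserId fuid /= unFirebaseId (unUserId deckOwnerId) -> do
          liftIO $ putStrLn $ unwords
            [ "Deck", show deckId, "is not owned by requester", show fuid ]
          Servant.throwError Servant.err404
      | otherwise -> pure deck

slidesGetSlideId env fuid deckId slideId = do
    Deck{deckSlides} <- requireOwnedDeck env fuid deckId
    unless (slideId `elem` deckSlides) $ do
      liftIO $ putStrLn $ unwords
        [ "Slide", show slideId, "doesn't belong to deck", show deckId ]
      Servant.throwError Servant.err404
    -- … unchanged: DynamoDB getItem on "Slides" and result handling …

slidesPost env fuid deckId slide = do
    _ <- requireOwnedDeck env fuid deckId
    -- … unchanged: newId, DynamoDB putItem …
```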
