From 26e0c5eee0ccc01f330265ece37f77be058af143 Mon Sep 17 00:00:00 2001
From: H1rono
Date: Thu, 20 Apr 2023 17:10:47 +0900
Subject: [PATCH 1/3] Add middlewares
---
 router/items.go | 12 ------------
 router/middleware.go | 25 +++++++++++++++++++++++++
 router/router.go | 40 +++++++++++++++++++++++++++++++++++-----
 router/users.go | 4 ----
 4 files changed, 60 insertions(+), 21 deletions(-)
diff --git a/router/items.go b/router/items.go
index 8eaed0d1..e5449cc6 100644
--- a/router/items.go
+++ b/router/items.go
@@ -68,10 +68,6 @@ func PostItems(c echo.Context) error {
 if err := BindAndValidate(c, &item); err != nil {
 return c.JSON(http.StatusBadRequest, err)
 }
- // item.Type=0⇒個人、1⇒trap所有、2⇒支援課
- if item.Type != model.PersonalItem && !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
 res, err := model.CreateItem(item)
 if err != nil {
 return c.JSON(http.StatusBadRequest, err)
@@ -129,14 +125,10 @@ func PutItem(c echo.Context) error {
 // DeleteItem DELETE /items/:id
 func DeleteItem(c echo.Context) error {
 ID := c.Param("id")
- user := c.Get("user").(model.User)
 itemID, err := strconv.Atoi(ID)
 if err != nil {
 return c.JSON(http.StatusBadRequest, err)
 }
- if !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
 item, err := model.GetItemByID(uint(itemID))
 if err != nil {
 return c.JSON(http.StatusNotFound, err)
@@ -182,10 +174,6 @@ func PostOwners(c echo.Context) error {
 if item.Type == model.SienkaItem {
 user, _ = model.GetUserByName("sienka")
 }
- // item.Type=0⇒個人、1⇒trap(id:1)所有、2⇒支援課(id:2)
- if item.Type != model.PersonalItem && !me.Admin {
- return c.NoContent(http.StatusForbidden)
- }
 owner := model.Owner{
 UserID: user.ID,
 Rentalable: body.Rentalable,
diff --git a/router/middleware.go b/router/middleware.go
index bfdd322c..5ac6fef5 100644
--- a/router/middleware.go
+++ b/router/middleware.go
@@ -25,6 +25,31 @@ func (client *UserProvider) MiddlewareAuthUser(next echo.HandlerFunc) echo.Handl
 }
 }
+// MiddlewareAdmin Admin以外を弾くmiddleware
+func MiddlewareAdmin(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ user := c.Get("user").(model.User)
+ if !user.Admin {
+ return c.NoContent(http.StatusForbidden)
+ }
+ return next(c)
+ }
+}
+
+// MiddlewareItemSocial ItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
+func MiddlewareItemSocial(getItem func(c echo.Context) model.Item) func(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ item := getItem(c)
+ user := c.Get("user").(model.User)
+ if item.Type != model.PersonalItem && !user.Admin {
+ return c.NoContent(http.StatusForbidden)
+ }
+ return next(c)
+ }
+ }
+}
+
 func CreateUserProvider(debugUserName string) *UserProvider {
 return &UserProvider{AuthUser: func(c echo.Context) (echo.Context, error) {
 res := debugUserName
diff --git a/router/router.go b/router/router.go
index ed74a859..071c689a 100644
--- a/router/router.go
+++ b/router/router.go
@@ -1,9 +1,14 @@
 package router
 import (
+ "bytes"
+ "encoding/json"
+ "io/ioutil"
 "net/http"
+ "strconv"
 "github.com/labstack/echo/middleware"
+ "github.com/traPtitech/booQ/model"
 "github.com/labstack/echo"
 )
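Review bot: `MiddlewareItemSocial` fails open whenever `getItem` cannot resolve the item: its `func(c echo.Context) model.Item` contract has no error channel, so the closures in router.go's `SetupRouting` hunk hand back `model.Item{}` on a body-read or unmarshal error, a non-numeric `:id`, or a `GetItemByID` failure, and a zero `Type` passes the `item.Type != model.PersonalItem` test if `PersonalItem` is the zero value, as the removed items.go comment `item.Type=0⇒個人` suggests. The authorization then rests entirely on the handler repeating the parse. Let the getter report failure and reject on it: `getItem func(c echo.Context) (model.Item, error)` and `item, err := getItem(c); if err != nil { return c.NoContent(http.StatusBadRequest) }`. The unchecked `c.Get("user").(model.User)` assertion in both middlewares panics if a route is mounted without `MiddlewareAuthUser` ahead of it; the group wiring is outside this hunk, so that is an assumption to confirm.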
@@ -20,18 +25,43 @@ func SetupRouting(e *echo.Echo, client *UserProvider) {
 {
 apiUsers.GET("", GetUsers)
 apiUsers.GET("/me", GetUsersMe)
- apiUsers.PUT("", PutUsers)
+ apiUsers.PUT("", PutUsers, MiddlewareAdmin)
 }
 apiItems := api.Group("/items")
 {
 apiItems.GET("", GetItems)
- apiItems.POST("", PostItems)
+ apiItems.POST("", PostItems, MiddlewareItemSocial(func(c echo.Context) model.Item {
+ item := model.Item{}
+ body, err := ioutil.ReadAll(c.Request().Body)
+ if err != nil {
+ return model.Item{}
+ }
+ c.Request().Body = ioutil.NopCloser(bytes.NewBuffer(body))
+ if err = json.Unmarshal(body, &item); err != nil {
+ return model.Item{}
+ }
+ return item
+ }))
 apiItems.GET("/:id", GetItem)
 apiItems.PUT("/:id", PutItem)
- apiItems.DELETE("/:id", DeleteItem)
- apiItems.POST("/:id/owners", PostOwners)
- apiItems.PUT("/:id/owners", PutOwners)
+ apiItems.DELETE("/:id", DeleteItem, MiddlewareAdmin)
+ apiItems.POST("/:id/owners", PostOwners, MiddlewareItemSocial(func(c echo.Context) model.Item {
+ itemID, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
+ return model.Item{}
+ }
+ item, _ := model.GetItemByID(uint(itemID))
+ return item
+ }))
+ apiItems.PUT("/:id/owners", PutOwners, MiddlewareItemSocial(func(c echo.Context) model.Item {
+ itemID, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
+ return model.Item{}
+ }
+ item, _ := model.GetItemByID(uint(itemID))
+ return item
+ }))
 apiItems.POST("/:id/logs", PostLogs)
 apiItems.POST("/:id/comments", PostComments)
 apiItems.POST("/:id/likes", PostLikes)
diff --git a/router/users.go b/router/users.go
index c24cd067..cbe9b873 100644
--- a/router/users.go
+++ b/router/users.go
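Review bot: The POST /items closure makes the authorization decision on a `json.Unmarshal` of the raw body, while `PostItems` then acts on whatever `BindAndValidate` produces; if the two parsers disagree on a request (a non-JSON content type, a differently tagged field, or any decode error, which here yields `model.Item{}`), the item that was authorized is not the item that gets created. Bind once and hand the bound value on, for example `c.Set("item", item)` in the middleware with the handler reading that instead of re-parsing, so check and action see the same data. `ioutil.ReadAll(c.Request().Body)` is also unbounded; wrapping the body with `http.MaxBytesReader` before reading keeps a large body from being buffered in full and then held again in the `NopCloser` replay copy. The two `/:id/owners` closures are identical and could be one named function. `SetupRouting` continues outside the hunk.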
@@ -35,14 +35,10 @@ func PutUsers(c echo.Context) error {
 return c.JSON(http.StatusBadRequest, err)
 }
- user := c.Get("user").(model.User)
 prevUser, err := model.GetUserByName(req.Name)
 if err != nil {
 return c.JSON(http.StatusForbidden, err)
 }
- if !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
 if req.Admin == prevUser.Admin {
 return c.NoContent(http.StatusBadRequest)
 }
From e72a26d737b9cc63ed19cb91f0113af26c46b605 Mon Sep 17 00:00:00 2001
From: H1rono
Date: Thu, 18 May 2023 18:37:56 +0900
Subject: [PATCH 2/3] Modify middlewares
---
 router/middleware.go | 44 +++++++++++++++++++++++++++++++++++---------
 router/router.go | 36 +++--------------------------------
 2 files changed, 38 insertions(+), 42 deletions(-)
diff --git a/router/middleware.go b/router/middleware.go
index 5ac6fef5..21f5e270 100644
--- a/router/middleware.go
+++ b/router/middleware.go
@@ -1,8 +1,12 @@
 package router
 import (
+ "bytes"
+ "encoding/json"
 "errors"
+ "io/ioutil"
 "net/http"
+ "strconv"
 "github.com/labstack/echo"
@@ -36,17 +40,39 @@ func MiddlewareAdmin(next echo.HandlerFunc) echo.HandlerFunc {
 }
 }
-// MiddlewareItemSocial ItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
-func MiddlewareItemSocial(getItem func(c echo.Context) model.Item) func(next echo.HandlerFunc) echo.HandlerFunc {
- return func(next echo.HandlerFunc) echo.HandlerFunc {
- return func(c echo.Context) error {
- item := getItem(c)
- user := c.Get("user").(model.User)
- if item.Type != model.PersonalItem && !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
+// MiddlewareBodyItemSocial リクエストボディから取得したItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
+func MiddlewareBodyItemSocial(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ body, err := ioutil.ReadAll(c.Request().Body)
+ if err != nil {
+ return next(c)
+ }
+ c.Request().Body = ioutil.NopCloser(bytes.NewBuffer(body))
+ item := model.Item{}
+ if err = json.Unmarshal(body, &item); err != nil {
+ return next(c)
+ }
+ user := c.Get("user").(model.User)
+ if item.Type != model.PersonalItem && !user.Admin {
+ return c.NoContent(http.StatusForbidden)
+ }
+ return next(c)
+ }
+}
+
+// MiddlewareParamItemSocial パラメータから取得したItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
+func MiddlewareParamItemSocial(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ itemID, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
 return next(c)
 }
+ item, _ := model.GetItemByID(uint(itemID))
+ user := c.Get("user").(model.User)
+ if item.Type != model.PersonalItem && !user.Admin {
+ return c.NoContent(http.StatusForbidden)
+ }
+ return next(c)
 }
 }
diff --git a/router/router.go b/router/router.go
index 071c689a..c6cb3756 100644
--- a/router/router.go
+++ b/router/router.go
@@ -1,14 +1,9 @@
 package router
 import (
- "bytes"
- "encoding/json"
- "io/ioutil"
 "net/http"
- "strconv"
 "github.com/labstack/echo/middleware"
- "github.com/traPtitech/booQ/model"
 "github.com/labstack/echo"
 )
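Review bot: Both new middlewares still fail open: `MiddlewareBodyItemSocial` answers a body-read or unmarshal error with `return next(c)`, skipping the admin check entirely, and `MiddlewareParamItemSocial` does the same for a non-numeric `:id` and discards the `GetItemByID` error with `item, _ :=`, so an unknown id reaches the check as a zero `model.Item` that passes the `PersonalItem` test. An authorization middleware should reject what it cannot evaluate: `return c.NoContent(http.StatusBadRequest)` at the two error sites, and `item, err := model.GetItemByID(uint(itemID)); if err != nil { return c.NoContent(http.StatusNotFound) }` in the param variant. The body is still read with an unbounded `ioutil.ReadAll`; `http.MaxBytesReader` or `io.LimitReader` on `c.Request().Body` bounds the buffer that the `NopCloser` replay copy then keeps alive for the handler. If the module targets Go 1.16 or later, `io.ReadAll` and `io.NopCloser` replace the deprecated `ioutil` calls.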
@@ -31,37 +26,12 @@ func SetupRouting(e *echo.Echo, client *UserProvider) {
 apiItems := api.Group("/items")
 {
 apiItems.GET("", GetItems)
- apiItems.POST("", PostItems, MiddlewareItemSocial(func(c echo.Context) model.Item {
- item := model.Item{}
- body, err := ioutil.ReadAll(c.Request().Body)
- if err != nil {
- return model.Item{}
- }
- c.Request().Body = ioutil.NopCloser(bytes.NewBuffer(body))
- if err = json.Unmarshal(body, &item); err != nil {
- return model.Item{}
- }
- return item
- }))
+ apiItems.POST("", PostItems, MiddlewareBodyItemSocial)
 apiItems.GET("/:id", GetItem)
 apiItems.PUT("/:id", PutItem)
 apiItems.DELETE("/:id", DeleteItem, MiddlewareAdmin)
- apiItems.POST("/:id/owners", PostOwners, MiddlewareItemSocial(func(c echo.Context) model.Item {
- itemID, err := strconv.Atoi(c.Param("id"))
- if err != nil {
- return model.Item{}
- }
- item, _ := model.GetItemByID(uint(itemID))
- return item
- }))
- apiItems.PUT("/:id/owners", PutOwners, MiddlewareItemSocial(func(c echo.Context) model.Item {
- itemID, err := strconv.Atoi(c.Param("id"))
- if err != nil {
- return model.Item{}
- }
- item, _ := model.GetItemByID(uint(itemID))
- return item
- }))
+ apiItems.POST("/:id/owners", PostOwners, MiddlewareParamItemSocial)
+ apiItems.PUT("/:id/owners", PutOwners, MiddlewareParamItemSocial)
 apiItems.POST("/:id/logs", PostLogs)
 apiItems.POST("/:id/comments", PostComments)
 apiItems.POST("/:id/likes", PostLikes)
From f03ee8da7ca3682041f2b0126a2579fa11d58b9f Mon Sep 17 00:00:00 2001
From: H1rono
Date: Tue, 4 Jul 2023 22:10:23 +0900
Subject: [PATCH 3/3] :recycle: Use Context::Set
---
 router/items.go | 4 ++--
 router/middleware.go | 13 +++---------
 2 files changed, 5 insertions(+), 12 deletions(-)
diff --git a/router/items.go b/router/items.go
index e5449cc6..be83dd3a 100644
--- a/router/items.go
+++ b/router/items.go
@@ -64,8 +64,8 @@ func GetItems(c echo.Context) error {
 // PostItems POST /items
 func PostItems(c echo.Context) error {
 user := c.Get("user").(model.User)
- item := model.Item{}
- if err := BindAndValidate(c, &item); err != nil {
+ item := c.Get("item").(model.Item)
+ if err := c.Validate(&item); err != nil {
 return c.JSON(http.StatusBadRequest, err)
 }
 res, err := model.CreateItem(item)
diff --git a/router/middleware.go b/router/middleware.go
index 21f5e270..fd24b95b 100644
--- a/router/middleware.go
+++ b/router/middleware.go
@@ -1,10 +1,7 @@
 package router
 import (
- "bytes"
- "encoding/json"
 "errors"
- "io/ioutil"
 "net/http"
 "strconv"
@@ -43,15 +40,11 @@ func MiddlewareAdmin(next echo.HandlerFunc) echo.HandlerFunc {
 // MiddlewareBodyItemSocial リクエストボディから取得したItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
 func MiddlewareBodyItemSocial(next echo.HandlerFunc) echo.HandlerFunc {
 return func(c echo.Context) error {
- body, err := ioutil.ReadAll(c.Request().Body)
- if err != nil {
- return next(c)
- }
- c.Request().Body = ioutil.NopCloser(bytes.NewBuffer(body))
 item := model.Item{}
- if err = json.Unmarshal(body, &item); err != nil {
- return next(c)
+ if err := c.Bind(&item); err != nil {
+ return err
 }
+ c.Set("item", item)
 user := c.Get("user").(model.User)
 if item.Type != model.PersonalItem && !user.Admin {
 return c.NoContent(http.StatusForbidden)
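Review bot: `item := c.Get("item").(model.Item)` is a single-value type assertion, so if `PostItems` is ever registered without `MiddlewareBodyItemSocial` in front of it, or the middleware order changes, `c.Get("item")` is nil and the handler panics instead of returning an error. Use the two-value form and fail explicitly: `item, ok := c.Get("item").(model.Item)` followed by `if !ok { return c.NoContent(http.StatusInternalServerError) }`. The handler now validates after the middleware has already authorized on the unvalidated value; that ordering is safe only because a validation failure rejects the request, which deserves a one-line comment at the `c.Validate` call. The rest of `PostItems` continues outside the hunk.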
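Review bot: The doc comment on `MiddlewareBodyItemSocial` still describes only the rejection rule, but the function now owns the body bind and publishes the result under the context key `"item"` that `PostItems` depends on; that contract should be stated, e.g. `// MiddlewareBodyItemSocial binds the request body into a model.Item, stores it in the context under "item" for the handler, and rejects non-admins when the item is not a PersonalItem.` A shared named constant for the key, `const itemContextKey = "item"`, used here and in `PostItems`, would keep the two sides from drifting apart. Returning the `c.Bind` error directly is fine provided echo maps it to a 400, which this hunk does not show. The closure's `return next(c)` and closing braces lie outside the hunk.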