Add middlewares

router/items.go

@@ -64,14 +64,10 @@ func GetItems(c echo.Context) error {
 // PostItems POST /items
 func PostItems(c echo.Context) error {
 	user := c.Get("user").(model.User)
-	item := model.Item{}
-	if err := BindAndValidate(c, &item); err != nil {
+	item := c.Get("item").(model.Item)
+	if err := c.Validate(&item); err != nil {
 		return c.JSON(http.StatusBadRequest, err)
 	}
-	// item.Type=0⇒個人、1⇒trap所有、2⇒支援課
-	if item.Type != model.PersonalItem && !user.Admin {
-		return c.NoContent(http.StatusForbidden)
-	}
 	res, err := model.CreateItem(item)
 	if err != nil {
 		return c.JSON(http.StatusBadRequest, err)
@@ -129,14 +125,10 @@ func PutItem(c echo.Context) error {
 // DeleteItem DELETE /items/:id
 func DeleteItem(c echo.Context) error {
 	ID := c.Param("id")
-	user := c.Get("user").(model.User)
 	itemID, err := strconv.Atoi(ID)
 	if err != nil {
 		return c.JSON(http.StatusBadRequest, err)
 	}
-	if !user.Admin {
-		return c.NoContent(http.StatusForbidden)
-	}
 	item, err := model.GetItemByID(uint(itemID))
 	if err != nil {
 		return c.JSON(http.StatusNotFound, err)
@@ -182,10 +174,6 @@ func PostOwners(c echo.Context) error {
 	if item.Type == model.SienkaItem {
 		user, _ = model.GetUserByName("sienka")
 	}
-	// item.Type=0⇒個人、1⇒trap(id:1)所有、2⇒支援課(id:2)
-	if item.Type != model.PersonalItem && !me.Admin {
-		return c.NoContent(http.StatusForbidden)
-	}
 	owner := model.Owner{
 		UserID:     user.ID,
 		Rentalable: body.Rentalable,

router/middleware.go

@@ -3,6 +3,7 @@ package router
 import (
 	"errors"
 	"net/http"
+	"strconv"
 
 	"github.com/labstack/echo"
 
@@ -25,6 +26,49 @@ func (client *UserProvider) MiddlewareAuthUser(next echo.HandlerFunc) echo.Handl
 	}
 }
 
+// MiddlewareAdmin Admin以外を弾くmiddleware
+func MiddlewareAdmin(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		user := c.Get("user").(model.User)
+		if !user.Admin {
+			return c.NoContent(http.StatusForbidden)
+		}
+		return next(c)
+	}
+}
+
+// MiddlewareBodyItemSocial リクエストボディから取得したItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
+func MiddlewareBodyItemSocial(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		item := model.Item{}
+		if err := c.Bind(&item); err != nil {
+			return err
+		}
+		c.Set("item", item)
+		user := c.Get("user").(model.User)
+		if item.Type != model.PersonalItem && !user.Admin {
+			return c.NoContent(http.StatusForbidden)
+		}
+		return next(c)
+	}
+}
+
+// MiddlewareParamItemSocial パラメータから取得したItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
+func MiddlewareParamItemSocial(next echo.HandlerFunc) echo.HandlerFunc {
+	return func(c echo.Context) error {
+		itemID, err := strconv.Atoi(c.Param("id"))
+		if err != nil {
+			return next(c)
+		}
+		item, _ := model.GetItemByID(uint(itemID))
+		user := c.Get("user").(model.User)
+		if item.Type != model.PersonalItem && !user.Admin {
+			return c.NoContent(http.StatusForbidden)
+		}
+		return next(c)
+	}
+}
+
 func CreateUserProvider(debugUserName string) *UserProvider {
 	return &UserProvider{AuthUser: func(c echo.Context) (echo.Context, error) {
 		res := debugUserName

router/router.go

@@ -20,18 +20,18 @@ func SetupRouting(e *echo.Echo, client *UserProvider) {
 		{
 			apiUsers.GET("", GetUsers)
 			apiUsers.GET("/me", GetUsersMe)
-			apiUsers.PUT("", PutUsers)
+			apiUsers.PUT("", PutUsers, MiddlewareAdmin)
 		}
 
 		apiItems := api.Group("/items")
 		{
 			apiItems.GET("", GetItems)
-			apiItems.POST("", PostItems)
+			apiItems.POST("", PostItems, MiddlewareBodyItemSocial)
 			apiItems.GET("/:id", GetItem)
 			apiItems.PUT("/:id", PutItem)
-			apiItems.DELETE("/:id", DeleteItem)
-			apiItems.POST("/:id/owners", PostOwners)
-			apiItems.PUT("/:id/owners", PutOwners)
+			apiItems.DELETE("/:id", DeleteItem, MiddlewareAdmin)
+			apiItems.POST("/:id/owners", PostOwners, MiddlewareParamItemSocial)
+			apiItems.PUT("/:id/owners", PutOwners, MiddlewareParamItemSocial)
 			apiItems.POST("/:id/logs", PostLogs)
 			apiItems.POST("/:id/comments", PostComments)
 			apiItems.POST("/:id/likes", PostLikes)

router/users.go

@@ -35,14 +35,10 @@ func PutUsers(c echo.Context) error {
 		return c.JSON(http.StatusBadRequest, err)
 	}
 
-	user := c.Get("user").(model.User)
 	prevUser, err := model.GetUserByName(req.Name)
 	if err != nil {
 		return c.JSON(http.StatusForbidden, err)
 	}
-	if !user.Admin {
-		return c.NoContent(http.StatusForbidden)
-	}
 	if req.Admin == prevUser.Admin {
 		return c.NoContent(http.StatusBadRequest)
 	}