traPtitech · H1rono · Apr 20, 2023 · May 18, 2023 · Jul 4, 2023 · ryoha000
diff --git a/router/items.go b/router/items.go
@@ -68,10 +68,6 @@ func PostItems(c echo.Context) error {
  if err := BindAndValidate(c, &item); err != nil {
  return c.JSON(http.StatusBadRequest, err)
  }
- // item.Type=0⇒個人、1⇒trap所有、2⇒支援課
- if item.Type != model.PersonalItem && !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
  res, err := model.CreateItem(item)
  if err != nil {
  return c.JSON(http.StatusBadRequest, err)
@@ -129,14 +125,10 @@ func PutItem(c echo.Context) error {
 // DeleteItem DELETE /items/:id
 func DeleteItem(c echo.Context) error {
  ID := c.Param("id")
- user := c.Get("user").(model.User)
  itemID, err := strconv.Atoi(ID)
  if err != nil {
  return c.JSON(http.StatusBadRequest, err)
  }
- if !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
  item, err := model.GetItemByID(uint(itemID))
  if err != nil {
  return c.JSON(http.StatusNotFound, err)
@@ -182,10 +174,6 @@ func PostOwners(c echo.Context) error {
  if item.Type == model.SienkaItem {
  user, _ = model.GetUserByName("sienka")
  }
- // item.Type=0⇒個人、1⇒trap(id:1)所有、2⇒支援課(id:2)
- if item.Type != model.PersonalItem && !me.Admin {
- return c.NoContent(http.StatusForbidden)
- }
  owner := model.Owner{
  UserID: user.ID,
  Rentalable: body.Rentalable,

diff --git a/router/middleware.go b/router/middleware.go
@@ -25,6 +25,31 @@ func (client *UserProvider) MiddlewareAuthUser(next echo.HandlerFunc) echo.Handl
  }
 }
 
+// MiddlewareAdmin Admin以外を弾くmiddleware
+func MiddlewareAdmin(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ user := c.Get("user").(model.User)
+ if !user.Admin {
+ return c.NoContent(http.StatusForbidden)
+ }
+ return next(c)
+ }
+}
+
+// MiddlewareItemSocial ItemがPersonalItemでない場合はAdmin以外を弾くmiddleware
+func MiddlewareItemSocial(getItem func(c echo.Context) model.Item) func(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(next echo.HandlerFunc) echo.HandlerFunc {
+ return func(c echo.Context) error {
+ item := getItem(c)
+ user := c.Get("user").(model.User)
+ if item.Type != model.PersonalItem && !user.Admin {
+ return c.NoContent(http.StatusForbidden)
+ }
+ return next(c)
+ }
+ }
+}
+
 func CreateUserProvider(debugUserName string) *UserProvider {
  return &UserProvider{AuthUser: func(c echo.Context) (echo.Context, error) {
  res := debugUserName

diff --git a/router/router.go b/router/router.go
@@ -1,9 +1,14 @@
 package router
 
 import (
+ "bytes"
+ "encoding/json"
+ "io/ioutil"
  "net/http"
+ "strconv"
 
  "github.com/labstack/echo/middleware"
+ "github.com/traPtitech/booQ/model"
 
  "github.com/labstack/echo"
 )
@@ -20,18 +25,43 @@ func SetupRouting(e *echo.Echo, client *UserProvider) {
  {
  apiUsers.GET("", GetUsers)
  apiUsers.GET("/me", GetUsersMe)
- apiUsers.PUT("", PutUsers)
+ apiUsers.PUT("", PutUsers, MiddlewareAdmin)
  }
 
  apiItems := api.Group("/items")
  {
  apiItems.GET("", GetItems)
- apiItems.POST("", PostItems)
+ apiItems.POST("", PostItems, MiddlewareItemSocial(func(c echo.Context) model.Item {
+ item := model.Item{}
+ body, err := ioutil.ReadAll(c.Request().Body)
+ if err != nil {
+ return model.Item{}
+ }
+ c.Request().Body = ioutil.NopCloser(bytes.NewBuffer(body))
+ if err = json.Unmarshal(body, &item); err != nil {
+ return model.Item{}
+ }
+ return item
+ }))
  apiItems.GET("/:id", GetItem)
  apiItems.PUT("/:id", PutItem)
- apiItems.DELETE("/:id", DeleteItem)
- apiItems.POST("/:id/owners", PostOwners)
- apiItems.PUT("/:id/owners", PutOwners)
+ apiItems.DELETE("/:id", DeleteItem, MiddlewareAdmin)
+ apiItems.POST("/:id/owners", PostOwners, MiddlewareItemSocial(func(c echo.Context) model.Item {
+ itemID, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
+ return model.Item{}
+ }
+ item, _ := model.GetItemByID(uint(itemID))
+ return item
+ }))
+ apiItems.PUT("/:id/owners", PutOwners, MiddlewareItemSocial(func(c echo.Context) model.Item {
+ itemID, err := strconv.Atoi(c.Param("id"))
+ if err != nil {
+ return model.Item{}
+ }
+ item, _ := model.GetItemByID(uint(itemID))
+ return item
+ }))
  apiItems.POST("/:id/logs", PostLogs)
  apiItems.POST("/:id/comments", PostComments)
  apiItems.POST("/:id/likes", PostLikes)

diff --git a/router/users.go b/router/users.go
@@ -35,14 +35,10 @@ func PutUsers(c echo.Context) error {
  return c.JSON(http.StatusBadRequest, err)
  }
 
- user := c.Get("user").(model.User)
  prevUser, err := model.GetUserByName(req.Name)
  if err != nil {
  return c.JSON(http.StatusForbidden, err)
  }
- if !user.Admin {
- return c.NoContent(http.StatusForbidden)
- }
  if req.Admin == prevUser.Admin {
  return c.NoContent(http.StatusBadRequest)
  }