server: Don't match household id with tuples

2023-05-29 22:01:20 +02:00 · 2023-05-29 22:01:20 +02:00 · 14fbde812f
commit 14fbde812f
parent d5f3edc33f
2 changed files with 19 additions and 12 deletions
--- a/src/routes/household.rs
+++ b/src/routes/household.rs
@ -13,12 +13,13 @@ use api::{
    AddToHouseholdRequest, CreateHouseholdRequest, CreateHouseholdResponse, EmptyResponse,
    Households,
 };
+use serde::Deserialize;

 use super::{AppState, AuthenticatedUser, RouteError};
 use crate::entity::{household, household_members, prelude::*};

 #[derive(Debug)]
-pub(super) struct AuthorizedHousehold(Uuid);
+pub(super) struct AuthorizedHousehold(pub household::Model);

 #[async_trait]
 impl<S> FromRequestParts<S> for AuthorizedHousehold
@ -35,18 +36,24 @@ where

        let user = AuthenticatedUser::from_request_parts(parts, state).await?;

-        let Path(household): Path<Uuid> = Path::from_request_parts(parts, state).await?;
+        #[derive(Deserialize)]
+        struct HouseholdPathParam {
+            house_id: Uuid,
+        }

-        let matching_count = user
+        let Path(household): Path<HouseholdPathParam> =
+            Path::from_request_parts(parts, state).await?;
+
+        let household = user
            .model
            .find_related(Household)
-            .filter(household::Column::Id.eq(household))
-            .count(&app_state.db)
+            .filter(household::Column::Id.eq(household.house_id))
+            .one(&app_state.db)
            .await?;

-        match matching_count {
-            0 => Err(RouteError::Unauthorized),
-            _ => Ok(AuthorizedHousehold(household)),
+        match household {
+            None => Err(RouteError::Unauthorized),
+            Some(household) => Ok(AuthorizedHousehold(household)),
        }
    }
 }
@ -101,7 +108,7 @@ pub(super) async fn add_member(
    Json(request): Json<AddToHouseholdRequest>,
 ) -> super::JsonResult<EmptyResponse> {
    let member = household_members::ActiveModel {
-        household: ActiveValue::Set(household),
+        household: ActiveValue::Set(household.id),
        user: ActiveValue::Set(request.user),
    };

@ -130,11 +137,11 @@ pub(super) async fn leave(
    user: AuthenticatedUser,
    state: State<AppState>,
 ) -> super::JsonResult<EmptyResponse> {
-    HouseholdMembers::delete_by_id((household, user.model.id))
+    HouseholdMembers::delete_by_id((household.id, user.model.id))
        .exec(&state.db)
        .await?;

-    let Some(household) = Household::find_by_id(household)
+    let Some(household) = Household::find_by_id(household.id)
        .one(&state.db)
        .await? else {
        return Ok(Json(EmptyResponse {}));
--- a/src/routes/mod.rs
+++ b/src/routes/mod.rs
@ -181,7 +181,7 @@ pub(crate) fn router(api_allowed: Option<HeaderValue>) -> Router<AppState> {
                .layer(mk_service(vec![Method::GET, Method::POST])),
        )
        .route(
-            "/household/:id",
+            "/household/:house_id",
            put(household::add_member)
                .delete(household::leave)
                .layer(mk_service(vec![Method::PUT, Method::DELETE])),