From 14fbde812f64a66259d8e6ac8544bac0e9ea37a3 Mon Sep 17 00:00:00 2001
From: traxys
Date: Mon, 29 May 2023 22:01:20 +0200
Subject: [PATCH] server: Don't match household id with tuples
---
 src/routes/household.rs | 29 ++++++++++++++++++-----------
 src/routes/mod.rs | 2 +-
 2 files changed, 19 insertions(+), 12 deletions(-)
diff --git a/src/routes/household.rs b/src/routes/household.rs
index e8dc37b..46da2a6 100644
--- a/src/routes/household.rs
+++ b/src/routes/household.rs
@@ -13,12 +13,13 @@ use api::{
 AddToHouseholdRequest, CreateHouseholdRequest, CreateHouseholdResponse, EmptyResponse, Households,
 };
+use serde::Deserialize;
 use super::{AppState, AuthenticatedUser, RouteError};
 use crate::entity::{household, household_members, prelude::*};
 #[derive(Debug)]
-pub(super) struct AuthorizedHousehold(Uuid);
+pub(super) struct AuthorizedHousehold(pub household::Model);
 #[async_trait]
 impl FromRequestParts for AuthorizedHousehold
@@ -35,18 +36,24 @@ where
 let user = AuthenticatedUser::from_request_parts(parts, state).await?;
- let Path(household): Path = Path::from_request_parts(parts, state).await?;
+ #[derive(Deserialize)]
+ struct HouseholdPathParam {
+ house_id: Uuid,
+ }
- let matching_count = user
+ let Path(household): Path =
+ Path::from_request_parts(parts, state).await?;
+
+ let household = user
 .model
 .find_related(Household)
- .filter(household::Column::Id.eq(household))
- .count(&app_state.db)
+ .filter(household::Column::Id.eq(household.house_id))
+ .one(&app_state.db)
 .await?;
- match matching_count {
- 0 => Err(RouteError::Unauthorized),
- _ => Ok(AuthorizedHousehold(household)),
+ match household {
+ None => Err(RouteError::Unauthorized),
+ Some(household) => Ok(AuthorizedHousehold(household)),
 }
 }
 }
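Review bot: In the `@@ -13,12 +13,13 @@` hunk of src/routes/household.rs, `AuthorizedHousehold(pub household::Model)` makes the wrapped value public, so any code that can name this `pub(super)` type can build one from an arbitrary model without passing the membership query in `from_request_parts`. The type serves as proof that the caller belongs to the household, so I would keep the field private and expose read access only, e.g. `pub(super) fn model(&self) -> &household::Model { &self.0 }` (the `pub` was presumably added so sibling route modules can read the model). A doc comment on the struct saying it is only constructed by the extractor after the membership check would make that invariant explicit.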
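Review bot: In the `@@ -35,18 +36,24 @@` hunk, `HouseholdPathParam` ties this extractor to a path segment named exactly `house_id`, so a route that uses `AuthorizedHousehold` with any other segment name (as `/household/:id` did before the src/routes/mod.rs hunk of this patch) is rejected at request time rather than at compile time. I would state that contract on the type, e.g. `/// Routes using this extractor must name the household segment :house_id.`, and add a router test that exercises each such route. The `None => Err(RouteError::Unauthorized)` arm answers the same way for a missing household and for a non-member, which keeps the response from revealing which ids exist; a one-line comment marking that as intentional would protect it from later "cleanup". The enclosing `from_request_parts` starts outside the hunk.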
@@ -101,7 +108,7 @@ pub(super) async fn add_member(
 Json(request): Json,
 ) -> super::JsonResult {
 let member = household_members::ActiveModel {
- household: ActiveValue::Set(household),
+ household: ActiveValue::Set(household.id),
 user: ActiveValue::Set(request.user),
 };
@@ -130,11 +137,11 @@ pub(super) async fn leave(
 user: AuthenticatedUser,
 state: State,
 ) -> super::JsonResult {
- HouseholdMembers::delete_by_id((household, user.model.id))
+ HouseholdMembers::delete_by_id((household.id, user.model.id))
 .exec(&state.db)
 .await?;
- let Some(household) = Household::find_by_id(household)
+ let Some(household) = Household::find_by_id(household.id)
 .one(&state.db)
 .await? else {
 return Ok(Json(EmptyResponse {}));
diff --git a/src/routes/mod.rs b/src/routes/mod.rs
index 661e9d8..2a41fdf 100644
--- a/src/routes/mod.rs
+++ b/src/routes/mod.rs
@@ -181,7 +181,7 @@ pub(crate) fn router(api_allowed: Option) -> Router {
 .layer(mk_service(vec![Method::GET, Method::POST])),
 )
 .route(
- "/household/:id",
+ "/household/:house_id",
 put(household::add_member)
 .delete(household::leave)
 .layer(mk_service(vec![Method::PUT, Method::DELETE])),
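Review bot: In `add_member` (`@@ -101,7 +108,7 @@`), `user: ActiveValue::Set(request.user)` takes the target user id straight from the JSON body, and nothing in the visible lines checks that the target account exists or agreed to join; `AuthorizedHousehold` only establishes the caller's own membership. If the rest of the function, which continues outside the hunk, does not cover this, any member can enrol an arbitrary account in their household. Consider an invitation/acceptance step, or at least record the intended policy above the handler, e.g. `// Any current member may add any user; the added user's consent is not required.`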
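Review bot: In `leave` (`@@ -130,11 +137,11 @@`), the membership delete and the following `Household::find_by_id(household.id)` lookup run as two independent statements on `state.db`. The function continues past the hunk; if it goes on to remove a household that has no members left, a concurrent `add_member` or a second `leave` could interleave between the steps. Running them in one transaction would close that window: `let txn = state.db.begin().await?;` (needs `sea_orm::TransactionTrait` in scope), pass `&txn` to both queries, then `txn.commit().await?;`. The `let Some(household)` rebinding also shadows the extractor's model, so a distinct name such as `remaining` would read more clearly.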