diff --git a/src/db/doll.rs b/src/db/doll.rs
index fcedf40..1e153ef 100644
--- a/src/db/doll.rs
+++ b/src/db/doll.rs
@@ -112,7 +112,11 @@ pub async fn create(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Resul
 }
 /// editing a doll_profile will also unarchive it
-pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<()> {
+pub async fn edit(
+ db: &mut DbHook,
+ bound_account_id: &Uuid,
+ doll: CreateDollProfile<'_>,
+) -> sqlx::Result<()> {
 sqlx::query!(
 r#"
 update doll_profiles
@@ -132,7 +136,7 @@ pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<
 chassis_color = $14,
 archived_at = null,
 updated_at = current_timestamp
- where id = $15
+ where id = $15 and bound_to_id = $16
 "#,
 doll.microchip_id,
 doll.name,
@@ -149,6 +153,7 @@ pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<
 doll.chassis_id,
 doll.chassis_color,
 doll.id,
+ bound_account_id
 )
 .execute(&mut **db)
 .await?;
@@ -164,7 +169,7 @@ pub async fn edit(db: &mut DbHook, doll: CreateDollProfile<'_>) -> sqlx::Result<
 /// the account holder to "re-create" one with this ID.
 ///
 /// A period of time after which deleted accounts will have their IDs freed is to be set.
-pub async fn delete(trx: &mut TrxHook<'_>, id: i32) -> sqlx::Result<()> {
+pub async fn delete(trx: &mut TrxHook<'_>, id: i32, bound_account_id: &Uuid) -> sqlx::Result<()> {
 sqlx::query!(
 r#"
 update doll_profiles
@@ -184,9 +189,10 @@ pub async fn delete(trx: &mut TrxHook<'_>, id: i32) -> sqlx::Result<()> {
 chassis_color = null,
 updated_at = current_timestamp,
 archived_at = current_timestamp
- where id = $1
+ where id = $1 and bound_to_id = $2
 "#,
- id
+ id,
+ bound_account_id
 )
 .execute(&mut **trx)
 .await?;
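Review bot: The doc comment above `edit` in src/db/doll.rs still only says that editing unarchives the profile, and the one above `delete` (the `@@ -164,7 +169,7 @@` hunk) is likewise unchanged, so neither states the ownership contract that the new `bound_account_id` parameter introduces. I would add a line to each such as `/// Only affects a profile bound to bound_account_id; an unknown id or a profile of another account matches no row.` Both function bodies continue outside their hunks.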
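Review bot: With `where id = $15 and bound_to_id = $16` in `edit`, a request naming a profile bound to another account now updates zero rows, but the statement's result is dropped by `.await?;`, so as far as these hunks show the caller cannot tell a refused write from a successful one. The same holds for `where id = $1 and bound_to_id = $2` in `delete`; in src/routes/account.rs `confirm_delete` then commits and reaches its `warn!(` either way, which presumably records a deletion that did not happen, and `handle_edit_tag` in src/routes/form/register_tag.rs has the same blind spot. I would keep the result and check it: `let res = sqlx::query!(…).execute(&mut **db).await?;` followed by `if res.rows_affected() == 0 { return Err(sqlx::Error::RowNotFound); }`. Both function bodies continue outside the hunks, so confirm no such check already exists below.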
@@ -206,7 +212,7 @@ pub async fn delete_all_from_account(trx: &mut TrxHook<'_>, from: &Uuid) -> sqlx
 .fetch_all(&mut **trx)
 .await?;
 for tag in tags {
- delete(trx, tag.id).await?;
+ delete(trx, tag.id, from).await?;
 }
 // 2. unlink archived tags from the account
diff --git a/src/routes/account.rs b/src/routes/account.rs
index cc2e05f..0244ac0 100644
--- a/src/routes/account.rs
+++ b/src/routes/account.rs
@@ -244,20 +244,24 @@ pub async fn export_data(
 pub async fn ask_delete(
 mut db: DollTagsDb,
 id: i32,
- _user: User,
+ user: User,
 meta: CommonTemplateState,
 ) -> PageResult {
 let db_tag = doll::get(&mut *db, id, "", false).await?;
 if let Some(tag) = db_tag {
- Ok(Template::render(
- "tag/delete",
- context! {
- meta,
- tag,
- },
- )
- .into())
+ if tag.bound_to_id != user.id {
+ Ok(Redirect::to(uri!("/account", index)).into())
+ } else {
+ Ok(Template::render(
+ "tag/delete",
+ context! {
+ meta,
+ tag,
+ },
+ )
+ .into())
+ }
 } else {
 Ok(Redirect::to(uri!("/account", index)).into())
 }
@@ -271,7 +275,7 @@ pub async fn confirm_delete(
 client_ip: IpAddr,
 ) -> PageResult {
 let mut trx = db.begin().await?;
- doll::delete(&mut trx, id).await?;
+ doll::delete(&mut trx, id, &user.id).await?;
 trx.commit().await?;
 warn!(
diff --git a/src/routes/form/register_tag.rs b/src/routes/form/register_tag.rs
index 79620f9..8720764 100644
--- a/src/routes/form/register_tag.rs
+++ b/src/routes/form/register_tag.rs
@@ -80,7 +80,7 @@ impl From for FakeContext {
 pub async fn show_edit_tag(
 mut db: DollTagsDb,
 id: &str,
- _user: User,
+ user: User,
 meta: CommonTemplateState,
 ) -> PageResult {
 let normalized_id = match id_public_to_db(id) {
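Review bot: In `ask_delete` (src/routes/account.rs) the new `tag.bound_to_id != user.id` branch redirects without leaving any trace, so a logged-in account walking through tag ids it does not own is indistinguishable from a stale link. A log line in that branch would make such requests visible to whoever reads the logs, e.g. `warn!("account {} requested the delete page of tag {} bound to another account", user.id, id);`, using the `warn!` macro this file already calls in `confirm_delete`. Answering with the same redirect as for a missing tag is the right response, since it does not reveal which ids exist. The same silent redirect is added to `show_edit_tag` in src/routes/form/register_tag.rs; whether `warn!` is in scope there is not visible.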
@@ -88,7 +88,13 @@ pub async fn show_edit_tag(
 None => return Ok(Redirect::to(uri!("/account", account::index)).into()),
 };
 let tag = match doll::get(&mut *db, normalized_id, "", true).await? {
- Some(v) => v,
+ Some(v) => {
+ if v.bound_to_id != user.id {
+ return Ok(Redirect::to(uri!("/account", account::index)).into());
+ }
+
+ v
+ }
 None => return Ok(Redirect::to(uri!("/account", account::index)).into()),
 };
@@ -290,6 +296,7 @@ pub async fn handle_edit_tag(
 doll::edit(
 &mut *db,
+ &user.id,
 CreateDollProfile {
 id,
 microchip_id,
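Review bot: The ownership check in `show_edit_tag` reads more directly as a match guard than as a block with an early return, and it puts both rejection cases on a single arm: `Some(v) if v.bound_to_id == user.id => v,` followed by `_ => return Ok(Redirect::to(uri!("/account", account::index)).into()),`. Behaviour stays the same, since a missing tag and a tag bound to another account already produce the identical redirect. The nested `if`/`else` added to `ask_delete` in src/routes/account.rs repeats its redirect in the same way and could be folded likewise. The function continues outside the hunk.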