Protect GET /trips with a session cookie

When an admin requests /trips, they see all of the trips in the Trips
table. When a user requests /trips, they see only their trips.
William Carroll 2020-07-31 10:55:10 +01:00
parent 75437b01b6
commit 7d64011cbd
3 changed files with 18 additions and 4 deletions


@ -48,6 +48,7 @@ type API =
:> Delete '[JSON] NoContent :> Delete '[JSON] NoContent
-- trips: List -- trips: List
:<|> "trips" :<|> "trips"
:> SessionCookie
:> Get '[JSON] [T.Trip] :> Get '[JSON] [T.Trip]
-- Miscellaneous -- Miscellaneous
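Review bot: The `-- trips: List` comment above this endpoint no longer tells a reader that the route is session-protected and that its result depends on the caller's role; the added `:> SessionCookie` makes the cookie requirement visible in the type, but not that admins receive every trip while other accounts receive only their own, which is what the handler in this commit does. Suggest `-- trips: List (requires a session cookie; admins see all trips, other accounts only their own)`. The `API` type continues outside the hunk.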


@ -126,8 +126,15 @@ server T.Config{..} = createAccount
liftIO $ Trips.delete dbFile tripPK liftIO $ Trips.delete dbFile tripPK
pure NoContent pure NoContent
listTrips :: Handler [T.Trip] listTrips :: T.SessionCookie -> Handler [T.Trip]
listTrips = liftIO $ Trips.list dbFile listTrips cookie = do
mAccount <- liftIO $ Auth.accountFromCookie dbFile cookie
case mAccount of
Nothing -> throwError err401 { errBody = "Your session cookie is invalid. Try logging out and logging back in." }
Just T.Account{..} ->
case accountRole of
T.Admin -> liftIO $ Trips.listAll dbFile
_ -> liftIO $ Trips.list dbFile accountUsername
login :: T.AccountCredentials login :: T.AccountCredentials
-> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent) -> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)
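Review bot: The `_ ->` branch of the `accountRole` match silently routes every role other than `T.Admin`, including any constructor added later, to the per-user `Trips.list`. That is the safe direction (fail closed to the narrower view), but the intent is unstated, and matching the remaining constructors explicitly would make GHC flag a new role instead of quietly treating it as a regular user; if the wildcard is kept, record it with `-- Any non-admin role, present or future, is restricted to its own trips.` Whether the `Nothing` branch covers an expired session as well as a malformed cookie or a deleted account depends on `Auth.accountFromCookie`, which is outside the hunk, so the "logging out and logging back in" advice in the 401 body may not fit every case — worth confirming. `server` starts before this hunk and `login` continues after it.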


@ -22,6 +22,12 @@ delete dbFile tripPK =
(tripPK |> T.tripPKFields) (tripPK |> T.tripPKFields)
-- | Return a list of all of the trips in `dbFile`. -- | Return a list of all of the trips in `dbFile`.
list :: FilePath -> IO [T.Trip] listAll :: FilePath -> IO [T.Trip]
list dbFile = withConnection dbFile $ \conn -> listAll dbFile = withConnection dbFile $ \conn ->
query_ conn "SELECT username,destination,startDate,endDate,comment FROM Trips" query_ conn "SELECT username,destination,startDate,endDate,comment FROM Trips"
-- | Return a list of all of the trips in `dbFile`.
list :: FilePath -> T.Username -> IO [T.Trip]
list dbFile username = withConnection dbFile $ \conn ->
query conn "SELECT username,destination,startDate,endDate,comment FROM Trips WHERE username = ?"
(Only username)
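Review bot: The Haddock on the new `list` (the `-- |` line directly above `list :: FilePath -> T.Username -> IO [T.Trip]`) is copied from `listAll` and still says it returns all of the trips in the database, but the query now filters with `WHERE username = ?`. Suggest changing it to "Return the trips in `dbFile` that belong to `username`." and sharpening the one on `listAll` to "Return every trip in `dbFile` regardless of owner; callers are expected to have checked the requester's role first." The username is passed through `(Only username)` as a bound parameter rather than spliced into the query string, which is the right way to build this filter; keep that pattern if further filters are added.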