Protect GET /trips with a session cookie
When an admin requests /trips, they see all of the trips in the Trips table. When a user requests /trips, they see only their trips.
This commit is contained in:
parent
75437b01b6
commit
7d64011cbd
3 changed files with 18 additions and 4 deletions
@ -48,6 +48,7 @@ type API =
:> Delete '[JSON] NoContent
:> Delete '[JSON] NoContent
-- trips: List
-- trips: List
:<|> "trips"
:<|> "trips"
:> SessionCookie
:> Get '[JSON] [T.Trip]
:> Get '[JSON] [T.Trip]
-- Miscellaneous
-- Miscellaneous
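--- a/src/App.hs
+++ b/src/App.hs
@@ -126,8 +126,15 @@ server T.Config{..} = createAccount
 liftIO $ Trips.delete dbFile tripPK
 pure NoContent
 
-listTrips :: Handler [T.Trip]
-listTrips = liftIO $ Trips.list dbFile
+listTrips :: T.SessionCookie -> Handler [T.Trip]
+listTrips cookie = do
+mAccount <- liftIO $ Auth.accountFromCookie dbFile cookie
+case mAccount of
+Nothing -> throwError err401 { errBody = "Your session cookie is invalid. Try logging out and logging back in." }
+Just T.Account{..} ->
+case accountRole of
+T.Admin -> liftIO $ Trips.listAll dbFile
+_ -> liftIO $ Trips.list dbFile accountUsername
 
 login :: T.AccountCredentials
 -> Handler (Headers '[Header "Set-Cookie" SetCookie] NoContent)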
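Review bot: `listTrips` gets no Haddock even though it now encodes an authorization rule; suggest `-- | List the trips visible to the session's account: every trip for an admin, otherwise only the trips filed under the account's own username.` above the new signature. The `_ ->` fallback in `case accountRole of` scopes every role other than `T.Admin` down to its own trips, which is the right least-privilege default, but matching each role constructor explicitly would let `-Wincomplete-patterns` flag a future role that needs a different scope instead of silently inheriting this one. The cookie lookup followed by the `err401` rejection is also the shape every protected handler will need; if further endpoints gain a `SessionCookie`, lifting it into a helper returning `Handler T.Account` keeps the rejection path identical everywhere. The enclosing `server` definition starts before and continues after this hunk.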
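--- a/src/Trips.hs
+++ b/src/Trips.hs
@@ -22,6 +22,12 @@ delete dbFile tripPK =
 (tripPK |> T.tripPKFields)
 
 -- | Return a list of all of the trips in `dbFile`.
-list :: FilePath -> IO [T.Trip]
-list dbFile = withConnection dbFile $ \conn ->
+listAll :: FilePath -> IO [T.Trip]
+listAll dbFile = withConnection dbFile $ \conn ->
 query_ conn "SELECT username,destination,startDate,endDate,comment FROM Trips"
+
+-- | Return a list of all of the trips in `dbFile`.
+list :: FilePath -> T.Username -> IO [T.Trip]
+list dbFile username = withConnection dbFile $ \conn ->
+query conn "SELECT username,destination,startDate,endDate,comment FROM Trips WHERE username = ?"
+(Only username)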
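Review bot: The Haddock added above the new `list` is copied verbatim from `listAll` and claims it returns all of the trips in `dbFile`, which is no longer true — it returns only the rows whose `username` column matches the argument. Suggest `-- | Return the trips in `dbFile` filed under `username`.` so the two comments describe the two different contracts. Keeping them distinct matters because that difference is the per-account authorization boundary App.hs now relies on when it picks `list` over `listAll`. Binding the filter through the `?` placeholder and `Only username` keeps the session-derived username out of the SQL text, which is what makes driving this query from cookie data safe.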