allow user to move secret between safes

2024-01-12 12:55:49 +11:00
parent a3333cebb6
commit 083fb0ebe1
3 changed files with 101 additions and 22 deletions
--- a/controllers/storeSecrets.go
+++ b/controllers/storeSecrets.go
@@ -229,7 +229,7 @@ func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
 func UpdateSecret(c *gin.Context) {
 	var err error
 	var input SecretInput
-	var user_id int
+	var UserId int

 	if err := c.ShouldBindJSON(&input); err != nil {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "UpdateSecret error binding to input JSON : " + err.Error()})
@@ -260,7 +260,7 @@ func UpdateSecret(c *gin.Context) {
 		c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
 		return
 	} else {
-		user_id = val.(int)
+		UserId = val.(int)
 		//log.Printf("user_id: %v\n", user_id)
 	}

@@ -271,10 +271,12 @@ func UpdateSecret(c *gin.Context) {
 	s.DeviceName = input.DeviceName
 	s.DeviceCategory = input.DeviceCategory

-	secretList, err := models.SecretsGetAllowed(&s, user_id)
+	secretList, err := models.SecretsGetAllowed(&s, UserId)

 	if err != nil {
-		c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("error determining secret : '%s'", err)})
+		errString := fmt.Sprintf("error determining secret : '%s'", err)
+		log.Printf("UpdateSecret %s\n", errString)
+		c.JSON(http.StatusBadRequest, gin.H{"error": errString})
 		return
 	}

@@ -293,6 +295,39 @@ func UpdateSecret(c *gin.Context) {
 			return
 		}

+		// Check for correct safe
+		if input.SafeId > 0 {
+			if input.SafeId != secretList[0].Secret.SafeId {
+
+				// Check if user has access to the new safe
+				allowedSafes, err := models.UserGetSafesAllowed(UserId)
+				if err != nil {
+					errString := fmt.Sprintf("error determining allowed safes : '%s'", err)
+					log.Printf("UpdateSecret %s\n", errString)
+					c.JSON(http.StatusBadRequest, gin.H{"error": errString})
+					return
+				}
+
+				allowedFound := false
+				for i := range allowedSafes {
+					if allowedSafes[i].SafeId == input.SafeId {
+						allowedFound = true
+						break
+					}
+				}
+
+				if !allowedFound {
+					errString := "secret cannot be moved into inaccessible safe"
+					log.Printf("UpdateSecret %s\n", errString)
+					c.JSON(http.StatusBadRequest, gin.H{"error": errString})
+					return
+				}
+
+				log.Printf("UpdateSecret moving secret id '%d' into safe id '%d'\n", secretList[0].SecretId, input.SafeId)
+				s.SafeId = input.SafeId
+			}
+		}
+
 		s.SecretId = secretList[0].SecretId

 		// check for empty fields in the update request and update from the existing record