adding can_get_user middleware

dsullivan7 · dsullivan7 · commit 460ae76c250d · 2025-02-05T17:37:53.000-05:00
diff --git a/src/handlers/authorization.rs b/src/handlers/authorization.rs
@@ -1,7 +1,7 @@
 use anyhow::anyhow;
 use axum::{
     body::Body,
-    extract::{Request, State},
+    extract::{Path, Request, State},
     http::Response,
     middleware::Next,
     Extension,
@@ -44,3 +44,49 @@ pub async fn can_list_users(
 
     Err(errors::ServerError::Unauthorized)
 }
+
+pub async fn can_get_user(
+    State(state): State<AppState>,
+    Extension(claims): Extension<Claims>,
+    Path(user_id): Path<String>,
+    req: Request,
+    next: Next,
+) -> Result<Response<Body>, errors::ServerError> {
+    let conn = &*state.conn.clone();
+    let authorization = state.authorization.clone();
+
+    let user_actor = User::find()
+        .filter(models::user::Column::Auth0Id.eq(claims.sub.to_owned()))
+        .one(conn)
+        .await
+        .map_err(|err| errors::ServerError::Internal(anyhow!(err)))?
+        .ok_or(errors::ServerError::Unauthorized)?;
+
+    let user_resource: models::user::Model = (|| -> Result<_, errors::ServerError> {
+        if user_id == "me" {
+            return Ok(User::find()
+                .filter(models::user::Column::Auth0Id.eq(claims.sub.to_owned()))
+                .one(conn));
+        }
+        let user_id_uuid = uuid::Uuid::parse_str(user_id.as_str())
+            .map_err(|err| errors::ServerError::InvalidUUID(anyhow!(err)))?;
+        Ok(User::find_by_id(user_id_uuid).one(conn))
+    })()?
+    .await
+    .map_err(|err| errors::ServerError::Internal(anyhow!(err)))?
+    .ok_or(errors::ServerError::NotFound)?;
+
+    let is_authorized = authorization.can_get_user(
+        AuthzUser {
+            user_id: user_actor.user_id.to_owned(),
+            role: user_actor.role.to_owned(),
+        },
+        user_resource.user_id.to_owned(),
+    );
+
+    if is_authorized {
+        return Ok(next.run(req).await);
+    }
+
+    Err(errors::ServerError::Unauthorized)
+}
diff --git a/src/handlers/routes.rs b/src/handlers/routes.rs
@@ -35,7 +35,13 @@ pub fn router(app_state: AppState) -> Router {
                     authorization_middleware::can_list_users,
                 )),
             )
-            .route("/users/{user_id}", get(users::get_user))
+            .route(
+                "/users/{user_id}",
+                get(users::get_user).layer(middleware::from_fn_with_state(
+                    app_state.clone(),
+                    authorization_middleware::can_get_user,
+                )),
+            )
             .route("/users", post(users::create_user))
             .route("/users/{user_id}", put(users::modify_user))
             .route("/users/{user_id}", delete(users::delete_user))
diff --git a/src/handlers/users_test.rs b/src/handlers/users_test.rs
@@ -33,6 +33,8 @@ mod tests {
         };
 
         let conn = MockDatabase::new(DatabaseBackend::Postgres)
+            .append_query_results(vec![vec![user_db.clone()]])
+            .append_query_results(vec![vec![user_db.clone()]])
             .append_query_results(vec![vec![user_db.clone()]])
             .into_connection();
 
