fix: add role limit

handler/article.go

@@ -1,11 +1,13 @@
 package handler
 
 import (
-	"github.com/gin-gonic/gin"
+	"nCovTrack-Backend/global"
 	"nCovTrack-Backend/models"
 	"nCovTrack-Backend/service/article"
 	"nCovTrack-Backend/utils"
 	"strconv"
+
+	"github.com/gin-gonic/gin"
 )
 
 // SaveArticleHandler save an article
@@ -19,7 +21,13 @@ import (
 // @Param Token header string true "token"
 func SaveArticleHandler(c *gin.Context) {
 	jsonMap := bindJson(c)
+	claims := utils.ClaimsFromHeader(c)
+	if claims.Role != global.ROLE_ID_MAP["ADMIN"] {
+		Forbidden(c)
+		return
+	}
 	if jsonMap == nil {
+		RequestErr(c, map[string]interface{}{"URI": c.Request.RequestURI})
 		return
 	}
 	colMap := models.MapJ2c[models.BackArticle](jsonMap, true)
@@ -30,7 +38,7 @@ func SaveArticleHandler(c *gin.Context) {
 	utils.Succ(c, jsonMap)
 }
 
-// GetAllArticlesHandler get all article
+// ListPublishedArticlesHandler get all article
 // @Tags Article
 // @Accept json
 // @Produce json
@@ -39,9 +47,28 @@ func SaveArticleHandler(c *gin.Context) {
 // @Success 200 {object} utils.GinResponse{data=[]models.BackArticle}
 // @Router /article/list [get]
 // @Param Token header string false "token"
-func GetAllArticlesHandler(c *gin.Context) {
+func ListPublishedArticlesHandler(c *gin.Context) {
 	// TODO: admin need to show more articles
-	articles := article.ListAllArticles()
+	articles := article.ListPublishedArticles()
+	utils.Succ(c, articles)
+}
+
+func ListArticlesByUser(c *gin.Context) {
+	published := c.Param("published")
+	claims := utils.ClaimsFromHeader(c)
+	if claims.Role != global.ROLE_ID_MAP["ADMIN"] {
+		Forbidden(c)
+		return
+	}
+	var articles *[]models.ListArtile
+	if published == "published" {
+		articles = article.ListPublishedArticlesByUser(claims.ID)
+	} else if published == "notpublished" {
+		articles = article.ListNotPublishedArticlesByUser(claims.ID)
+	} else {
+		UrlNotFound(c)
+		return
+	}
 	utils.Succ(c, articles)
 }
 
@@ -56,6 +83,11 @@ func GetAllArticlesHandler(c *gin.Context) {
 // @Param id path string true "id"
 func DeleteArticleHandler(c *gin.Context) {
 	id, err := strconv.Atoi(c.Param("id"))
+	claims := utils.ClaimsFromHeader(c)
+	if claims.Role == global.ROLE_ID_MAP["ADMIN"] {
+		Forbidden(c)
+		return
+	}
 	if err != nil {
 		RequestErr(c, map[string]interface{}{"URI": c.Request.RequestURI})
 		return
@@ -84,7 +116,6 @@ func GetArticleHandler(c *gin.Context) {
 		return
 	}
 	res := article.GetArticleById(id)
-	//TODO: if not admin, will not show not published article
 	if res == nil {
 		DataNotFound(c, nil)
 		return
@@ -103,6 +134,11 @@ func GetArticleHandler(c *gin.Context) {
 // @Param id path string true "id"
 func PublishArticleHandler(c *gin.Context) {
 	id, err := strconv.Atoi(c.Param("id"))
+	claims := utils.ClaimsFromHeader(c)
+	if claims.Role == global.ROLE_ID_MAP["ADMIN"] {
+		Forbidden(c)
+		return
+	}
 	if err != nil {
 		RequestErr(c, map[string]interface{}{"URI": c.Request.RequestURI})
 		return

handler/errors.go

@@ -12,6 +12,8 @@ const (
 	BAD_REQUEST           = "Bad Request"
 	DATA_NOT_FOUND        = "Data not Found"
 	STATUS_DATA_NOT_FOUND = 210
+	FORBIDDENT            = "FORBIDDENT"
+	PAGE_NOT_FOUND        = "404 page not found"
 )
 
 func RequestError(c *gin.Context, code int, data interface{}) {
@@ -31,3 +33,10 @@ func ServerErr(c *gin.Context, msg interface{}) {
 func DataNotFound(c *gin.Context, data interface{}) {
 	utils.Success(c, http.StatusOK, STATUS_DATA_NOT_FOUND, DATA_NOT_FOUND, data)
 }
+func Forbidden(c *gin.Context) {
+	utils.Err(c, http.StatusForbidden, http.StatusForbidden, FORBIDDENT)
+}
+
+func UrlNotFound(c *gin.Context) {
+	c.String(http.StatusNotFound, PAGE_NOT_FOUND)
+}

handler/user.go

@@ -1,11 +1,13 @@
 package handler
 
 import (
-	"github.com/gin-gonic/gin"
+	"nCovTrack-Backend/global"
 	"nCovTrack-Backend/models"
 	"nCovTrack-Backend/service/user"
 	"nCovTrack-Backend/utils"
 	"regexp"
+
+	"github.com/gin-gonic/gin"
 )
 
 //UserRegisterHandler user register
@@ -39,12 +41,16 @@ func UserRegisterHandler(c *gin.Context) {
 // @Param Token header string true "token"
 // @Param json body models.UserApprove true "json"
 func UserApproveHandler(c *gin.Context) {
-	//TODO: auth user is admin or not
+	claims := utils.ClaimsFromHeader(c)
+	if claims.Role != global.ROLE_ID_MAP["ADMIN"] {
+		Forbidden(c)
+		return
+	}
 	jsonMap := bindJsonStruct[models.UserApprove](c)
 	if jsonMap == nil {
 		return
 	}
-	if !user.ApproveRegister(jsonMap["email"].(string), jsonMap["pass"].(bool)) {
+	if !user.ApproveRegister(claims, jsonMap["email"].(string), jsonMap["pass"].(bool)) {
 		RequestErr(c, "approve failed")
 		return
 	}
@@ -79,10 +85,24 @@ func UserLoginHandler(c *gin.Context) {
 // @Produce json
 // @Summary list register infos, which is to be approved
 // @Success 200 {object} utils.GinResponse{}
-// @Router /user/registers [get]
+// @Router /user/registers/{approved} [get]
 // @Param Token header string true "token"
 func ListRegisterUserHandler(c *gin.Context) {
-	registers := user.ListRegister()
+	approved := c.Param("approved")
+	claims := utils.ClaimsFromHeader(c)
+	if claims.Role != global.ROLE_ID_MAP["ADMIN"] {
+		Forbidden(c)
+		return
+	}
+	var registers *[]map[string]interface{}
+	if approved == "notapproved" {
+		registers = user.ListRegister(claims)
+	} else if approved == "approved" {
+		registers = user.ListApprovedRegister(claims)
+	} else {
+		UrlNotFound(c)
+		return
+	}
 	utils.Succ(c, registers)
 }