
package arn
import (
"errors"
"github.com/aerogo/aero"
)
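// AuthorizeIfLoggedInAndOwnData authorizes the given request if a user is logged in
// and the user ID matches the ID in the request.
//
// The session's "userId" entry is compared with the route parameter named
// userIDParameterName. The check fails closed: a missing or non-string
// session value is treated like a mismatch rather than panicking, so a
// malformed session can never grant access to another user's data.
func AuthorizeIfLoggedInAndOwnData(ctx aero.Context, userIDParameterName string) error {
	if err := AuthorizeIfLoggedIn(ctx); err != nil {
		return err
	}

	// Two-value assertion, matching AuthorizeIfLoggedIn: an unexpected
	// session value yields an error instead of a runtime panic.
	userID, ok := ctx.Session().Get("userId").(string)
	if !ok || userID != ctx.Get(userIDParameterName) {
		return errors.New("Can not modify data from other users")
	}

	return nil
}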
// AuthorizeIfLoggedIn authorizes the given request if a user is logged in.
//
// A request counts as logged in only when it carries a session whose
// "userId" entry is a non-empty string; any other value is rejected.
func AuthorizeIfLoggedIn(ctx aero.Context) error {
	if !ctx.HasSession() {
		return errors.New("Neither logged in nor in session")
	}

	// Only a non-empty string user ID is accepted; a missing entry,
	// a different type, or an empty string all fall through to the error.
	switch id := ctx.Session().Get("userId").(type) {
	case string:
		if id != "" {
			return nil
		}
	}

	return errors.New("Not logged in")
}