// Update handles PUT
func (ctl *IgnoredController) Update(c *models.Context) {
m := models.IgnoreType{}
err := c.Fill(&m)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
if c.Auth.ProfileID < 1 {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
m.ProfileID = c.Auth.ProfileID
status, err := m.Update()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *MenuController) Delete(c *models.Context, siteID int64) {
// Start :: Auth
site, status, err := models.GetSite(siteID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Use the user ID to check, since the current context is a different site (the root site)
// than the site the owner profile is associated with.
owner, status, err := models.GetProfileSummary(site.ID, site.OwnedByID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
if owner.UserID != c.Auth.UserID {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// End :: Auth
status, err = models.DeleteMenu(siteID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Update handles PUT
func (ctl *ProfileReadController) Update(c *models.Context) {
if c.Auth.ProfileID == 0 {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
rs := models.ReadScopeType{}
err := c.Fill(&rs)
if err != nil {
glog.Errorln(err.Error())
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
itemTypeID, ok := h.ItemTypes[rs.ItemType]
if !ok {
c.RespondWithErrorMessage("Unknown item type", http.StatusBadRequest)
return
}
rs.ItemTypeID = itemTypeID
status, err := models.MarkScopeAsRead(c.Auth.ProfileID, rs)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *UserController) Delete(c *models.Context) {
_, _, itemID, status, err := c.GetItemTypeAndItemID()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
m, status, err := models.GetUser(itemID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
if !models.UserIsOnSite(m.ID, c.Site.ID) {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
status, err = m.Delete()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Delete(
c.Site.ID,
h.ItemTypes[h.ItemTypeUser],
itemID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// Delete handles DELETE
// Note: This only affects explicitly assigned roles and not roles implicitly
// included by criteria
func (ctl *RoleProfileController) Delete(c *models.Context) {
// Validate inputs
var microcosmID int64
if sid, exists := c.RouteVars["microcosm_id"]; exists {
id, err := strconv.ParseInt(sid, 10, 64)
if err != nil {
c.RespondWithErrorMessage("microcosm_id in URL is not a number", http.StatusBadRequest)
return
}
microcosmID = id
}
roleID, err := strconv.ParseInt(c.RouteVars["role_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage("role_id in URL is not a number", http.StatusBadRequest)
return
}
_, status, err := models.GetRole(c.Site.ID, microcosmID, roleID, c.Auth.ProfileID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
profileID, err := strconv.ParseInt(c.RouteVars["profile_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage("profile_id in URL is not a number", http.StatusBadRequest)
return
}
m := models.RoleProfileType{}
m.ID = profileID
// Authorisation
perms := models.GetPermission(
models.MakeAuthorisationContext(c, microcosmID, h.ItemTypes[h.ItemTypeMicrocosm], microcosmID),
)
if microcosmID > 0 {
// Related to a Microcosm
if !perms.IsModerator && !c.Auth.IsSiteOwner {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
} else {
// Default role for the site
if !c.Auth.IsSiteOwner {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
}
status, err = m.Delete(roleID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *AuthController) Delete(c *models.Context) {
// Extract access token from request and delete its record
m, status, err := models.GetAccessToken(c.RouteVars["id"])
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("Error retrieving access token: %v", err.Error()),
status,
)
return
}
status, err = m.Delete()
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("Error deleting access token: %v", err.Error()),
status,
)
return
}
audit.Delete(
c.Site.ID,
h.ItemTypes[h.ItemTypeAuth],
m.UserID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *AttachmentController) Delete(c *models.Context) {
itemTypeID, itemID, perms, status, err := ParseItemInfo(c)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
if !perms.IsSiteOwner && !perms.IsModerator && perms.IsOwner {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
fileHash := c.RouteVars["fileHash"]
if fileHash == "" {
c.RespondWithErrorMessage(
fmt.Sprintf("The supplied file hash cannot be zero characters: %s", c.RouteVars["fileHash"]),
http.StatusBadRequest,
)
return
}
metadata, status, err := models.GetMetadata(fileHash)
if err != nil {
if status == http.StatusNotFound {
c.RespondWithErrorMessage(
fmt.Sprintf("File does not have a metadata record"),
http.StatusBadRequest,
)
return
}
c.RespondWithErrorMessage(
fmt.Sprintf("Could not retrieve metadata: %v", err.Error()),
http.StatusBadRequest,
)
return
}
status, err = models.DeleteAttachment(itemTypeID, itemID, fileHash)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("Could not remove attachment: %v", err.Error()),
status,
)
return
}
// Update attach count on attachment_meta
metadata.AttachCount = metadata.AttachCount - 1
status, err = metadata.Update()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Update handles PUT
func (ctl *WatcherController) Update(c *models.Context) {
m := models.WatcherType{}
err := c.Fill(&m)
if err != nil {
glog.Warning(err)
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
itemType := strings.ToLower(m.ItemType)
if itemType != "" {
if _, exists := h.ItemTypes[itemType]; !exists {
glog.Warning(err)
c.RespondWithErrorMessage(
fmt.Sprintf("Watcher could not be saved: Item type not found"),
http.StatusBadRequest,
)
return
}
m.ItemTypeID = h.ItemTypes[itemType]
}
var status int
// watcher must exist to be updated
// Also the returned watcher ID belongs to the authed person by definition
// - no need to check later
m.ID, _, _, _, status, err = models.GetWatcherAndIgnoreStatus(
m.ItemTypeID,
m.ItemID,
c.Auth.ProfileID,
)
if err != nil {
glog.Error(err)
c.RespondWithErrorDetail(err, status)
return
}
// To update we only need id, SendEmail and SendSMS
status, err = m.Update()
if err != nil {
glog.Error(err)
c.RespondWithErrorMessage(
fmt.Sprintf("Could not update watcher: %v", err.Error()),
http.StatusBadRequest,
)
return
}
// Respond
c.RespondWithOK()
}
// UpdateMany handles PUT for the collection
func (ctl *AttributesController) UpdateMany(c *models.Context) {
_, itemTypeID, itemID, status, err := c.GetItemTypeAndItemID()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
ems := []models.AttributeType{}
err = c.Fill(&ems)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
for _, v := range ems {
if strings.Trim(v.Key, " ") == "" {
c.RespondWithErrorMessage(
"key must be supplied with every attribute when updating multiple attributes",
http.StatusBadRequest,
)
return
}
}
perms := models.GetPermission(models.MakeAuthorisationContext(c, 0, itemTypeID, itemID))
if !perms.CanUpdate {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
status, err = models.UpdateManyAttributes(itemTypeID, itemID, ems)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
for _, m := range ems {
audit.Replace(
c.Site.ID,
h.ItemTypes[h.ItemTypeAttribute],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *CommentController) Delete(c *models.Context) {
_, itemTypeID, itemID, status, err := c.GetItemTypeAndItemID()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Start Authorisation
perms := models.GetPermission(
models.MakeAuthorisationContext(
c, 0, itemTypeID, itemID),
)
if !perms.CanDelete {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// End Authorisation
// Partially instantiated type for Id passing
m, status, err := models.GetCommentSummary(c.Site.ID, itemID)
if err != nil {
if status == http.StatusNotFound {
c.RespondWithOK()
return
}
c.RespondWithErrorDetail(err, status)
return
}
// Delete resource
status, err = m.Delete(c.Site.ID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Delete(
c.Site.ID,
h.ItemTypes[h.ItemTypeComment],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *HuddleParticipantController) Delete(c *models.Context) {
huddleID, err := strconv.ParseInt(c.RouteVars["huddle_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage("huddle_id in URL is not a number", http.StatusBadRequest)
return
}
_, status, err := models.GetHuddle(c.Site.ID, c.Auth.ProfileID, huddleID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
profileID, err := strconv.ParseInt(c.RouteVars["profile_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage("profile_id in URL is not a number", http.StatusBadRequest)
return
}
// Start Authorisation
perms := models.GetPermission(
models.MakeAuthorisationContext(
c, 0, h.ItemTypes[h.ItemTypeHuddle], huddleID),
)
if !perms.CanDelete {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// End Authorisation
if profileID != c.Auth.ProfileID {
c.RespondWithErrorMessage("Only the participant in question can remove a participant from a huddle", http.StatusBadRequest)
return
}
m := models.HuddleParticipantType{}
m.ID = profileID
status, err = m.Delete(huddleID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *HuddleController) Delete(c *models.Context) {
_, itemTypeID, itemID, status, err := c.GetItemTypeAndItemID()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Start Authorisation
perms := models.GetPermission(
models.MakeAuthorisationContext(
c, 0, itemTypeID, itemID),
)
if !perms.CanDelete {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// End Authorisation
m, status, err := models.GetHuddle(c.Site.ID, c.Auth.ProfileID, itemID)
if err != nil {
if status == http.StatusNotFound {
c.RespondWithOK()
return
}
c.RespondWithErrorDetail(err, status)
return
}
status, err = m.Delete(c.Site.ID, c.Auth.ProfileID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Delete(
c.Site.ID,
h.ItemTypes[h.ItemTypeHuddle],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// Update handles PUT
func (ctl *MenuController) Update(c *models.Context, siteID int64) {
ems := []h.LinkType{}
// Start :: Auth
site, status, err := models.GetSite(siteID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Use the user ID to check, since the current context is a different site (the root site)
// than the site the owner profile is associated with.
owner, status, err := models.GetProfileSummary(site.ID, site.OwnedByID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
if owner.UserID != c.Auth.UserID {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// End :: Auth
err = c.Fill(&ems)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
status, err = models.UpdateMenu(siteID, ems)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *AttributeController) Delete(c *models.Context) {
_, itemTypeID, itemID, status, err := c.GetItemTypeAndItemID()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
key := c.RouteVars["key"]
m := models.AttributeType{}
m.Key = key
attributeID, status, err := models.GetAttributeID(itemTypeID, itemID, m.Key)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
m.ID = attributeID
status, err = m.Delete()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Delete(
c.Site.ID,
h.ItemTypes[h.ItemTypeAttribute],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// Update handles PUT
func (ctl *MetricsController) Update(c *models.Context) {
// Hard coded to only work for founders.
if c.Auth.UserID != 1 && c.Auth.UserID != 2 {
c.RespondWithErrorMessage(
fmt.Sprintf("Only founders can manually update metrics: %d", c.Auth.UserID),
http.StatusForbidden,
)
return
}
err := models.UpdateMetrics()
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("Error updating metrics: %+v", err),
http.StatusInternalServerError,
)
return
}
c.RespondWithOK()
return
}
// Patch handles PATCH
func (ctl *RoleController) Patch(c *models.Context) {
// Validate inputs
var microcosmID int64
if sid, exists := c.RouteVars["microcosm_id"]; exists {
id, err := strconv.ParseInt(sid, 10, 64)
if err != nil {
c.RespondWithErrorMessage("microcosm_id in URL is not a number", http.StatusBadRequest)
return
}
microcosmID = id
}
roleID, err := strconv.ParseInt(c.RouteVars["role_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage("microcosm_id in URL is not a number", http.StatusBadRequest)
return
}
patches := []h.PatchType{}
err = c.Fill(&patches)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
status, err := h.TestPatch(patches)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Start Authorisation
ac := models.MakeAuthorisationContext(c, microcosmID, h.ItemTypes[h.ItemTypeMicrocosm], microcosmID)
perms := models.GetPermission(ac)
if microcosmID > 0 {
// Related to a Microcosm
if !perms.IsModerator && !c.Auth.IsSiteOwner {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
} else {
// Default role for the site
if !c.Auth.IsSiteOwner {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
}
// All patches are 'replace'
for _, patch := range patches {
status, err := patch.ScanRawValue()
if !patch.Bool.Valid {
c.RespondWithErrorDetail(err, status)
return
}
switch patch.Path {
case "/moderator":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/moderator requires a bool value", http.StatusBadRequest)
return
}
case "/banned":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/banned requires a bool value", http.StatusBadRequest)
return
}
case "/read":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/read requires a bool value", http.StatusBadRequest)
return
}
case "/create":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/create requires a bool value", http.StatusBadRequest)
return
}
case "/update":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/update requires a bool value", http.StatusBadRequest)
return
}
case "/delete":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/delete requires a bool value", http.StatusBadRequest)
return
}
case "/closeOwn":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/closeOwn requires a bool value", http.StatusBadRequest)
return
}
case "/openOwn":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/openOwn requires a bool value", http.StatusBadRequest)
return
}
case "/readOthers":
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/readOthers requires a bool value", http.StatusBadRequest)
return
}
default:
c.RespondWithErrorMessage("Invalid patch operation path", http.StatusBadRequest)
return
}
}
// End Authorisation
m, status, err := models.GetRole(c.Site.ID, microcosmID, roleID, c.Auth.ProfileID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
status, err = m.Patch(ac, patches)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Update(
c.Site.ID,
h.ItemTypes[h.ItemTypeRole],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// UpdateMany handles PUT on the collection
func (ctl *AttendeesController) UpdateMany(c *models.Context) {
// Verify event_id is a positive integer
eventID, err := strconv.ParseInt(c.RouteVars["event_id"], 10, 64)
if err != nil {
glog.Errorln(err.Error())
c.RespondWithErrorMessage(
fmt.Sprintf("The supplied event ID ('%s') is not a number.", c.RouteVars["event_id"]),
http.StatusBadRequest,
)
return
}
ems := []models.AttendeeType{}
err = c.Fill(&ems)
if err != nil {
glog.Errorln(err.Error())
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
// Start : Authorisation
perms := models.GetPermission(
models.MakeAuthorisationContext(
c, 0, h.ItemTypes[h.ItemTypeEvent], eventID),
)
if !perms.CanCreate {
c.RespondWithErrorDetail(
e.New(c.Site.ID, c.Auth.ProfileID, "attendees.go::UpdateMany", e.NoCreate, "Not authorized to create attendee: CanCreate false"),
http.StatusForbidden,
)
return
}
// Everyone can set self to any status. Event/site owners can set people to any status apart from 'attending'.
// Also check that profile exists on site.
if perms.IsOwner || perms.IsModerator || perms.IsSiteOwner {
for _, m := range ems {
if m.ProfileID != c.Auth.ProfileID && m.RSVP == "yes" {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
_, status, err := models.GetProfileSummary(c.Site.ID, m.ProfileID)
if err != nil {
c.RespondWithErrorMessage(h.NoAuthMessage, status)
return
}
}
} else {
for _, m := range ems {
if m.ProfileID != c.Auth.ProfileID {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
_, status, err := models.GetProfileSummary(c.Site.ID, m.ProfileID)
if err != nil {
c.RespondWithErrorMessage(h.NoAuthMessage, status)
return
}
}
}
// End : Authorisation
t := time.Now()
// Populate where applicable from auth and context
for i := range ems {
ems[i].EventID = eventID
ems[i].Meta.CreatedByID = c.Auth.ProfileID
ems[i].Meta.Created = t
ems[i].Meta.EditedNullable = pq.NullTime{Time: t, Valid: true}
ems[i].Meta.EditedByNullable = sql.NullInt64{Int64: c.Auth.ProfileID, Valid: true}
}
status, err := models.UpdateManyAttendees(c.Site.ID, ems)
if err != nil {
glog.Error(err)
c.RespondWithErrorDetail(err, status)
return
}
for _, m := range ems {
if m.RSVP == "yes" {
go models.SendUpdatesForNewAttendeeInAnEvent(c.Site.ID, m)
// The new attendee should be following the event now
go models.RegisterWatcher(
m.ProfileID,
h.UpdateTypes[h.UpdateTypeEventReminder],
m.EventID,
h.ItemTypes[h.ItemTypeEvent],
c.Site.ID,
)
}
audit.Replace(
c.Site.ID,
h.ItemTypes[h.ItemTypeAttendee],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
}
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *WatcherController) Delete(c *models.Context) {
_, _, itemID, status, err := c.GetItemTypeAndItemID()
if itemID != 0 {
m, status, err := models.GetWatcher(itemID, c.Site.ID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Check ownership
if c.Auth.ProfileID != m.ProfileID {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// Delete resource
status, err = m.Delete()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Fill from query string
m := models.WatcherType{}
itemID, itemType, status, err := h.GetItemAndItemType(c.Request.URL.Query())
if _, exists := h.ItemTypes[itemType]; !exists {
c.RespondWithErrorMessage(
fmt.Sprintf("Watcher could not be deleted: Item type not found"),
http.StatusBadRequest,
)
return
}
m.ItemTypeID = h.ItemTypes[itemType]
m.ID, _, _, _, status, err = models.GetWatcherAndIgnoreStatus(
m.ItemTypeID,
itemID,
c.Auth.ProfileID,
)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Get watcher item to delete it
m, status, err = models.GetWatcher(m.ID, c.Site.ID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Delete resource
status, err = m.Delete()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
c.RespondWithOK()
}
// Patch handles PATCH
func (ctl *EventController) Patch(c *models.Context) {
_, itemTypeID, itemID, status, err := c.GetItemTypeAndItemID()
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
patches := []h.PatchType{}
err = c.Fill(&patches)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The post data is invalid: %v", err.Error()),
http.StatusBadRequest,
)
return
}
status, err = h.TestPatch(patches)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Start Authorisation
ac := models.MakeAuthorisationContext(c, 0, itemTypeID, itemID)
perms := models.GetPermission(ac)
if !perms.CanUpdate {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// All patches are 'replace'
for _, patch := range patches {
status, err := patch.ScanRawValue()
if !patch.Bool.Valid {
c.RespondWithErrorDetail(err, status)
return
}
switch patch.Path {
case "/meta/flags/sticky":
// Only super users' can sticky and unsticky
if !perms.IsModerator {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/meta/flags/sticky requires a bool value", http.StatusBadRequest)
return
}
case "/meta/flags/open":
// Only super users' and item owners can open and close
if !(perms.IsModerator || perms.IsOwner) {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/meta/flags/open requires a bool value", http.StatusBadRequest)
return
}
case "/meta/flags/deleted":
// Only super users' can undelete, but super users' and owners can delete
if !patch.Bool.Valid {
c.RespondWithErrorMessage("/meta/flags/deleted requires a bool value", http.StatusBadRequest)
return
}
if (patch.Bool.Bool == false && !(perms.IsModerator || perms.IsOwner)) || !perms.IsModerator {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
case "/meta/flags/moderated":
if !perms.IsModerator {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
default:
c.RespondWithErrorMessage("Invalid patch operation path", http.StatusBadRequest)
return
}
}
// End Authorisation
m, status, err := models.GetEvent(c.Site.ID, itemID, c.Auth.ProfileID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
status, err = m.Patch(ac, patches)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Update(
c.Site.ID,
h.ItemTypes[h.ItemTypeEvent],
m.ID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}
// Delete handles DELETE
func (ctl *AttendeeController) Delete(c *models.Context) {
// Validate inputs
eventID, err := strconv.ParseInt(c.RouteVars["event_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The supplied event_id ('%s') is not a number.", c.RouteVars["event_id"]),
http.StatusBadRequest,
)
return
}
profileID, err := strconv.ParseInt(c.RouteVars["profile_id"], 10, 64)
if err != nil {
c.RespondWithErrorMessage(
fmt.Sprintf("The supplied profile_id ('%s') is not a number.", c.RouteVars["profile_id"]),
http.StatusBadRequest,
)
return
}
attendeeID, status, err := models.GetAttendeeID(eventID, profileID)
if err != nil {
c.RespondWithOK()
return
}
// Start Authorisation
perms := models.GetPermission(
models.MakeAuthorisationContext(
c, 0, h.ItemTypes[h.ItemTypeAttendee], attendeeID),
)
if !perms.CanDelete {
c.RespondWithErrorMessage(h.NoAuthMessage, http.StatusForbidden)
return
}
// End Authorisation
m, status, err := models.GetAttendee(c.Site.ID, attendeeID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
// Delete resource
status, err = m.Delete(c.Site.ID)
if err != nil {
c.RespondWithErrorDetail(err, status)
return
}
audit.Replace(
c.Site.ID,
h.ItemTypes[h.ItemTypeAttendee],
attendeeID,
c.Auth.ProfileID,
time.Now(),
c.IP,
)
c.RespondWithOK()
}