Admin pages: Make admin check independent of the session id

3bae62ec · Robert Czechowski · ce621a4f · 3bae62ec
Commit 3bae62ec authored May 14, 2020 by Robert Czechowski
--- a/src/core.rs
+++ b/src/core.rs
@@ -1050,10 +1050,9 @@ pub fn teacher_infos<T: MedalConnection>(conn: &T, session_token: &str, teacher_
 }

 pub fn admin_index<T: MedalConnection>(conn: &T, session_token: &str) -> MedalValueResult {
-    let session = conn.get_session(&session_token).ensure_logged_in().ok_or(MedalError::NotLoggedIn)?;
-    if session.id != 1 {
-        return Err(MedalError::AccessDenied);
-    }
+    conn.get_session(&session_token)
+        .ensure_logged_in().ok_or(MedalError::NotLoggedIn)?
+        .ensure_admin().ok_or(MedalError::AccessDenied)?;

    let data = json_val::Map::new();
    Ok(("admin".to_string(), data))
@@ -1068,10 +1067,9 @@ pub fn admin_search_users<T: MedalConnection>(conn: &T, session_token: &str,
                                               Option<String>))
                                              -> MedalValueResult
 {
-    let session = conn.get_session(&session_token).ensure_logged_in().ok_or(MedalError::NotLoggedIn)?;
-    if session.id != 1 {
-        return Err(MedalError::AccessDenied);
-    }
+    conn.get_session(&session_token)
+        .ensure_logged_in().ok_or(MedalError::NotLoggedIn)?
+        .ensure_admin().ok_or(MedalError::AccessDenied)?;

    let mut data = json_val::Map::new();

@@ -1094,10 +1092,9 @@ pub fn admin_search_users<T: MedalConnection>(conn: &T, session_token: &str,
 }

 pub fn admin_show_user<T: MedalConnection>(conn: &T, user_id: i32, session_token: &str) -> MedalValueResult {
-    let session = conn.get_session(&session_token).ensure_logged_in().ok_or(MedalError::NotLoggedIn)?;
-    if session.id != 1 {
-        return Err(MedalError::AccessDenied);
-    }
+    let session = conn.get_session(&session_token)
+        .ensure_logged_in().ok_or(MedalError::NotLoggedIn)?
+        .ensure_admin().ok_or(MedalError::AccessDenied)?;

    let mut data = json_val::Map::new();

@@ -1135,10 +1132,9 @@ pub fn admin_delete_user<T: MedalConnection>(conn: &T, user_id: i32, session_tok
 }

 pub fn admin_show_group<T: MedalConnection>(conn: &T, group_id: i32, session_token: &str) -> MedalValueResult {
-    let session = conn.get_session(&session_token).ensure_logged_in().ok_or(MedalError::NotLoggedIn)?;
-    if session.id != 1 {
-        return Err(MedalError::AccessDenied);
-    }
+    conn.get_session(&session_token)
+        .ensure_logged_in().ok_or(MedalError::NotLoggedIn)?
+        .ensure_admin().ok_or(MedalError::AccessDenied)?;

    let group = conn.get_group_complete(group_id).unwrap(); // TODO handle error