FlightScore/PenaltyTracker
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
68034dea7d39343c57a050a44cf9f3ebb4b85e6d
PenaltyTracker/competitions.go
T

253 lines
7.5 KiB
Go
Raw Blame History

package main
import (
"database/sql"
"encoding/json"
"net/http"
"strconv"
)
func registerCompetitionRoutes(mux *http.ServeMux) {
mux.HandleFunc("GET /api/competitions", requireAuth(handleListCompetitions))
mux.HandleFunc("POST /api/competitions", requireAdmin(handleCreateCompetition))
mux.HandleFunc("GET /api/competitions/{id}", requireAuth(handleGetCompetition))
mux.HandleFunc("PATCH /api/competitions/{id}", requireAuth(handleUpdateCompetition))
mux.HandleFunc("DELETE /api/competitions/{id}", requireAdmin(handleDeleteCompetition))
mux.HandleFunc("GET /api/competitions/{id}/members", requireAuth(handleListMembers))
mux.HandleFunc("POST /api/competitions/{id}/members", requireAuth(handleAddMember))
mux.HandleFunc("DELETE /api/competitions/{id}/members/{uid}", requireAuth(handleRemoveMember))
}
func userRole(competitionID, userID int64) (string, error) {
var role string
err := db.QueryRow("SELECT role FROM competition_users WHERE competition_id=? AND user_id=?", competitionID, userID).Scan(&role)
if err == sql.ErrNoRows {
return "", nil
}
return role, err
}
func canAccessCompetition(u *User, competitionID int64) (string, bool) {
if u.IsSystemAdmin {
return "system_admin", true
}
role, err := userRole(competitionID, u.ID)
if err != nil || role == "" {
return "", false
}
return role, true
}
func handleListCompetitions(w http.ResponseWriter, r *http.Request) {
u := userFromCtx(r)
var rows *sql.Rows
var err error
if u.IsSystemAdmin {
rows, err = db.Query("SELECT id,name,allow_any_scorer_edit,created_at FROM competitions ORDER BY created_at DESC")
} else {
rows, err = db.Query(`SELECT c.id,c.name,c.allow_any_scorer_edit,c.created_at,cu.role
FROM competitions c JOIN competition_users cu ON cu.competition_id=c.id
WHERE cu.user_id=? ORDER BY c.created_at DESC`, u.ID)
}
if err != nil {
writeError(w, http.StatusInternalServerError, "db_error")
return
}
defer rows.Close()
out := []Competition{}
for rows.Next() {
var c Competition
var allow int
if u.IsSystemAdmin {
rows.Scan(&c.ID, &c.Name, &allow, &c.CreatedAt)
c.Role = "system_admin"
} else {
rows.Scan(&c.ID, &c.Name, &allow, &c.CreatedAt, &c.Role)
}
c.AllowAnyScorerEdit = allow == 1
out = append(out, c)
}
writeJSON(w, http.StatusOK, out)
}
func handleCreateCompetition(w http.ResponseWriter, r *http.Request) {
var req struct {
Name string `json:"name"`
AllowAnyScorerEdit bool `json:"allow_any_scorer_edit"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid_body")
return
}
if req.Name == "" {
writeError(w, http.StatusBadRequest, "missing_name")
return
}
if len(req.Name) > 200 {
writeError(w, http.StatusBadRequest, "too_long")
return
}
allow := 0
if req.AllowAnyScorerEdit {
allow = 1
}
res, err := db.Exec("INSERT INTO competitions(name,allow_any_scorer_edit) VALUES(?,?)", req.Name, allow)
if err != nil {
writeError(w, http.StatusInternalServerError, "db_error")
return
}
id, _ := res.LastInsertId()
c := Competition{ID: id, Name: req.Name, AllowAnyScorerEdit: req.AllowAnyScorerEdit}
writeJSON(w, http.StatusCreated, c)
}
func handleGetCompetition(w http.ResponseWriter, r *http.Request) {
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
u := userFromCtx(r)
role, ok := canAccessCompetition(u, id)
if !ok {
writeError(w, http.StatusForbidden, "forbidden")
return
}
var c Competition
var allow int
err = db.QueryRow("SELECT id,name,allow_any_scorer_edit,created_at FROM competitions WHERE id=?", id).
Scan(&c.ID, &c.Name, &allow, &c.CreatedAt)
if err != nil {
writeError(w, http.StatusNotFound, "not_found")
return
}
c.AllowAnyScorerEdit = allow == 1
c.Role = role
writeJSON(w, http.StatusOK, c)
}
func handleUpdateCompetition(w http.ResponseWriter, r *http.Request) {
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
u := userFromCtx(r)
role, ok := canAccessCompetition(u, id)
if !ok || (role != "system_admin" && role != "chief_scorer") {
writeError(w, http.StatusForbidden, "forbidden")
return
}
var req struct {
Name *string `json:"name"`
AllowAnyScorerEdit *bool `json:"allow_any_scorer_edit"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid_body")
return
}
if req.Name != nil {
db.Exec("UPDATE competitions SET name=? WHERE id=?", *req.Name, id)
}
if req.AllowAnyScorerEdit != nil {
v := 0
if *req.AllowAnyScorerEdit {
v = 1
}
db.Exec("UPDATE competitions SET allow_any_scorer_edit=? WHERE id=?", v, id)
}
hub.broadcast(id, "competition_updated", nil)
w.WriteHeader(http.StatusNoContent)
}
func handleDeleteCompetition(w http.ResponseWriter, r *http.Request) {
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
db.Exec("DELETE FROM competitions WHERE id=?", id)
w.WriteHeader(http.StatusNoContent)
}
func handleListMembers(w http.ResponseWriter, r *http.Request) {
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
u := userFromCtx(r)
if _, ok := canAccessCompetition(u, id); !ok {
writeError(w, http.StatusForbidden, "forbidden")
return
}
rows, err := db.Query(`SELECT u.id,u.username,u.display_name,cu.role
FROM competition_users cu JOIN users u ON u.id=cu.user_id
WHERE cu.competition_id=? ORDER BY cu.role,u.username`, id)
if err != nil {
writeError(w, http.StatusInternalServerError, "db_error")
return
}
defer rows.Close()
out := []CompetitionUser{}
for rows.Next() {
var m CompetitionUser
rows.Scan(&m.UserID, &m.Username, &m.DisplayName, &m.Role)
out = append(out, m)
}
writeJSON(w, http.StatusOK, out)
}
func handleAddMember(w http.ResponseWriter, r *http.Request) {
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
u := userFromCtx(r)
role, ok := canAccessCompetition(u, id)
if !ok || (role != "system_admin" && role != "chief_scorer") {
writeError(w, http.StatusForbidden, "forbidden")
return
}
var req struct {
UserID int64 `json:"user_id"`
Role string `json:"role"`
}
if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
writeError(w, http.StatusBadRequest, "invalid_body")
return
}
if req.Role != "chief_scorer" && req.Role != "scorer" {
writeError(w, http.StatusBadRequest, "invalid_role")
return
}
_, err = db.Exec("INSERT OR REPLACE INTO competition_users(competition_id,user_id,role) VALUES(?,?,?)", id, req.UserID, req.Role)
if err != nil {
writeError(w, http.StatusInternalServerError, "db_error")
return
}
w.WriteHeader(http.StatusNoContent)
}
func handleRemoveMember(w http.ResponseWriter, r *http.Request) {
id, err := strconv.ParseInt(r.PathValue("id"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
uid, err := strconv.ParseInt(r.PathValue("uid"), 10, 64)
if err != nil {
writeError(w, http.StatusBadRequest, "invalid_id")
return
}
u := userFromCtx(r)
role, ok := canAccessCompetition(u, id)
if !ok || (role != "system_admin" && role != "chief_scorer") {
writeError(w, http.StatusForbidden, "forbidden")
return
}
db.Exec("DELETE FROM competition_users WHERE competition_id=? AND user_id=?", id, uid)
w.WriteHeader(http.StatusNoContent)
}
Reference in New Issue View Git Blame Copy Permalink