fix: permissions bug related to deleting language mappings

2023-08-10 21:12:56 +03:00 · 2021-01-20 20:49:27 +01:00 · 2021-01-20 20:49:27 +01:00 · 16b683fcbd
commit 16b683fcbd
parent acda62488d
2 changed files with 10 additions and 6 deletions
--- a/routes/settings.go
+++ b/routes/settings.go
@ -115,13 +115,17 @@ func (h *SettingsHandler) DeleteLanguageMapping(w http.ResponseWriter, r *http.R
 		return
 	}
-	mapping := &models.LanguageMapping{
+	if mapping, err := h.languageMappingSrvc.GetById(uint(id)); err != nil || mapping == nil {
-		ID:     uint(id),
+		w.WriteHeader(http.StatusNotFound)
-		UserID: user.ID,
+		templates[conf.SettingsTemplate].Execute(w, h.buildViewModel(r).WithError("mapping not found"))
 		return
 	} else if mapping.UserID != user.ID {
 		w.WriteHeader(http.StatusForbidden)
 		templates[conf.SettingsTemplate].Execute(w, h.buildViewModel(r).WithError("not allowed to delete mapping"))
 		return
 	}
-	err = h.languageMappingSrvc.Delete(mapping)
+	if err := h.languageMappingSrvc.Delete(&models.LanguageMapping{ID: uint(id)}); err != nil {
 	if err != nil {
 		w.WriteHeader(http.StatusInternalServerError)
 		templates[conf.SettingsTemplate].Execute(w, h.buildViewModel(r).WithError("could not delete mapping"))
 		return
--- a/views/settings.tpl.html
+++ b/views/settings.tpl.html
@ -89,7 +89,7 @@
                <form class="float-right" action="settings/language_mappings/delete" method="post">
                    <input type="hidden" id="mapping_id" name="mapping_id" required value="{{ $mapping.ID }}">
                    <button type="submit" class="py-1 px-3 rounded bg-red-500 hover:bg-red-600 text-white text-sm">
-                        Remove
+                        X
                    </button>
                </form>
            </div>