diff --git a/backend/app/api/handlers/v1/v1_ctrl_items_attachments.go b/backend/app/api/handlers/v1/v1_ctrl_items_attachments.go
index bd1bf633..e055ec63 100644
--- a/backend/app/api/handlers/v1/v1_ctrl_items_attachments.go
+++ b/backend/app/api/handlers/v1/v1_ctrl_items_attachments.go
@@ -175,7 +175,7 @@ func (ctrl *V1Controller) handleItemAttachmentsHandler(w http.ResponseWriter, r
 ctx := services.NewContext(r.Context())
 switch r.Method {
 case http.MethodGet:
- doc, err := ctrl.svc.Items.AttachmentPath(r.Context(), attachmentID)
+ doc, err := ctrl.svc.Items.AttachmentPath(r.Context(), ctx.GID, attachmentID)
 if err != nil {
 log.Err(err).Msg("failed to get attachment path")
 return validate.NewRequestError(err, http.StatusInternalServerError)
@@ -230,9 +230,9 @@ func (ctrl *V1Controller) handleItemAttachmentsHandler(w http.ResponseWriter, r
 }
 attachment.ID = attachmentID
- val, err := ctrl.svc.Items.AttachmentUpdate(ctx, ID, &attachment)
+ val, err := ctrl.svc.Items.AttachmentUpdate(ctx, ctx.GID, ID, &attachment)
 if err != nil {
- log.Err(err).Msg("failed to delete attachment")
+ log.Err(err).Msg("failed to update attachment")
 return validate.NewRequestError(err, http.StatusInternalServerError)
 }
diff --git a/backend/internal/core/services/service_items_attachments.go b/backend/internal/core/services/service_items_attachments.go
index cef45539..4085d90d 100644
--- a/backend/internal/core/services/service_items_attachments.go
+++ b/backend/internal/core/services/service_items_attachments.go
@@ -10,8 +10,8 @@ import (
 "io"
 )
-func (svc *ItemService) AttachmentPath(ctx context.Context, attachmentID uuid.UUID) (*ent.Attachment, error) {
- attachment, err := svc.repo.Attachments.Get(ctx, attachmentID)
+func (svc *ItemService) AttachmentPath(ctx context.Context, gid uuid.UUID, attachmentID uuid.UUID) (*ent.Attachment, error) {
+ attachment, err := svc.repo.Attachments.Get(ctx, gid, attachmentID)
 if err != nil {
 return nil, err
 }
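Review bot: The added group scope makes a cross-group or unknown attachmentID come back from AttachmentPath as an error, but the `if err != nil` branch directly below still logs it at error level and answers `http.StatusInternalServerError`, so an ownership failure is reported as a server fault and anyone probing attachment IDs fills the error log. Map ent's not-found to 404 ahead of the generic return: `if ent.IsNotFound(err) { return validate.NewRequestError(err, http.StatusNotFound) }` (assuming the generated ent package is importable from this handler file). handleItemAttachmentsHandler begins before this hunk, so where `ID` and `attachmentID` are parsed is not visible here.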
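Review bot: The update branch has the same collapse as the GET branch: the group check that now lives inside AttachmentUpdate surfaces here as an error, and the lines below map every error to `http.StatusInternalServerError`, so editing an attachment in another group yields a 500 instead of a 404. `if ent.IsNotFound(err) { return validate.NewRequestError(err, http.StatusNotFound) }` before the generic return keeps ownership failures distinguishable from real faults in logs and metrics. Separately, `ctx` is the services.Context built at the top of this function and `ctx.GID` is read from it, so the service receives the same group ID twice; if that is intentional a short comment on the call would help. The enclosing function starts and continues outside this hunk.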
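Review bot: AttachmentPath is exported and just gained a security-relevant parameter, yet it has no doc comment, so the requirement that `gid` be the caller's own group is only discoverable by reading the repo layer. A one-line doc above the signature would make the contract explicit: `// AttachmentPath returns attachment attachmentID only if it belongs to an item owned by group gid; any other attachment is reported as not found rather than revealed.` The not-found wording follows from the repo's `Only(ctx)` lookup introduced in the same change. The function's return statement is in the next hunk.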
@@ -19,16 +19,16 @@ func (svc *ItemService) AttachmentPath(ctx context.Context, attachmentID uuid.UU
 return attachment, nil
 }
-func (svc *ItemService) AttachmentUpdate(ctx Context, itemID uuid.UUID, data *repo.ItemAttachmentUpdate) (repo.ItemOut, error) {
+func (svc *ItemService) AttachmentUpdate(ctx Context, gid uuid.UUID, itemID uuid.UUID, data *repo.ItemAttachmentUpdate) (repo.ItemOut, error) {
 // Update Attachment
- attachment, err := svc.repo.Attachments.Update(ctx, data.ID, data)
+ attachment, err := svc.repo.Attachments.Update(ctx, gid, data.ID, data)
 if err != nil {
 return repo.ItemOut{}, err
 }
 // Update Document
 attDoc := attachment
- _, err = svc.repo.Attachments.Rename(ctx, attDoc.ID, data.Title)
+ _, err = svc.repo.Attachments.Rename(ctx, gid, attDoc.ID, data.Title)
 if err != nil {
 return repo.ItemOut{}, err
 }
@@ -57,7 +57,7 @@ func (svc *ItemService) AttachmentAdd(ctx Context, itemID uuid.UUID, filename st
 func (svc *ItemService) AttachmentDelete(ctx context.Context, gid uuid.UUID, id uuid.UUID, attachmentID uuid.UUID) error {
 // Delete the attachment
- err := svc.repo.Attachments.Delete(ctx, attachmentID)
+ err := svc.repo.Attachments.Delete(ctx, gid, id, attachmentID)
 if err != nil {
 return err
 }
diff --git a/backend/internal/data/repo/repo_item_attachments.go b/backend/internal/data/repo/repo_item_attachments.go
index 12336f05..2517bacd 100644
--- a/backend/internal/data/repo/repo_item_attachments.go
+++ b/backend/internal/data/repo/repo_item_attachments.go
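Review bot: `itemID` is still not used in the lines shown: the attachment is updated and renamed by `data.ID` and the only scoping is the group, so a request issued under item A can edit an attachment that belongs to item B of the same group as long as both IDs are valid. If the rest of the function (outside this hunk) does not tie the attachment to itemID, fold the item into the repo predicate, e.g. `attachment.HasItemWith(item.ID(itemID), item.HasGroupWith(group.ID(gid)))`, or compare `attachment.Edges.Item.ID` with itemID after the Update call, since the repo's Get eager-loads the item. Also, `ctx` is a services Context that the handler reads `GID` from, so a separate `gid` argument is a second source of truth for the same value; reading `ctx.GID` inside would remove any chance of the two disagreeing. AttachmentUpdate continues past the end of this hunk.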
@@ -256,16 +256,30 @@ func (r *AttachmentRepo) Create(ctx context.Context, itemID uuid.UUID, doc ItemC
 return attachmentDb, nil
 }
-func (r *AttachmentRepo) Get(ctx context.Context, id uuid.UUID) (*ent.Attachment, error) {
+func (r *AttachmentRepo) Get(ctx context.Context, gid uuid.UUID, id uuid.UUID) (*ent.Attachment, error) {
 return r.db.Attachment.
 Query().
- Where(attachment.ID(id)).
+ Where(
+ attachment.ID(id),
+ attachment.HasItemWith(item.HasGroupWith(group.ID(gid))),
+ ).
 WithItem().
 WithThumbnail().
 Only(ctx)
 }
-func (r *AttachmentRepo) Update(ctx context.Context, id uuid.UUID, data *ItemAttachmentUpdate) (*ent.Attachment, error) {
+func (r *AttachmentRepo) Update(ctx context.Context, gid uuid.UUID, id uuid.UUID, data *ItemAttachmentUpdate) (*ent.Attachment, error) {
+ // Validate that the attachment belongs to the specified group
+ _, err := r.db.Attachment.Query().
+ Where(
+ attachment.ID(id),
+ attachment.HasItemWith(item.HasGroupWith(group.ID(gid))),
+ ).
+ Only(ctx)
+ if err != nil {
+ return nil, err
+ }
+
 // TODO: execute within Tx
 typ := attachment.Type(data.Type)
@@ -301,13 +315,19 @@ func (r *AttachmentRepo) Update(ctx context.Context, id uuid.UUID, data *ItemAtt
 return nil, err
 }
- return r.Get(ctx, updatedAttachment.ID)
+ return r.Get(ctx, gid, updatedAttachment.ID)
 }
-func (r *AttachmentRepo) Delete(ctx context.Context, id uuid.UUID) error {
- doc, error := r.db.Attachment.Get(ctx, id)
- if error != nil {
- return error
+func (r *AttachmentRepo) Delete(ctx context.Context, gid uuid.UUID, itemId uuid.UUID, id uuid.UUID) error {
+ // Validate that the attachment belongs to the specified group
+ doc, err := r.db.Attachment.Query().
+ Where(
+ attachment.ID(id),
+ attachment.HasItemWith(item.HasGroupWith(group.ID(gid))),
+ ).
+ Only(ctx)
+ if err != nil {
+ return err
 }
 all, err := r.db.Attachment.Query().Where(attachment.Path(doc.Path)).All(ctx)
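Review bot: The ownership predicate `attachment.ID(id), attachment.HasItemWith(item.HasGroupWith(group.ID(gid)))` is now hand-copied into Get and Update here and again into Delete and Rename further down, and each mutating method runs it as a separate pre-check query before a later unscoped `UpdateOneID`/`DeleteOneID`; the next method that forgets the copy silently reopens the cross-group hole this commit closes. Extracting the check into one private helper gives a single place to audit and lets each method open with a two-line guard; the fence shows the helper and the rewritten top of Update. The `// TODO: execute within Tx` line stays valid, since the pre-check and the write remain separate statements, and the helper should be called on the transactional client once that TODO is done. Update's body continues beyond this hunk.
```go
// inGroup fails with ent's not-found error unless attachment id belongs to an
// item owned by group gid. Every read or write keyed only by attachment id
// must run this first (or embed the same predicate) so that ids from other
// groups are indistinguishable from unknown ids.
func (r *AttachmentRepo) inGroup(ctx context.Context, gid uuid.UUID, id uuid.UUID) error {
	_, err := r.db.Attachment.Query().
		Where(
			attachment.ID(id),
			attachment.HasItemWith(item.HasGroupWith(group.ID(gid))),
		).
		Only(ctx)
	return err
}

func (r *AttachmentRepo) Update(ctx context.Context, gid uuid.UUID, id uuid.UUID, data *ItemAttachmentUpdate) (*ent.Attachment, error) {
	if err := r.inGroup(ctx, gid, id); err != nil {
		return nil, err
	}
	// … unchanged: TODO Tx, typ := attachment.Type(data.Type) …
```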
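Review bot: `itemId` is accepted by the new Delete signature but never appears in the predicate: the query below checks only `attachment.ID(id)` plus the group edge, so the item named by the caller is not verified and the parameter is dead (it also departs from the `itemID` initialism used by Create in this file). Either fold it into the ownership check, `attachment.HasItemWith(item.ID(itemId), item.HasGroupWith(group.ID(gid))),`, so the attachment must belong to exactly the item in the request, or drop the parameter and its forwarding from the service layer. The following `all, err := ... Where(attachment.Path(doc.Path))` query is deliberately unscoped as far as I can tell (presumably counting references to a shared file before it is removed); a one-line comment saying so would stop a later reader from "fixing" it. Delete's body continues past the end of this hunk.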
@@ -358,7 +378,18 @@ func (r *AttachmentRepo) Delete(ctx context.Context, id uuid.UUID) error {
 return r.db.Attachment.DeleteOneID(id).Exec(ctx)
 }
-func (r *AttachmentRepo) Rename(ctx context.Context, id uuid.UUID, title string) (*ent.Attachment, error) {
+func (r *AttachmentRepo) Rename(ctx context.Context, gid uuid.UUID, id uuid.UUID, title string) (*ent.Attachment, error) {
+ // Validate that the attachment belongs to the specified group
+ _, err := r.db.Attachment.Query().
+ Where(
+ attachment.ID(id),
+ attachment.HasItemWith(item.HasGroupWith(group.ID(gid))),
+ ).
+ Only(ctx)
+ if err != nil {
+ return nil, err
+ }
+
 return r.db.Attachment.UpdateOneID(id).SetTitle(title).Save(ctx)
 }
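Review bot: Rename validates ownership with one query and then writes with an unscoped `UpdateOneID(id)`, so the check and the mutation are two round-trips with nothing binding them together. If the project's ent version supports predicates on UpdateOne, the body collapses to a single scoped statement that fails with the same not-found error when the row is outside the group: `return r.db.Attachment.UpdateOneID(id).Where(attachment.HasItemWith(item.HasGroupWith(group.ID(gid)))).SetTitle(title).Save(ctx)`. Whichever form is kept, the exported method deserves a doc comment stating that `gid` is the caller's group and that attachments outside it are reported as not found rather than renamed.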