auth fix for /details

artem-streltsov · Sep 17, 2024 · 8f804c7 · 8f804c7
1 parent ad85df9
commit 8f804c7
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/internal/handlers/handlers.go b/internal/handlers/handlers.go
@@ -610,6 +610,13 @@ func (h *Handler) deleteURLHandler(w http.ResponseWriter, r *http.Request) {
 }
 
 func (h *Handler) urlDetailsHandler(w http.ResponseWriter, r *http.Request) {
+	session, _ := h.store.Get(r, "session")
+	user, ok := session.Values["user"].(*database.User)
+	if !ok {
+		http.Redirect(w, r, "/login", http.StatusSeeOther)
+		return
+	}
+
 	urlID, err := strconv.ParseInt(strings.TrimPrefix(r.URL.Path, "/details/"), 10, 64)
 	if err != nil {
 		http.Error(w, "Invalid URL ID", http.StatusBadRequest)
@@ -622,6 +629,11 @@ func (h *Handler) urlDetailsHandler(w http.ResponseWriter, r *http.Request) {
 		return
 	}
 
+	if url.UserID != user.ID {
+		http.Error(w, "Unauthorized", http.StatusForbidden)
+		return
+	}
+
 	shortURL := fmt.Sprintf("http://%s/r/%s", r.Host, url.Key)
 	qrCode, err := qrcode.Encode(shortURL, qrcode.Medium, 256)
 	if err != nil {