47 casbin rule for user edit rating

migrations/20240412141011_casbin_user_rating_edit.down.sql

@@ -0,0 +1,3 @@
+-- Add down migration script here
+DELETE FROM casbin_rule
+WHERE ptype = 'p' and v0 = 'group_user' and v1 = '/rating/:id' and v2 = 'PUT';

migrations/20240412141011_casbin_user_rating_edit.up.sql

@@ -0,0 +1,5 @@
+-- Add up migration script here
+INSERT INTO casbin_rule
+(id, ptype, v0, v1, v2, v3, v4, v5)
+VALUES((select max(id) + 1 from casbin_rule cr), 'p', 'group_user', '/rating/:id', 'PUT', '', '', '');
+

src/routes/rating/edit.rs

@@ -5,32 +5,37 @@ use crate::db;
 use actix_web::{put, web, Responder, Result};
 use sqlx::PgPool;
 use std::sync::Arc;
+use serde_valid::Validate;
 
 // workflow
 // add, update, list, get(user_id), ACL,
 // ACL - access to func for a user
 // ACL - access to objects for a user
 
 #[tracing::instrument(name = "User edit rating.")]
-#[put("")]
+#[put("/{id}")]
 pub async fn user_edit_handler(
     path: web::Path<(i32,)>,
     user: web::ReqData<Arc<models::User>>,
     form: web::Json<forms::rating::UserEdit>,
     pg_pool: web::Data<PgPool>,
 ) -> Result<impl Responder> {
+    if let Err(errors) = form.validate() {
+        return Err(JsonResponse::<models::Rating>::build().form_error(errors.to_string()));
+    }
+
     let rate_id = path.0;
     let rating = db::rating::fetch(pg_pool.get_ref(), rate_id)
         .await
         .map_err(|_err| JsonResponse::<models::Rating>::build().internal_server_error(""))
         .and_then(|rating| {
             match rating {
-                Some(rating) => { Ok(rating) },
+                Some(rating) if rating.user_id != user.id => Err(JsonResponse::<models::Rating>::build().not_found("not found")),
+                Some(rating) =>  Ok(rating),
                 None => Err(JsonResponse::<models::Rating>::build().not_found("not found"))
             }
         })?;
 
-    //todo check if form is valid
     //todo add update_model function to form
     //todo add the db saving of the model