fix ownership for question handlers

internal/controllers/http_controllers/question/question.go

@@ -48,6 +48,15 @@ func (r *Question) CreateQuestion(ctx *fiber.Ctx) error {
 	if err := ctx.BodyParser(&req); err != nil {
 		return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
 	}
+
+	isOwner, err := r.dal.QuizRepo.CheckQuizOwner(ctx.Context(), accountID, req.QuizId)
+	if err != nil {
+		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+	}
+	if !isOwner {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+	}
+
 	if utf8.RuneCountInString(req.Title) >= 512 {
 		return ctx.Status(fiber.StatusUnprocessableEntity).SendString("title field should have less then 512 chars")
 	}
@@ -120,6 +129,11 @@ type GetQuestionListResp struct {
 // GetQuestionList handler for paginated list question
 // todo нужна проверка на то что квиз принадлежит пользователю, не помешает
 func (r *Question) GetQuestionList(ctx *fiber.Ctx) error {
+	accountID, ok := middleware.GetAccountId(ctx)
+	if !ok {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+	}
+
 	var req GetQuestionListReq
 	if err := ctx.BodyParser(&req); err != nil {
 		return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -142,6 +156,15 @@ func (r *Question) GetQuestionList(ctx *fiber.Ctx) error {
 			"'test','none','file', 'button','select','checkbox'")
 	}
 
+	isOwner, err := r.dal.QuizRepo.CheckQuizOwner(ctx.Context(), accountID, req.QuizId)
+	if err != nil {
+		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+	}
+
+	if !isOwner {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+	}
+
 	res, cnt, err := r.dal.QuestionRepo.GetQuestionList(ctx.Context(),
 		req.Limit,
 		req.Page*req.Limit,
@@ -182,6 +205,11 @@ type UpdateResp struct {
 // UpdateQuestion handler for update question
 // todo нужна проверка на то что квиз принадлежит пользователю, не помешает
 func (r *Question) UpdateQuestion(ctx *fiber.Ctx) error {
+	accountID, ok := middleware.GetAccountId(ctx)
+	if !ok {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+	}
+
 	var req UpdateQuestionReq
 	if err := ctx.BodyParser(&req); err != nil {
 		return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -191,6 +219,15 @@ func (r *Question) UpdateQuestion(ctx *fiber.Ctx) error {
 		return ctx.Status(fiber.StatusFailedDependency).SendString("need id of question for update")
 	}
 
+	isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+	if err != nil {
+		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+	}
+
+	if !isOwner {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+	}
+
 	if utf8.RuneCountInString(req.Title) >= 512 {
 		return ctx.Status(fiber.StatusUnprocessableEntity).SendString("title field should have less then 512 chars")
 	}
@@ -261,6 +298,11 @@ type CopyQuestionReq struct {
 // CopyQuestion handler for copy question
 // todo копирование может происходить с чужого опроса? если нет тоже проверку надо делать на принадлежность
 func (r *Question) CopyQuestion(ctx *fiber.Ctx) error {
+	accountID, ok := middleware.GetAccountId(ctx)
+	if !ok {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+	}
+
 	var req CopyQuestionReq
 	if err := ctx.BodyParser(&req); err != nil {
 		return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -270,6 +312,15 @@ func (r *Question) CopyQuestion(ctx *fiber.Ctx) error {
 		return ctx.Status(fiber.StatusFailedDependency).SendString("no id provided")
 	}
 
+	isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+	if err != nil {
+		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+	}
+
+	if !isOwner {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+	}
+
 	question, err := r.dal.QuestionRepo.CopyQuestion(ctx.Context(), req.Id, req.QuizId)
 	if err != nil {
 		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
@@ -290,6 +341,11 @@ type GetQuestionHistoryReq struct {
 // GetQuestionHistory handler for history of quiz
 // todo нужна проверка на то что квиз принадлежит пользователю, не помешает
 func (r *Question) GetQuestionHistory(ctx *fiber.Ctx) error {
+	accountID, ok := middleware.GetAccountId(ctx)
+	if !ok {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("account id is required")
+	}
+
 	var req GetQuestionHistoryReq
 	if err := ctx.BodyParser(&req); err != nil {
 		return ctx.Status(fiber.StatusBadRequest).SendString("Invalid request data")
@@ -299,6 +355,15 @@ func (r *Question) GetQuestionHistory(ctx *fiber.Ctx) error {
 		return ctx.Status(fiber.StatusFailedDependency).SendString("no id provided")
 	}
 
+	isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+	if err != nil {
+		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+	}
+
+	if !isOwner {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+	}
+
 	history, err := r.dal.QuestionRepo.QuestionHistory(ctx.Context(), req.Id, req.Limit, req.Page*req.Limit)
 	if err != nil {
 		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
@@ -332,6 +397,14 @@ func (r *Question) DeleteQuestion(ctx *fiber.Ctx) error {
 		return ctx.Status(fiber.StatusFailedDependency).SendString("id for deleting question is required")
 	}
 
+	isOwner, err := r.dal.QuestionRepo.CheckQuestionOwner(ctx.Context(), accountID, req.Id)
+	if err != nil {
+		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())
+	}
+	if !isOwner {
+		return ctx.Status(fiber.StatusUnauthorized).SendString("not the owner")
+	}
+
 	deleted, err := r.dal.QuestionRepo.DeleteQuestion(ctx.Context(), req.Id)
 	if err != nil {
 		return ctx.Status(fiber.StatusInternalServerError).SendString(err.Error())