diff --git a/server/apiLinstromNotes.go b/server/apiLinstromNotes.go index 41ebe60..b6ea1c5 100644 --- a/server/apiLinstromNotes.go +++ b/server/apiLinstromNotes.go @@ -58,7 +58,45 @@ func linstromGetNote(w http.ResponseWriter, r *http.Request) { } func linstromUpdateNote(w http.ResponseWriter, r *http.Request) {} -func linstromNewNote(w http.ResponseWriter, r *http.Request) {} +func linstromNewNote(w http.ResponseWriter, r *http.Request) { + store := StorageFromRequest(r) + actorId, ok := ActorIdFromRequest(r) + log := hlog.FromRequest(r) + + if !ok { + other.HttpErr( + w, + HttpErrIdNotAuthenticated, + "Needs a valid session to create new notes", + http.StatusUnauthorized, + ) + return + } + + newNote := linstromNote{} + err := jsonapi.UnmarshalPayload(r.Body, &newNote) + if err != nil { + log.Warn().Err(err).Msg("Failed to unmarshal body") + other.HttpErr(w, HttpErrIdBadRequest, "bad body", http.StatusBadRequest) + return + } + + if newNote.AuthorId != actorId { + log.Debug(). + Str("actor-id", actorId). + Str("target-id", newNote.AuthorId). + Msg("Blocking attempt at creating a note for a different account") + other.HttpErr( + w, + HttpErrIdNotAllowed, + "creating a note for someone else is not allowed", + http.StatusForbidden, + ) + return + } + + _, _ = store.CreateNote() +} func linstromDeleteNote(w http.ResponseWriter, r *http.Request) {} // Reactions diff --git a/server/constants.go b/server/constants.go index 49d6f85..8783939 100644 --- a/server/constants.go +++ b/server/constants.go @@ -19,4 +19,5 @@ const ( HttpErrIdAlreadyExists HttpErrIdNotFound HttpErrIdConversionFailure + HttpErrIdNotAllowed ) diff --git a/storage/notes.go b/storage/notes.go index ea9566d..1525ea3 100644 --- a/storage/notes.go +++ b/storage/notes.go 
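Review bot: `jsonapi.UnmarshalPayload(r.Body, &newNote)` decodes an unbounded, client-controlled body on an endpoint reachable with nothing more than a valid session; wrap the body first with `r.Body = http.MaxBytesReader(w, r.Body, 1<<20)` (sized to what a note legitimately needs) so an oversized payload is rejected with 413 instead of being buffered in full. The final `_, _ = store.CreateNote()` discards both the created note and the error and then returns without writing anything, so once CreateNote is implemented a storage failure would still yield an implicit 200 with an empty body; check the error, answer with a 5xx through `other.HttpErr`, and on success write the created note with 201. The authorization check compares a client-supplied `AuthorId` against the session actor, which is correct, but a simpler design is to ignore the body's author and set `newNote.AuthorId = actorId`, which removes the need for the forbidden branch entirely; if the field stays an input, a rejected cross-account attempt is probably worth logging above Debug so it is visible to monitoring. The decoded note is not yet passed to CreateNote, which I take to be a placeholder given the storage stub's TODO.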
@@ -122,6 +122,7 @@ func (s *Storage) UpdateNote(note *Note) error {
 }
 
 func (s *Storage) CreateNote() (*Note, error) {
+	defer util.Untrace(util.Trace(&log.Logger))
 	// TODO: Think of good arguments and implement me
 	panic("not implemented")
 }
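Review bot: `panic("not implemented")` remains the only exit of CreateNote, and the handler in apiLinstromNotes.go now reaches it on the authenticated path, so any logged-in user can trigger the panic by posting a well-formed note; until the method is implemented, return an error instead, e.g. `return nil, errors.New("not implemented")` (or the package's `fmt.Errorf` equivalent — the import block is outside this hunk), so the caller can respond with a 5xx rather than depend on net/http's per-connection panic recovery. The added `defer util.Untrace(util.Trace(&log.Logger))` does run on the panic path, so the trace bookkeeping itself is fine either way.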