Validate device creation.
Update our uuid package to the latest, which is now based on the GitHub
fork instead of the Google Code. Also, update our api package to its latest
version, which now needs the pqarrays package as a dependency.
We fleshed out the validateDeviceCreation. We now pass in the scopes we have
(for broad access control) and the user ID (for fine-grained access control).
This helper returns the first error it encounters, though it should probably
return a slice so we can return multiple errors all at once.
Before we even decode the request to create a Device, let's check if the user is
even logged in. If we can't ascertain that or they're not, there's no point in
even consuming the memory necessary to read the request, because we know we're
not going to use it anyways.
Finally actually validate the devices we're creating, and return an appropriate
error for each error we can get.
Also, the api.CheckScopes helper function now takes the scopes passed in as a
string slice, and we have an api.GetScopes helper function to retrieve the
scopes associated with the request. Let's not keep parsing that.
We need two new scopes to control access for device creation; ScopeImport lets
users import devices in and is pretty much admin access.
ScopeCreateOtherUserDevices allows a user to create Devices that are owned by
another user.
7 "code.secondbit.org/api.hg"
8 "code.secondbit.org/ducky/devices.hg"
10 "golang.org/x/net/context"
13 type createRequest struct {
14 Devices []DeviceChange `json:"devices"`
17 func handleCreateDevices(ctx context.Context, w http.ResponseWriter, r *http.Request) {
21 userID, err := api.AuthUser(r)
23 if err == api.ErrUserIDNotSet {
24 api.Encode(w, r, http.StatusUnauthorized, Response{Errors: api.AccessDeniedError})
27 api.Encode(w, r, http.StatusForbidden, Response{Errors: api.AccessDeniedError})
31 err = api.Decode(r, &req)
33 api.Encode(w, r, http.StatusBadRequest, Response{Errors: api.InvalidFormatError})
37 devicesToCreate := createDevicesFromChanges(req.Devices)
38 passedScopes := api.GetScopes(r)
39 for _, device := range devicesToCreate {
40 err := validateDeviceCreation(device, passedScopes, userID)
44 var requestErr api.RequestError
46 case errUnauthorizedLastSeen:
47 requestErr.Slug = api.RequestErrAccessDenied
48 requestErr.Field = "/lastSeen"
49 case errUnauthorizedCreated:
50 requestErr.Slug = api.RequestErrAccessDenied
51 requestErr.Field = "/created"
52 case errUnauthorizedOwner:
53 requestErr.Slug = api.RequestErrAccessDenied
54 requestErr.Field = "/owner"
55 case errInvalidDeviceType:
56 requestErr.Slug = api.RequestErrInvalidValue
57 requestErr.Field = "/type"
58 case errDeviceNameTooShort:
59 requestErr.Slug = api.RequestErrInsufficient
60 requestErr.Field = "/name"
61 case errDeviceNameTooLong:
62 requestErr.Slug = api.RequestErrOverflow
63 requestErr.Field = "/name"
65 if requestErr.Slug != "" {
66 api.Encode(w, r, http.StatusBadRequest, Response{Errors: []api.RequestError{requestErr}})
69 api.Encode(w, r, http.StatusInternalServerError, Response{Errors: api.ActOfGodError})
71 createdDevices, err := devices.CreateMany(devicesToCreate, ctx)
73 // BUG(paddy): we should filter out non-internal errors here and expose better error responses
74 log.Printf("Error creating devices: %+v\n", err)
75 api.Encode(w, r, http.StatusInternalServerError, Response{Errors: api.ActOfGodError})
78 for _, device := range createdDevices {
79 resp.Devices = append(resp.Devices, apiDeviceFromCore(device, api.CheckScopes(passedScopes, ScopeViewPushToken.ID)))
81 api.Encode(w, r, http.StatusCreated, resp)