From ec96b3b039f7e5fe258ec426a0d37da446dbed54 Mon Sep 17 00:00:00 2001
From: Max Hohlfeld
Date: Mon, 11 Nov 2024 19:50:40 +0100
Subject: [PATCH] fix: permissions for location interaction
---
 src/endpoints/location/delete.rs | 6 +++---
 src/endpoints/location/get_edit.rs | 4 ++++
 2 files changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/endpoints/location/delete.rs b/src/endpoints/location/delete.rs
index d29cb169..b16b7b45 100644
--- a/src/endpoints/location/delete.rs
+++ b/src/endpoints/location/delete.rs
@@ -17,15 +17,15 @@ pub async fn delete(
         return Err(ApplicationError::Unauthorized);
     }
-    let Some(area) = Location::read_by_id(pool.get_ref(), path.id).await? else {
+    let Some(location) = Location::read_by_id(pool.get_ref(), path.id).await? else {
         return Ok(HttpResponse::NotFound().finish());
     };
-    if user.role == Role::AreaManager && area.id != user.area_id {
+    if user.role == Role::AreaManager && location.area_id != user.area_id {
         return Err(ApplicationError::Unauthorized);
     }
-    Location::delete(pool.get_ref(), area.id).await?;
+    Location::delete(pool.get_ref(), location.id).await?;
     Ok(HttpResponse::Ok().finish())
 }
diff --git a/src/endpoints/location/get_edit.rs b/src/endpoints/location/get_edit.rs
index 07a3546b..d3573511 100644
--- a/src/endpoints/location/get_edit.rs
+++ b/src/endpoints/location/get_edit.rs
@@ -22,6 +22,10 @@ pub async fn get(
         return Ok(HttpResponse::NotFound().finish());
     };
+    if user.role == Role::AreaManager && location.area_id != user.area_id {
+        return Err(ApplicationError::Unauthorized);
+    }
+
     let mut areas = None;
     if user.role == Role::Admin {
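Review bot: The corrected area check on the `if user.role == Role::AreaManager && location.area_id != user.area_id` line in delete.rs is hand-copied verbatim into the get_edit.rs hunk, and the defect this commit fixes (comparing the location's own `id` against `user.area_id`) is exactly the kind of drift that duplicated authorization predicates produce; the scoping rule should live in one place, for example a method on `Location` returning `user.role != Role::AreaManager || self.area_id == user.area_id` that every location handler calls, so the next endpoint cannot get it subtly wrong. Separately, after this fix an area manager gets `NotFound` for an id that does not exist but `Unauthorized` for one that exists in another area, which lets ids outside their scope be distinguished from absent ones; if that is not intended, the area check should answer with `return Ok(HttpResponse::NotFound().finish());` as well. The body of `delete` begins above the hunk, so whether roles other than `Admin` and `AreaManager` are rejected by the guard whose `return Err(ApplicationError::Unauthorized);` is visible at the top cannot be confirmed from here.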