From 1b3b2ccb59a3ddeb0019167147e847422c8fec22 Mon Sep 17 00:00:00 2001
From: konrad
Date: Tue, 12 Jun 2018 18:49:56 +0200
Subject: [PATCH] Improved item deletion rights check

---
 models/error.go | 15 +++++++++++++++
 models/list_items.go | 2 +-
 routes/api/v1/item_delete.go | 4 ++++
 3 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/models/error.go b/models/error.go
index 2cd0023213..b14655bbe0 100644
--- a/models/error.go
+++ b/models/error.go
@@ -192,3 +192,18 @@ func (err ErrListItemDoesNotExist) Error() string {
 return fmt.Sprintf("List item does not exist. [ID: %d]", err.ID)
 }
+// ErrNeedToBeItemOwner represents an error, where the user is not the owner of that item (used i.e. when deleting a list)
+type ErrNeedToBeItemOwner struct {
+ ItemID int64
+ UserID int64
+}
+
+// IsErrNeedToBeItemOwner checks if an error is a ErrNeedToBeItemOwner.
+func IsErrNeedToBeItemOwner(err error) bool {
+ _, ok := err.(ErrNeedToBeItemOwner)
+ return ok
+}
+
+func (err ErrNeedToBeItemOwner) Error() string {
+ return fmt.Sprintf("You need to be item owner to do that [ItemID: %d, UserID: %d]", err.ItemID, err.UserID)
+}
\ No newline at end of file
diff --git a/models/list_items.go b/models/list_items.go
index 9445598aa0..ff34d3baeb 100644
--- a/models/list_items.go
+++ b/models/list_items.go
@@ -89,7 +89,7 @@ func DeleteListItemByID(itemID int64, doer *User) (err error) {
 // Check if the user hat the right to delete that item
 if listitem.CreatedByID != doer.ID {
- return
+ return ErrNeedToBeItemOwner{ItemID:itemID, UserID: doer.ID}
 }
 _, err = x.ID(itemID).Delete(ListItem{})
diff --git a/routes/api/v1/item_delete.go b/routes/api/v1/item_delete.go
index 2aa8ee7379..384c3892d0 100644
--- a/routes/api/v1/item_delete.go
+++ b/routes/api/v1/item_delete.go
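Review bot: The doc comment on the new ErrNeedToBeItemOwner type says it is used "when deleting a list", but the type carries an ItemID and the only place this patch returns it is DeleteListItemByID in models/list_items.go, so the comment documents the wrong operation; suggested wording: `// ErrNeedToBeItemOwner represents an error where the user is not the owner of that item (used e.g. when deleting a list item)`. The hunk also ends with `\ No newline at end of file`, which gofmt would not leave behind, so running gofmt over models/error.go restores the trailing newline. The new Error method carries no doc comment, which matches the existing ErrListItemDoesNotExist.Error directly above it, so that part is consistent with the file.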
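Review bot: The new return replaces a bare `return` that left the named result `err` nil, so a non-owner previously received a success result while the item stayed in place; returning ErrNeedToBeItemOwner here is the right fix, but the literal `ErrNeedToBeItemOwner{ItemID:itemID, UserID: doer.ID}` is not gofmt output (`ItemID: itemID`). The comment on the context line above still reads "hat" for "has" and could be corrected in passing: `// Check if the user has the right to delete that item`. DeleteListItemByID begins before this hunk, so it is not visible whether `doer` is guaranteed non-nil before `doer.ID` is read; if any caller can reach this with a nil doer, a guard that returns an error ahead of the comparison would turn a panic into a handled error. The check grants deletion only to the creator; if list owners or admins are also meant to be able to delete items, that policy is not expressed here and is worth confirming against the intended rights model.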
@@ -28,6 +28,10 @@ func DeleteListItemByIDtemByID(c echo.Context) error {
 return c.JSON(http.StatusNotFound, models.Message{"List item does not exist."})
 }
+ if models.IsErrNeedToBeItemOwner(err) {
+ return c.JSON(http.StatusForbidden, models.Message{"You need to own the list item in order to be able to delete it."})
+ }
+
 return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
 }
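Review bot: The new 403 branch sits after the 404 branch, so a caller who does not own an item gets a different status from one that names a non-existent item; that is a reasonable split, but if item IDs are not meant to be discoverable by other users, answering 404 in both cases is the common way to avoid confirming that an ID exists. The added `models.Message{"You need to own the list item in order to be able to delete it."}` follows the surrounding unkeyed-literal style, which `go vet`'s composites check flags for struct types from another package; writing the field name explicitly (as declared on models.Message) would keep the handler vet-clean. The enclosing handler body starts before this hunk, and its name in the hunk header, DeleteListItemByIDtemByID, looks like a typo of DeleteListItemByID that predates this change.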