authorWilliam Carroll <wpcarro@gmail.com>2020-07-31T09·55+0100
committerWilliam Carroll <wpcarro@gmail.com>2020-07-31T09·55+0100
commit7d64011cbd6b0d6ce2237de2a3dfcc1f9f81a4c9 (patch)
tree4a1fa2035dfc41af54933935f599b74a94ce2f48 /src/Trips.hs
parent75437b01b660700a4ba8d7c46b49d1031beb951b (diff)
Protect GET /trips with a session cookie
When an admin requests /trips, they see all of the trips in the Trips
table. When a user requests /trips, they see only their trips.
Diffstat (limited to 'src/Trips.hs')
-rw-r--r--src/Trips.hs10
1 files changed, 8 insertions, 2 deletions
diff --git a/src/Trips.hs b/src/Trips.hs
index 55bc6b958d0f..ec52ec58fee9 100644
--- a/src/Trips.hs
+++ b/src/Trips.hs
@@ -22,6 +22,12 @@ delete dbFile tripPK =
       (tripPK |> T.tripPKFields)
 
 -- | Return a list of all of the trips in `dbFile`.
-list :: FilePath -> IO [T.Trip]
-list dbFile = withConnection dbFile $ \conn ->
+listAll :: FilePath -> IO [T.Trip]
+listAll dbFile = withConnection dbFile $ \conn ->
   query_ conn "SELECT username,destination,startDate,endDate,comment FROM Trips"
+
+-- | Return a list of all of the trips in `dbFile`.
+list :: FilePath -> T.Username -> IO [T.Trip]
+list dbFile username = withConnection dbFile $ \conn ->
+  query conn "SELECT username,destination,startDate,endDate,comment FROM Trips WHERE username = ?"
+    (Only username)
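Review bot: The Haddock comment on the new `list` is copied unchanged from `listAll` and still claims it returns all trips, although the query now filters with `WHERE username = ?`. It should read something like `-- | Return only the trips in dbFile that belong to username.` so the two functions cannot be confused at a call site. `listAll` is now the unscoped query that returns every user's rows, and nothing in this file restricts who may call it. Its comment should state the precondition, e.g. `-- Callers must have verified an admin session before calling this.`. The role check presumably lives in the request handler, which this hunk does not show, so confirm there that the `username` passed to `list` comes from the validated session and not from a request parameter.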