Diffstat (limited to 'customer/controller.go')
-rw-r--r--customer/controller.go48
1 files changed, 47 insertions, 1 deletions
diff --git a/customer/controller.go b/customer/controller.go
index 9381c45..ae6101f 100644
--- a/customer/controller.go
+++ b/customer/controller.go
@@ -31,6 +31,15 @@ func handleGetSingleCustomer (ctx *gin.Context) {
return
}
+ uId, ok := ctx.Get("UserID")
+ if !ok {
+ ctx.Error(e.ErrUnauthorized)
+ ctx.Abort()
+ return
+ }
+
+ userId := uId.(uint)
+
var customer Customer
err = getCustomer(&customer, uint(id))
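Review bot: The single-value type assertion `userId := uId.(uint)` on the new line after the `ctx.Get("UserID")` check panics if the middleware stored the ID under a different Go type (an `int`, or a `float64` decoded from a JSON claim), which turns a mismatched token into a 500 instead of a 401, and a recovery middleware, if one is installed, would only mask the panic. Use the two-value form and fall through to the same unauthorized path: `userID, ok := uId.(uint)` followed by `if !ok { ctx.Error(e.ErrUnauthorized); ctx.Abort(); return }`. Go convention also spells the initialism `userID` rather than `userId`. The same unchecked assertion is repeated in the other handlers touched by this commit. handleGetSingleCustomer starts before this hunk and its handling of the getCustomer error continues after it.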
@@ -40,6 +49,12 @@ func handleGetSingleCustomer (ctx *gin.Context) {
return
}
+ if customer.UserID != userId {
+ ctx.Error(e.ErrForbidden)
+ ctx.Abort()
+ return
+ }
+
ctx.JSON(http.StatusOK, gin.H{
"message": "success",
"data": customer,
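Review bot: The ownership check compares `customer.UserID` to the caller only after the row has been loaded by ID, so a request for another user's customer gets `e.ErrForbidden` while an unknown ID gets whatever `getCustomer` returned on the error path above — the difference in responses lets a caller enumerate which customer IDs exist. The list endpoint in this same commit instead scopes the query by passing the user ID into `getCustomers`; doing the same here (`err = getCustomer(&customer, uint(id), userId)` with `user_id` as part of the lookup condition, assuming getCustomer is a database lookup) makes a foreign ID indistinguishable from a missing one and keeps the authorization rule in one place. If the post-fetch comparison is kept, consider returning the same not-found error as the lookup failure rather than `e.ErrForbidden` for the mismatch. handleGetSingleCustomer starts before this hunk.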
@@ -49,7 +64,16 @@ func handleGetSingleCustomer (ctx *gin.Context) {
func handleGetCustomers (ctx *gin.Context) {
var customers []Customer
- err := getCustomers(&customers)
+ uId, ok := ctx.Get("UserID")
+ if !ok {
+ ctx.Error(e.ErrUnauthorized)
+ ctx.Abort()
+ return
+ }
+
+ userId := uId.(uint)
+
+ err := getCustomers(&customers, userId)
if err != nil {
ctx.Error(err)
ctx.Abort()
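Review bot: The seven lines that read `UserID` from the context and assert it to `uint` are now copied verbatim into this handler and three others in the commit, each with an unchecked `uId.(uint)` that panics if the stored value is not exactly a `uint`. A small helper returning `(uint, bool)` keeps the unauthorized path in one place and makes the assertion checked; each handler then collapses to a three-line guard. The rest of handleGetCustomers (the success response) lies after this hunk.

```go
// currentUserID returns the authenticated user's ID that the auth middleware
// stored on the context, and false if it is missing or not a uint.
func currentUserID(ctx *gin.Context) (uint, bool) {
	v, ok := ctx.Get("UserID")
	if !ok {
		return 0, false
	}
	id, ok := v.(uint)
	return id, ok
}

func handleGetCustomers(ctx *gin.Context) {
	var customers []Customer
	userID, ok := currentUserID(ctx)
	if !ok {
		ctx.Error(e.ErrUnauthorized)
		ctx.Abort()
		return
	}
	err := getCustomers(&customers, userID)
	// … unchanged: error handling and response …
```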
@@ -66,6 +90,17 @@ func handleSaveCustomer (ctx *gin.Context) {
var customer Customer
ctx.Bind(&customer)
+ uId, ok := ctx.Get("UserID")
+ if !ok {
+ ctx.Error(e.ErrUnauthorized)
+ ctx.Abort()
+ return
+ }
+
+ userId := uId.(uint)
+ customer.UserID = userId
+ customer.Contact.UserID = userId
+
err := customer.upsert()
if err != nil {
ctx.Error(err)
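Review bot: Stamping `customer.UserID = userId` before `customer.upsert()` ties new records to the caller, but it does not verify that a record the client asks to update already belongs to them: `ctx.Bind(&customer)` above accepts whatever `ID` the request body carries, and if `upsert` updates by primary key (its body is not in this diff) a caller can overwrite — and, through this assignment, take ownership of — another user's customer. When `customer.ID != 0`, load the existing row and reject with `e.ErrForbidden` unless its `UserID` equals `userId`, or make `upsert` include `user_id = ?` in its update condition. Note too that the `ctx.Bind` error is still discarded, so a body that fails to bind reaches `upsert` as a zero-valued customer owned by the caller; `if err := ctx.ShouldBind(&customer); err != nil { ctx.Error(err); ctx.Abort(); return }` would stop it. handleSaveCustomer starts before this hunk and its error handling continues after it.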
@@ -89,6 +124,17 @@ func handleDelCustomer (ctx *gin.Context) {
var customer Customer
customer.ID = uint(id)
+ uId, ok := ctx.Get("UserID")
+ if !ok {
+ ctx.Error(e.ErrUnauthorized)
+ ctx.Abort()
+ return
+ }
+
+ userId := uId.(uint)
+ customer.UserID = userId
+
+ // TODO: if userid and customer's user id don't match, dont delete
err = customer.del()
if err != nil {
ctx.Error(err)
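Review bot: The `// TODO` added just before `customer.del()` leaves the ownership check out of the delete path, so as committed any authenticated caller can delete any customer by ID, assuming `del()` deletes by primary key (its body is not in this diff); assigning `customer.UserID = userId` on the line above only helps if `del()` actually uses that field in its delete condition. Either load the record first and return `e.ErrForbidden` when `customer.UserID != userId`, mirroring the check this commit adds to handleGetSingleCustomer, or make `del()` delete with `id = ? AND user_id = ?` and treat zero affected rows as not found. Leaving the gap behind a TODO is riskier here than on the read paths because the operation is destructive and the other handlers in this commit now enforce the rule. handleDelCustomer starts before this hunk and its error handling continues after it.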