From 23ffb1ec0e718e56d2f45e1ffeeed62e24f7ad84 Mon Sep 17 00:00:00 2001
From: Jacobtread <jacobtread@gmail.com>
Date: Sat, 27 Apr 2024 14:43:07 +1200
Subject: [PATCH] fix: all data permissions

---
 src/routes/players.rs | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/src/routes/players.rs b/src/routes/players.rs
index ecf5ba3..19481a8 100644
--- a/src/routes/players.rs
+++ b/src/routes/players.rs
@@ -435,10 +435,16 @@ impl Serialize for PlayerDataMap {
 ///
 /// `player_id` The ID of the player
 pub async fn all_data(
-    _: AdminAuth,
+    Auth(auth): Auth,
     Path(player_id): Path<PlayerID>,
     Extension(db): Extension<DatabaseConnection>,
 ) -> PlayersRes<PlayerDataMap> {
+    let player: Player = find_player(&db, player_id).await?;
+
+    if !auth.has_permission_over(&player) {
+        return Err(PlayersError::InvalidPermission);
+    }
+
     let data = PlayerData::all(&db, player_id).await?;
     Ok(Json(PlayerDataMap(data)))
 }