1 files changed, 23 insertions, 10 deletions

diff --git a/pkg/view/settings.go b/pkg/view/settings.go
index bf2dca6..cdd7baa 100644
--- a/pkg/view/settings.go
+++ b/pkg/view/settings.go
@@ -39,23 +39,28 @@ func (self *SettingsView) Index(w http.ResponseWriter, r *http.Request) error {
 		return err
 	}
 
+	user := ext.GetUserFromCtx(r)
+
 	templates.WritePageTemplate(w, &templates.SettingsPage{
 		Settings: s,
 		Users:    users,
-	})
+	}, user.IsAdmin)
 
 	return nil
 }
 
 func (self *SettingsView) User(w http.ResponseWriter, r *http.Request) error {
-	id := r.FormValue("userId")
+	var (
+		id   = r.URL.Query().Get("userId")
+		user = ext.GetUserFromCtx(r)
+	)
 	idValue, err := ParseUint(id)
 	if err != nil {
 		return err
 	}
 
 	if idValue == nil {
-		templates.WritePageTemplate(w, &templates.UserPage{})
+		templates.WritePageTemplate(w, &templates.UserPage{}, user.IsAdmin)
 	} else {
 		user, err := self.userController.Get(r.Context(), *idValue)
 		if err != nil {
@@ -67,7 +72,7 @@ func (self *SettingsView) User(w http.ResponseWriter, r *http.Request) error {
 			Username: user.Username,
 			Path:     user.Path,
 			IsAdmin:  user.IsAdmin,
-		})
+		}, user.IsAdmin)
 	}
 
 	return nil
@@ -87,7 +92,15 @@ func (self *SettingsView) UpsertUser(w http.ResponseWriter, r *http.Request) err
 		return err
 	}
 
-	err = self.userController.Upsert(r.Context(), idValue, username, "", password, isAdmin, path)
+	err = self.userController.Upsert(
+		r.Context(),
+		idValue,
+		username,
+		"",
+		password,
+		isAdmin,
+		path,
+	)
 	if err != nil {
 		return err
 	}
@@ -137,12 +150,12 @@ func (self *SettingsView) Save(w http.ResponseWriter, r *http.Request) error {
 }
 
 func (self *SettingsView) SetMyselfIn(r *ext.Router) {
-	r.GET("/settings/", self.Index)
-	r.POST("/settings/", self.Save)
+	r.GET("/settings", Protect(self.Index))
+	r.POST("/settings", Protect(self.Save))
 
-	r.GET("/users/", self.User)
-	r.GET("/users/delete", self.Delete)
-	r.POST("/users/", self.UpsertUser)
+	r.GET("/users", Protect(self.User))
+	r.GET("/users/delete", Protect(self.Delete))
+	r.POST("/users", Protect(self.UpsertUser))
 }
 
 func ParseUint(id string) (*uint, error) {