SynLotto/website
1
0
Fork 0
Code Issues 19 Pull Requests Actions Packages Projects 5 Releases Wiki Activity

Feature: Add account-protected route to mark notifications as read

Browse Source 
- Created /account/notifications/read endpoint secured by session middleware
- Ensured users can only mark their own notifications as read
- Updated dropdown links to point to /account/notifications/read?id={id}
- Improved notification security by matching user_id in DB update
- Added redirect flow to full notifications page after marking read
- Logged DB errors to assist debugging
This commit is contained in:
Ross Healy
2025-04-01 22:12:41 +01:00
parent 1e372da57d
commit 06e647d00f
5 changed files with 74 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
handlers/notifications.go
View File

@@ -3,9 +3,11 @@ package handlers
import ( import (
"database/sql" "database/sql"
"net/http" "net/http"
"strconv"
"text/template" "text/template"
"synlotto-website/helpers" "synlotto-website/helpers"
"synlotto-website/storage"
) )
func NotificationsHandler(db *sql.DB) http.HandlerFunc { func NotificationsHandler(db *sql.DB) http.HandlerFunc {
@@ -18,7 +20,7 @@ func NotificationsHandler(db *sql.DB) http.HandlerFunc {
ParseFiles( ParseFiles(
"templates/layout.html", "templates/layout.html",
"templates/topbar.html", "templates/topbar.html",
"templates/notifications/index.html", "templates/account/notifications/index.html",
)) ))
err := tmpl.ExecuteTemplate(w, "layout", context) err := tmpl.ExecuteTemplate(w, "layout", context)
@@ -27,3 +29,29 @@ func NotificationsHandler(db *sql.DB) http.HandlerFunc {
} }
} }
} }
func MarkNotificationReadHandler(db *sql.DB) http.HandlerFunc {
return func(w http.ResponseWriter, r *http.Request) {
notificationIDStr := r.URL.Query().Get("id")
notificationID, err := strconv.Atoi(notificationIDStr)
if err != nil {
http.Error(w, "Invalid notification ID", http.StatusBadRequest)
return
}
session, _ := helpers.GetSession(w, r)
userID, ok := session.Values["user_id"].(int)
if !ok {
http.Error(w, "Unauthorized", http.StatusUnauthorized)
return
}
err = storage.MarkNotificationAsRead(db, userID, notificationID)
if err != nil {
http.Error(w, "Failed to update", http.StatusInternalServerError)
return
}
http.Redirect(w, r, "/account/notifications", http.StatusSeeOther)
}
}

1
main.go
View File

@@ -68,6 +68,7 @@ func setupAccountRoutes(mux *http.ServeMux, db *sql.DB) {
mux.HandleFunc("/signup", middleware.Auth(false)(handlers.Signup)) mux.HandleFunc("/signup", middleware.Auth(false)(handlers.Signup))
mux.HandleFunc("/account/tickets/add_ticket", handlers.AddTicket(db)) mux.HandleFunc("/account/tickets/add_ticket", handlers.AddTicket(db))
mux.HandleFunc("/account/tickets/my_tickets", handlers.GetMyTickets(db)) mux.HandleFunc("/account/tickets/my_tickets", handlers.GetMyTickets(db))
mux.HandleFunc("/account/notifications/read", middleware.Auth(true)(handlers.MarkNotificationReadHandler(db)))
} }
func setupResultRoutes(mux *http.ServeMux, db *sql.DB) { func setupResultRoutes(mux *http.ServeMux, db *sql.DB) {

23
storage/notifications.go
View File

@@ -2,6 +2,7 @@ package storage
import ( import (
"database/sql" "database/sql"
"fmt"
"log" "log"
"synlotto-website/models" "synlotto-website/models"
@@ -45,3 +46,25 @@ func GetRecentNotifications(db *sql.DB, userID int, limit int) []models.Notifica
return notifications return notifications
} }
func MarkNotificationAsRead(db *sql.DB, userID int, notificationID int) error {
result, err := db.Exec(`
UPDATE notifications
SET is_read = TRUE
WHERE id = ? AND user_id = ?
`, notificationID, userID)
if err != nil {
return err
}
rowsAffected, err := result.RowsAffected()
if err != nil {
return err
}
if rowsAffected == 0 {
return fmt.Errorf("no matching notification found or not owned by user")
}
return nil
}

12
templates/account/notifications/read.html Normal file
View File

@@ -0,0 +1,12 @@
{{ define "notifications_read" }}
<div class="container py-4">
<h2 class="mb-3">Notification</h2>
<div class="card">
<div class="card-body">
<h5 class="card-title">{{ .Notification.Title }}</h5>
<p class="card-text">{{ .Notification.Message }}</p>
<a href="/account/notifications" class="btn btn-primary mt-3">Back to Notifications</a>
</div>
</div>
</div>
{{ end }}

16
templates/topbar.html
View File

@@ -51,13 +51,15 @@
{{ $total := len .Notifications }} {{ $total := len .Notifications }}
{{ range $i, $n := .Notifications }} {{ range $i, $n := .Notifications }}
<li class="px-3 py-2"> <li class="px-3 py-2">
<div class="d-flex align-items-start"> <a href="/account/notifications/read?id={{ $n.ID }}" class="text-decoration-none text-dark d-block">
<i class="bi bi-info-circle text-primary me-2 fs-4"></i> <div class="d-flex align-items-start">
<div> <i class="bi bi-info-circle text-primary me-2 fs-4"></i>
<div class="fw-semibold">{{ $n.Title }}</div> <div>
<small class="text-muted">{{ $n.Message }}</small> <div class="fw-semibold">{{ $n.Title }}</div>
<small class="text-muted">{{ $n.Message }}</small>
</div>
</div> </div>
</div> </a>
</li> </li>
{{ if lt (add $i 1) $total }} {{ if lt (add $i 1) $total }}
<li> <li>
@@ -71,7 +73,7 @@
<li> <li>
<hr class="dropdown-divider"> <hr class="dropdown-divider">
</li> </li>
<li class="text-center"><a href="/notifications" class="dropdown-item">View all notifications</a></li> <li class="text-center"><a href="/account/notifications" class="dropdown-item">View all notifications</a></li>
</ul> </ul>
</div> </div>