fix auth for update_field_handler

phono-server/src/routes/relations_single/update_field_handler.rs

@@ -1,5 +1,13 @@
-use axum::{debug_handler, extract::Path, response::Response};
-use phono_models::{field::Field, presentation::Presentation};
+use axum::{
+    debug_handler,
+    extract::{Path, State},
+    response::Response,
+};
+use phono_models::{
+    accessors::{Accessor, Actor, portal::PortalAccessor},
+    field::Field,
+    presentation::Presentation,
+};
 use serde::Deserialize;
 use sqlx::postgres::types::Oid;
 use uuid::Uuid;
@@ -12,6 +20,7 @@ use crate::{
     navigator::{Navigator, NavigatorPage},
     presentation_form::PresentationForm,
     user::CurrentUser,
+    workspace_pooler::WorkspacePooler,
 };
 
 #[derive(Debug, Deserialize)]
@@ -59,8 +68,9 @@ impl From<FormBody> for PresentationForm {
 /// [`PathParams`].
 #[debug_handler(state = App)]
 pub(super) async fn post(
+    State(mut pooler): State<WorkspacePooler>,
     AppDbConn(mut app_db): AppDbConn,
-    CurrentUser(_user): CurrentUser,
+    CurrentUser(user): CurrentUser,
     navigator: Navigator,
     Path(PathParams {
         portal_id,
@@ -71,8 +81,22 @@ pub(super) async fn post(
 ) -> Result<Response, AppError> {
     // FIXME CSRF
 
-    // FIXME ensure workspace corresponds to rel/portal, and that user has
-    // permission to access/alter both as needed.
+    let mut workspace_client = pooler
+        .acquire_for(
+            workspace_id,
+            crate::workspace_pooler::RoleAssignment::User(user.id),
+        )
+        .await?;
+    PortalAccessor::new()
+        .id(portal_id)
+        .as_actor(Actor::User(user.id))
+        .verify_rel_oid(Oid(rel_oid))
+        .verify_workspace_id(workspace_id)
+        .verify_rel_ownership()
+        .using_workspace_client(&mut workspace_client)
+        .using_app_db(&mut app_db)
+        .fetch_one()
+        .await?;
 
     // Ensure field exists and belongs to portal.
     Field::belonging_to_portal(portal_id)