Diffstat (limited to 'ufund-api/src/main')
-rw-r--r--ufund-api/src/main/java/com/ufund/api/ufundapi/model/User.java35
-rw-r--r--ufund-api/src/main/java/com/ufund/api/ufundapi/persistence/CupboardFileDAO.java2
-rw-r--r--ufund-api/src/main/java/com/ufund/api/ufundapi/service/AuthService.java13
3 files changed, 28 insertions, 22 deletions
diff --git a/ufund-api/src/main/java/com/ufund/api/ufundapi/model/User.java b/ufund-api/src/main/java/com/ufund/api/ufundapi/model/User.java
index 1e182a6..61293b9 100644
--- a/ufund-api/src/main/java/com/ufund/api/ufundapi/model/User.java
+++ b/ufund-api/src/main/java/com/ufund/api/ufundapi/model/User.java
@@ -7,40 +7,35 @@ import com.fasterxml.jackson.annotation.JsonProperty;
public class User {
- @JsonProperty("username")
- private final String username;
- @JsonProperty("passwordHash")
- private int passwordHash;
- @JsonProperty("basket")
- private final List<Need> basket;
-
- /**
- * Create a new user
- *
- * @param username The name of the user
- */
- public User(String username) {
- this.username = username;
- basket = new ArrayList<>();
+ public enum UserType {
+ HELPER,
+ MANAGER
}
+ @JsonProperty("username") private final String username;
+ @JsonProperty("passwordHash") private int passwordHash;
+ @JsonProperty("basket") private final List<Need> basket;
+ @JsonProperty("type") private final UserType type;
+
/**
* Create a new user
*
* @param username The name of the user
* @param basket A basket to copy from
*/
- public User(@JsonProperty("username") String username, @JsonProperty("passwordHash") int passwordHash, @JsonProperty("basket") List<Need> basket) {
+ public User(@JsonProperty("username") String username, @JsonProperty("passwordHash") int passwordHash, @JsonProperty("basket") List<Need> basket, @JsonProperty("type") UserType userType) {
this.username = username;
this.basket = basket;
this.passwordHash = passwordHash;
+ this.type = userType;
}
public static User create(String username, String password) {
return new User(
username,
password.hashCode(),
- new ArrayList<>()
+ new ArrayList<>(),
+ UserType.HELPER
);
}
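Review bot: The new `type` field is bound straight from JSON through the `@JsonProperty("type")` constructor parameter, so the role is whatever the serialized document says. If any endpoint deserializes a client-supplied body into `User` (none is visible in this diff), a caller could submit `"type": "MANAGER"`. Records persisted before this commit have no `type` key and will presumably load with `type == null`, which `getType()` then returns to callers. I would default it in the constructor, `this.type = userType != null ? userType : UserType.HELPER;`, and have request-handling code assign the role server-side rather than trust the payload. The constructor Javadoc also still lacks `@param` entries for `passwordHash` and the new `userType`.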
@@ -65,7 +60,11 @@ public class User {
}
public User withoutPasswordHash() {
- return new User(this.username, 0, this.basket);
+ return new User(this.username, 0, this.basket, this.type);
+ }
+
+ public UserType getType() {
+ return type;
}
}
diff --git a/ufund-api/src/main/java/com/ufund/api/ufundapi/persistence/CupboardFileDAO.java b/ufund-api/src/main/java/com/ufund/api/ufundapi/persistence/CupboardFileDAO.java
index c4aaca3..521acae 100644
--- a/ufund-api/src/main/java/com/ufund/api/ufundapi/persistence/CupboardFileDAO.java
+++ b/ufund-api/src/main/java/com/ufund/api/ufundapi/persistence/CupboardFileDAO.java
@@ -22,7 +22,7 @@ public class CupboardFileDAO implements CupboardDAO {
this.filename = filename;
this.objectMapper = objectMapper;
needs = new TreeMap<>();
- load(); // load the heroes from the file
+ load();
}
private synchronized static int nextId() {
diff --git a/ufund-api/src/main/java/com/ufund/api/ufundapi/service/AuthService.java b/ufund-api/src/main/java/com/ufund/api/ufundapi/service/AuthService.java
index 591d891..5a1a492 100644
--- a/ufund-api/src/main/java/com/ufund/api/ufundapi/service/AuthService.java
+++ b/ufund-api/src/main/java/com/ufund/api/ufundapi/service/AuthService.java
@@ -1,5 +1,6 @@
package com.ufund.api.ufundapi.service;
+import com.ufund.api.ufundapi.model.User;
import com.ufund.api.ufundapi.model.UserAuth;
import com.ufund.api.ufundapi.persistence.UserAuthDAO;
import org.springframework.stereotype.Component;
@@ -20,13 +21,19 @@ public class AuthService {
/**
* Check if the provided key has access to the provided user.
*
- * @param username The username of the user trying to be accessed.
+ * @param targetUsername The targetUsername of the user trying to be accessed.
* @param key The api key obtained by the client from logging in.
* @throws IllegalAccessException Thrown if access was denied to the user.
*/
- public void authenticate(String username, String key) throws IllegalAccessException, IOException {
+ public void authenticate(String targetUsername, String key) throws IllegalAccessException, IOException {
var userAuth = userAuthDAO.getUserAuth(key);
- if (userAuth == null || !userAuth.getUsername().equals(username)) {
+ if (userAuth == null) {
+ throw new IllegalAccessException("Unauthenticated");
+ }
+
+ var username = userAuth.getUsername();
+ var userType = userService.getUser(username).getType();
+ if (!username.equals(targetUsername) && userType != User.UserType.MANAGER) {
throw new IllegalAccessException("Unauthorized");
}
}
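Review bot: `userService.getUser(username).getType()` dereferences the lookup result without a null check, so a key whose user record no longer exists would presumably surface as a `NullPointerException` instead of the documented `IllegalAccessException`; what `getUser` returns for a missing user is not visible here. I would hold the result in a local and treat null as denied, e.g. `if (user == null) throw new IllegalAccessException("Unauthenticated");`. The manager branch also means every caller of `authenticate` now lets a MANAGER key act on any account, and the Javadoc should say so: `Managers are granted access to every user; all other users only to themselves.` It is worth confirming that each call site (none are visible in this diff) is meant to be manager-accessible.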