fix REST API permission checks (#209)

2025-08-25 14:31:14 +00:00 · 2024-01-31 21:14:36 +01:00
parent 81e696fc7d
commit 1b4b5ff161
14 changed files with 239 additions and 26 deletions
--- a/internal/app/api/v0/handlers/middleware_authentication.go
+++ b/internal/app/api/v0/handlers/middleware_authentication.go
@@ -58,6 +58,31 @@ func (h authenticationHandler) LoggedIn(scopes ...Scope) gin.HandlerFunc {
 	}
 }

+// UserIdMatch checks if the user id in the session matches the user id in the request. If not, the request is aborted.
+func (h authenticationHandler) UserIdMatch(idParameter string) gin.HandlerFunc {
+	return func(c *gin.Context) {
+		session := h.Session.GetData(c)
+
+		if session.IsAdmin {
+			c.Next() // Admins can do everything
+			return
+		}
+
+		sessionUserId := domain.UserIdentifier(session.UserIdentifier)
+		requestUserId := domain.UserIdentifier(Base64UrlDecode(c.Param(idParameter)))
+
+		if sessionUserId != requestUserId {
+			// Abort the request with the appropriate error code
+			c.Abort()
+			c.JSON(http.StatusForbidden, model.Error{Code: http.StatusForbidden, Message: "not enough permissions"})
+			return
+		}
+
+		// Continue down the chain to handler etc
+		c.Next()
+	}
+}
+
 func UserHasScopes(session SessionData, scopes ...Scope) bool {
 	// No scopes give, so the check should succeed
 	if len(scopes) == 0 {