fix REST API permission checks (#209)

2025-11-03 23:56:18 +00:00 · 2024-01-31 21:14:36 +01:00
parent 81e696fc7d
commit 1b4b5ff161
14 changed files with 239 additions and 26 deletions
--- a/internal/domain/context.go
+++ b/internal/domain/context.go
@@ -3,6 +3,7 @@ package domain
 import (
 	"context"
 	"fmt"
+	"github.com/sirupsen/logrus"

 	"github.com/gin-gonic/gin"
 )
@@ -72,3 +73,29 @@ func GetUserInfo(ctx context.Context) *ContextUserInfo {

 	return DefaultContextUserInfo()
 }
+
+func ValidateUserAccessRights(ctx context.Context, requiredUser UserIdentifier) error {
+	sessionUser := GetUserInfo(ctx)
+
+	if sessionUser.IsAdmin {
+		return nil // Admins can do everything
+	}
+
+	if sessionUser.Id == requiredUser {
+		return nil // User can access own data
+	}
+
+	logrus.Warnf("insufficient permissions for %s (want %s), stack: %s", sessionUser.Id, requiredUser, GetStackTrace())
+	return fmt.Errorf("insufficient permissions")
+}
+
+func ValidateAdminAccessRights(ctx context.Context) error {
+	sessionUser := GetUserInfo(ctx)
+
+	if sessionUser.IsAdmin {
+		return nil
+	}
+
+	logrus.Warnf("insufficient admin permissions for %s, stack: %s", sessionUser.Id, GetStackTrace())
+	return fmt.Errorf("insufficient permissions")
+}
--- a/internal/domain/errors.go
+++ b/internal/domain/errors.go
@@ -1,6 +1,18 @@
 package domain

-import "errors"
+import (
+	"errors"
+	"runtime"
+)

 var ErrNotFound = errors.New("record not found")
 var ErrNotUnique = errors.New("record not unique")
+
+// GetStackTrace returns a stack trace of the current goroutine. The stack trace has at most 1024 bytes.
+func GetStackTrace() string {
+	b := make([]byte, 1024)
+	n := runtime.Stack(b, false)
+	s := string(b[:n])
+
+	return s
+}