fix REST API permission checks (#209)

2025-09-15 07:11:15 +00:00 · 2024-01-31 21:14:36 +01:00
parent 81e696fc7d
commit 1b4b5ff161
14 changed files with 239 additions and 26 deletions
--- a/internal/domain/context.go
+++ b/internal/domain/context.go
@@ -3,6 +3,7 @@ package domain
 import (
 	"context"
 	"fmt"
+	"github.com/sirupsen/logrus"

 	"github.com/gin-gonic/gin"
 )
@@ -72,3 +73,29 @@ func GetUserInfo(ctx context.Context) *ContextUserInfo {

 	return DefaultContextUserInfo()
 }
+
+func ValidateUserAccessRights(ctx context.Context, requiredUser UserIdentifier) error {
+	sessionUser := GetUserInfo(ctx)
+
+	if sessionUser.IsAdmin {
+		return nil // Admins can do everything
+	}
+
+	if sessionUser.Id == requiredUser {
+		return nil // User can access own data
+	}
+
+	logrus.Warnf("insufficient permissions for %s (want %s), stack: %s", sessionUser.Id, requiredUser, GetStackTrace())
+	return fmt.Errorf("insufficient permissions")
+}
+
+func ValidateAdminAccessRights(ctx context.Context) error {
+	sessionUser := GetUserInfo(ctx)
+
+	if sessionUser.IsAdmin {
+		return nil
+	}
+
+	logrus.Warnf("insufficient admin permissions for %s, stack: %s", sessionUser.Id, GetStackTrace())
+	return fmt.Errorf("insufficient permissions")
+}