ami/tl-vikunja
1
0
Fork 0
Code Activity

Added right check for namespaces

Browse Source
This commit is contained in:
konrad
2018-07-12 13:43:42 +02:00
committed by kolaente
parent fb4fa25f2f
commit bae9c7f35e
3 changed files with 38 additions and 33 deletions
Download Patch File Download Diff File Expand all files Collapse all files

16
routes/api/v1/namespace_show.go
View File

@ -30,18 +30,7 @@ func ShowNamespace(c echo.Context) error {
// "500":
// "$ref": "#/responses/Message"
namespace, err := getNamespace(c)
if err != nil {
if models.IsErrNamespaceDoesNotExist(err) {
return c.JSON(http.StatusNotFound, models.Message{"Namespace not found."})
}
if models.IsErrUserDoesNotHaveAccessToNamespace(err) {
return c.JSON(http.StatusForbidden, models.Message{"You don't have access to this namespace."})
}
return c.JSON(http.StatusInternalServerError, models.Message{"An error occured."})
}
return c.JSON(http.StatusOK, namespace)
return echo.NewHTTPError(http.StatusNotImplemented)
}
func getNamespace(c echo.Context) (namespace models.Namespace, err error) {
@ -64,8 +53,7 @@ func getNamespace(c echo.Context) (namespace models.Namespace, err error) {
if err != nil {
return
}
err = user.HasNamespaceAccess(&namespace)
if err != nil {
if !namespace.CanRead(&user) {
return
}

16
routes/crud/read_one.go
View File

@ -1,7 +1,6 @@
package crud
import (
"fmt"
"git.kolaente.de/konrad/list/models"
"github.com/labstack/echo"
"net/http"
@ -16,9 +15,6 @@ func (c *WebHandler) ReadOneWeb(ctx echo.Context) error {
return echo.NewHTTPError(http.StatusBadRequest, "Invalid ID.")
}
// TODO check rights
//c.CObject.CanRead(doer)
// Get our object
err = c.CObject.ReadOne(id)
if err != nil {
@ -30,10 +26,18 @@ func (c *WebHandler) ReadOneWeb(ctx echo.Context) error {
return echo.NewHTTPError(http.StatusNotFound)
}
fmt.Println(err)
return echo.NewHTTPError(http.StatusInternalServerError, "An error occured.")
}
// Check rights
// We can only check the rights on a full object, which is why we need to check it afterwards
currentUser, err := models.GetCurrentUser(ctx)
if err != nil {
return echo.NewHTTPError(http.StatusInternalServerError, "Could not determine the current user.")
}
if !c.CObject.CanRead(&currentUser) {
return echo.NewHTTPError(http.StatusForbidden, "You don't have the right to see this")
}
return ctx.JSON(http.StatusOK, c.CObject)
}