Check access to attachments

2018-09-27 18:24:33 +02:00 · 2018-09-27 18:24:33 +02:00 · 9b0c425390
commit 9b0c425390
parent 5f7abc2187
4 changed files with 23 additions and 7 deletions
--- a/crm/rest/router.go
+++ b/crm/rest/router.go
@ -23,7 +23,7 @@ func MountRoutes(jwtAuth auth.TokenEncoder) func(chi.Router) {
 	return func(r chi.Router) {
 		// Protect all _private_ routes
 		r.Group(func(r chi.Router) {
-			r.Use(auth.AuthenticationMiddlewareValidOnly)
+			r.Use(auth.MiddlewareValidOnly)

 			handlers.NewField(field).MountRoutes(r)
 			handlers.NewModule(module).MountRoutes(r)
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@ -6,7 +6,7 @@ import (
 	"net/http"
 )

-func AuthenticationMiddlewareValidOnly(next http.Handler) http.Handler {
+func MiddlewareValidOnly(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		var ctx = r.Context()

@ -18,3 +18,16 @@ func AuthenticationMiddlewareValidOnly(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func MiddlewareValidOnly404(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var ctx = r.Context()
+
+		if !GetIdentityFromContext(ctx).Valid() {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
--- a/sam/rest/handlers/attachment_custom.go
+++ b/sam/rest/handlers/attachment_custom.go
@ -27,9 +27,9 @@ func NewAttachmentDownloadable(ah AttachmentAPI) *Attachment {
 		if err != nil {
 			switch true {
 			case err.Error() == "crust.sam.repository.AttachmentNotFound":
-				http.Error(w, "Attachment not found", 404)
+				w.WriteHeader(http.StatusNotFound)
 			default:
-				http.Error(w, err.Error(), 500)
+				http.Error(w, err.Error(), http.StatusInternalServerError)
 			}
 		} else if dl, ok := f.(Downloadable); ok {
 			if dl.Download() {
@ -38,7 +38,7 @@ func NewAttachmentDownloadable(ah AttachmentAPI) *Attachment {

 			http.ServeContent(w, r, dl.Name(), dl.ModTime(), dl.Content())
 		} else {
-			http.Error(w, "Got incompatible type from controller", 500)
+			http.Error(w, "Got incompatible type from controller", http.StatusInternalServerError)
 		}
 	}

--- a/sam/rest/router.go
+++ b/sam/rest/router.go
@ -9,11 +9,14 @@ import (
 func MountRoutes() func(chi.Router) {
 	// Initialize handers & controllers.
 	return func(r chi.Router) {
-		handlers.NewAttachmentDownloadable(Attachment{}.New()).MountRoutes(r)
+		r.Group(func(r chi.Router) {
+			r.Use(auth.MiddlewareValidOnly404)
+			handlers.NewAttachmentDownloadable(Attachment{}.New()).MountRoutes(r)
+		})

 		// Protect all _private_ routes
 		r.Group(func(r chi.Router) {
-			r.Use(auth.AuthenticationMiddlewareValidOnly)
+			r.Use(auth.MiddlewareValidOnly)

 			handlers.NewChannel(Channel{}.New()).MountRoutes(r)
 			handlers.NewMessage(Message{}.New()).MountRoutes(r)