From 9b0c425390ffbc702ccd2428563d6a6d052d5693 Mon Sep 17 00:00:00 2001
From: Denis Arh
Date: Thu, 27 Sep 2018 18:24:33 +0200
Subject: [PATCH] Check access to attachments

---
 crm/rest/router.go | 2 +-
 internal/auth/middleware.go | 15 ++++++++++++++-
 sam/rest/handlers/attachment_custom.go | 6 +++---
 sam/rest/router.go | 7 +++++--
 4 files changed, 23 insertions(+), 7 deletions(-)

diff --git a/crm/rest/router.go b/crm/rest/router.go
index 36e19c369..df1c65239 100644
--- a/crm/rest/router.go
+++ b/crm/rest/router.go
@@ -23,7 +23,7 @@ func MountRoutes(jwtAuth auth.TokenEncoder) func(chi.Router) {
 	return func(r chi.Router) {
 		// Protect all _private_ routes
 		r.Group(func(r chi.Router) {
-			r.Use(auth.AuthenticationMiddlewareValidOnly)
+			r.Use(auth.MiddlewareValidOnly)
 			handlers.NewField(field).MountRoutes(r)
 			handlers.NewModule(module).MountRoutes(r)
diff --git a/internal/auth/middleware.go b/internal/auth/middleware.go
index 1bc32cc94..31c480307 100644
--- a/internal/auth/middleware.go
+++ b/internal/auth/middleware.go
@@ -6,7 +6,7 @@ import (
 	"net/http"
 )
-func AuthenticationMiddlewareValidOnly(next http.Handler) http.Handler {
+func MiddlewareValidOnly(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		var ctx = r.Context()
@@ -18,3 +18,16 @@ func AuthenticationMiddlewareValidOnly(next http.Handler) http.Handler {
 		next.ServeHTTP(w, r)
 	})
 }
+
+func MiddlewareValidOnly404(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		var ctx = r.Context()
+
+		if !GetIdentityFromContext(ctx).Valid() {
+			w.WriteHeader(http.StatusForbidden)
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
diff --git a/sam/rest/handlers/attachment_custom.go b/sam/rest/handlers/attachment_custom.go
index 11d1b14a6..9fd84606e 100644
--- a/sam/rest/handlers/attachment_custom.go
+++ b/sam/rest/handlers/attachment_custom.go
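Review bot: MiddlewareValidOnly404 rejects an invalid identity with `w.WriteHeader(http.StatusForbidden)`, so the name promises a 404 while the client actually receives a 403; the route group in sam/rest/router.go that relies on it will not get the "missing and forbidden look the same" behaviour the name implies. Either send `http.StatusNotFound` or rename the function to say what it does. The body is otherwise a copy of MiddlewareValidOnly with only the status changed, so a single unexported `validOnly(status int) func(http.Handler) http.Handler` used by both exported wrappers would keep them from drifting, though MiddlewareValidOnly's rejection branch lies outside this hunk and I cannot confirm what it currently writes. As an exported name it also needs a doc comment, e.g. `// MiddlewareValidOnly404 passes the request on only when the context carries a valid identity; otherwise it answers with a bare status and no body.`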
@@ -27,9 +27,9 @@ func NewAttachmentDownloadable(ah AttachmentAPI) *Attachment {
 		if err != nil {
 			switch true {
 			case err.Error() == "crust.sam.repository.AttachmentNotFound":
-				http.Error(w, "Attachment not found", 404)
+				w.WriteHeader(http.StatusNotFound)
 			default:
-				http.Error(w, err.Error(), 500)
+				http.Error(w, err.Error(), http.StatusInternalServerError)
 			}
 		} else if dl, ok := f.(Downloadable); ok {
 			if dl.Download() {
@@ -38,7 +38,7 @@ func NewAttachmentDownloadable(ah AttachmentAPI) *Attachment {
 			http.ServeContent(w, r, dl.Name(), dl.ModTime(), dl.Content())
 		} else {
-			http.Error(w, "Got incompatible type from controller", 500)
+			http.Error(w, "Got incompatible type from controller", http.StatusInternalServerError)
 		}
 	}
diff --git a/sam/rest/router.go b/sam/rest/router.go
index 7ba1e678a..f1dfd9289 100644
--- a/sam/rest/router.go
+++ b/sam/rest/router.go
@@ -9,11 +9,14 @@ import (
 func MountRoutes() func(chi.Router) {
 	// Initialize handers & controllers.
 	return func(r chi.Router) {
-		handlers.NewAttachmentDownloadable(Attachment{}.New()).MountRoutes(r)
+		r.Group(func(r chi.Router) {
+			r.Use(auth.MiddlewareValidOnly404)
+			handlers.NewAttachmentDownloadable(Attachment{}.New()).MountRoutes(r)
+		})
 		// Protect all _private_ routes
 		r.Group(func(r chi.Router) {
-			r.Use(auth.AuthenticationMiddlewareValidOnly)
+			r.Use(auth.MiddlewareValidOnly)
 			handlers.NewChannel(Channel{}.New()).MountRoutes(r)
 			handlers.NewMessage(Message{}.New()).MountRoutes(r)
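Review bot: The `default` branch still writes `err.Error()` into the 500 response, so whatever text the repository or storage layer puts in its errors (paths, driver messages) is returned to the caller; log the error server-side and answer with a fixed message, `http.Error(w, "Internal server error", http.StatusInternalServerError)`. The `case err.Error() == "crust.sam.repository.AttachmentNotFound"` branch matches on message text, which silently falls through to the 500 path as soon as the repository wraps or rewords that error; comparing against the repository's error value, whatever sentinel it exports, would be sturdier than the string. The enclosing handler closure starts before this hunk.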
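Review bot: The new group around the attachment routes only establishes that a valid identity is present (MiddlewareValidOnly404 checks `GetIdentityFromContext(ctx).Valid()` and nothing else), so after this change any authenticated user can fetch any attachment whose identifier they know; whether the caller may see the channel the attachment belongs to has to be decided in the attachment controller, which this diff does not touch. If that check already exists there, a comment above `r.Use(auth.MiddlewareValidOnly404)` such as `// authentication only; per-attachment authorization is done in the attachment controller` would document the split. If it does not, the commit title "Check access to attachments" overstates what is enforced. Note too that MiddlewareValidOnly404 as added in internal/auth/middleware.go answers with 403, not 404, so this group does not hide attachment existence from unauthenticated callers.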