From fd511e703e7446410dc8943d5a74cc441a5d4f6b Mon Sep 17 00:00:00 2001
From: Mitja Zivkovic
Date: Mon, 25 Feb 2019 21:54:36 +0100
Subject: [PATCH] add(messaging): check service access permissions
---
 messaging/rest/middleware.go | 18 ++++++++++++++++++
 messaging/rest/router.go | 1 +
 messaging/service/permissions_test.go | 7 ++++++-
 3 files changed, 25 insertions(+), 1 deletion(-)
 create mode 100644 messaging/rest/middleware.go
diff --git a/messaging/rest/middleware.go b/messaging/rest/middleware.go
new file mode 100644
index 000000000..fab9c08cc
--- /dev/null
+++ b/messaging/rest/middleware.go
@@ -0,0 +1,18 @@
+package rest
+
+import (
+ "net/http"
+
+ "github.com/crusttech/crust/messaging/service"
+)
+
+func middlewareAllowedAccess(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ if !service.DefaultPermissions.With(r.Context()).CanAccessMessaging() {
+ http.Error(w, http.StatusText(http.StatusForbidden), http.StatusForbidden)
+ return
+ }
+
+ next.ServeHTTP(w, r)
+ })
+}
diff --git a/messaging/rest/router.go b/messaging/rest/router.go
index b77728c2d..1cea96d27 100644
--- a/messaging/rest/router.go
+++ b/messaging/rest/router.go
@@ -18,6 +18,7 @@ func MountRoutes() func(chi.Router) {
 // Protect all _private_ routes
 r.Group(func(r chi.Router) {
 r.Use(auth.MiddlewareValidOnly)
+ r.Use(middlewareAllowedAccess)
 handlers.NewChannel(Channel{}.New()).MountRoutes(r)
 handlers.NewMessage(Message{}.New()).MountRoutes(r)
diff --git a/messaging/service/permissions_test.go b/messaging/service/permissions_test.go
index ac53cc9e0..bc2366e3a 100644
--- a/messaging/service/permissions_test.go
+++ b/messaging/service/permissions_test.go
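Review bot: In messaging/rest/middleware.go, `middlewareAllowedAccess` has no doc comment, and its one hidden requirement is not written down: the check receives only `r.Context()`, so it can only be as good as the identity an earlier middleware placed there. I would add `// middlewareAllowedAccess answers 403 Forbidden unless the identity in the request context may access messaging; mount it after the authentication middleware.` above the function. The denial branch also returns without recording anything, so a refused request leaves no trace for whoever later has to investigate; a log line there using the project's logger (not visible in this patch) would help. The diffstat lists no test file under messaging/rest, so the 403 path appears to be uncovered by this commit.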
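Review bot: In messaging/rest/router.go the new `r.Use(middlewareAllowedAccess)` gates only what is mounted inside this `r.Group`; MountRoutes starts and ends outside the hunk, so any handler registered on the outer router would still be reachable without the messaging permission, and that is worth confirming before merge. The position after `auth.MiddlewareValidOnly` is load-bearing, yet the existing comment does not say so. I would extend it to `// Protect all _private_ routes: valid identity first, then messaging access (order matters)`.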
@@ -42,7 +42,12 @@ func TestPermissions(t *testing.T) { ctx = auth.SetIdentityToContext(ctx, user) // Generate services. - channelSvc := Channel().With(ctx) + channelSvc := (&channel{ + usr: systemService.User(), + evl: Event(), + prm: Permissions(), + }).With(ctx) + permissionsSvc := Permissions().With(ctx) systemPermissionSvc := systemService.Permissions().With(ctx)