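// authoriseReader returns error if the path/resource is not authorised for a
// non-admin ("reader") user.
//
// Access is granted when any one of these holds, checked in order:
//   - path is exactly /stories/create and the user may submit stories
//   - path is exactly /comments/create and the user may comment
//   - path ends in /upvote or /downvote and the user has that vote permission
//     (this is a bare suffix match, so the vote route of ANY resource qualifies)
//   - r is non-nil and reports the user as its owner
//
// Everything else is denied with an error. The "current_user" context value is
// expected to hold a *users.User; if it is absent or of another type the
// request is denied instead of panicking, so a mis-ordered middleware chain
// fails closed.
func authoriseReader(c router.Context, r ResourceModel) error {
	user, ok := c.Get("current_user").(*users.User)
	if !ok || user == nil {
		return fmt.Errorf("Path and Resource not authorized (no current user):%s %v", c.Path(), r)
	}
	path := c.Path()

	switch {
	case path == "/stories/create" && user.CanSubmit():
		return nil
	case path == "/comments/create" && user.CanComment():
		return nil
	// Allow upvotes and downvotes
	case strings.HasSuffix(path, "/upvote") && user.CanUpvote():
		return nil
	case strings.HasSuffix(path, "/downvote") && user.CanDownvote():
		return nil
	}

	// Ownership fallback. r is an interface: a typed nil pointer stored in it
	// is not == nil and OwnedBy would be invoked on it, so callers with no
	// resource must pass a literal nil.
	if r != nil && r.OwnedBy(user.Id) {
		return nil
	}
	return fmt.Errorf("Path and Resource not authorized:%s %v", c.Path(), r)
}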
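// Resource authorises the path and resource for the current user by
// dispatching on role: admins go through authoriseAdmin, every other role
// through authoriseReader.
//
// The resource r is passed straight through; a nil r is NOT automatically
// granted here — authoriseReader, for example, only allows a nil resource
// when one of its path rules matches. The "current_user" context value is
// expected to hold a *users.User; if it is absent or of another type the
// request is denied rather than panicking. Returns nil when access is
// allowed, otherwise an error describing the denial.
func Resource(c router.Context, r ResourceModel) error {
	user, ok := c.Get("current_user").(*users.User)
	if !ok || user == nil {
		return fmt.Errorf("Path and Resource not authorized (no current user):%s %v", c.Path(), r)
	}

	// Check based on user role
	if user.Role == users.RoleAdmin {
		return authoriseAdmin(c, r)
	}
	return authoriseReader(c, r)
}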
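// Resource authorises the path and resource for the current user.
//
// Public paths (as decided by publicPath) are always allowed. Otherwise admins
// are allowed everything, editors are allowed only when r is non-nil and owned
// by them, and every other role is denied. A nil r is therefore a denial for
// editors — it is NOT granted — and is checked before OwnedBy is called so a
// resource-less editor request cannot dereference a nil interface. The
// "current_user" context value is expected to hold a *users.User; if it is
// absent or of another type the request is denied rather than panicking.
func Resource(c router.Context, r ResourceModel) error {
	// Short circuit evaluation if this is a public path
	if publicPath(c.Path()) {
		return nil
	}

	user, ok := c.Get("current_user").(*users.User)
	if !ok || user == nil {
		return fmt.Errorf("Path and Resource not authorized (no current user):%s %v", c.Path(), r)
	}

	switch user.Role {
	case users.RoleAdmin:
		return nil
	case users.RoleEditor:
		// Nil guard: OwnedBy must not be invoked on a nil ResourceModel.
		if r != nil && r.OwnedBy(user.Id) {
			return nil
		}
	}
	return fmt.Errorf("Path and Resource not authorized:%s %v", c.Path(), r)
}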
// CurrentUser returns the saved user (or an empty anon user) for the current session cookie
// Strictly speaking this should be authenticate.User
//
// Resolution order:
//  1. a value already stored under "current_user" on the context wins;
//  2. otherwise the session is built from the secure cookie, the value under
//     auth.SessionUserKey is parsed as a base-10 int64 id, and the matching
//     user record is looked up;
//  3. on any failure along the way (no session, empty/unparseable/zero id,
//     lookup error) the zero-value anonymous user (role 0, id 0) is returned.
//
// The result is not written back onto the context, so repeated calls repeat
// the session and database lookup.
func CurrentUser(context router.Context) *users.User {
	// Already resolved by an earlier caller?
	if cached := context.Get("current_user"); cached != nil {
		return cached.(*users.User)
	}

	// Fallback returned on every failure path below.
	anon := &users.User{}

	session, err := auth.Session(context.Writer(), context.Request())
	if err != nil {
		context.Logf("#error problem retrieving session")
		return anon
	}

	raw := session.Get(auth.SessionUserKey)
	if len(raw) == 0 {
		return anon
	}

	id, err := strconv.ParseInt(raw, 10, 64)
	if err != nil {
		context.Logf("#error Error decoding session user key:%s\n", err)
		return anon
	}
	if id == 0 {
		return anon
	}

	found, err := users.Find(id)
	if err != nil {
		context.Logf("#info User not found from session id:%d\n", id)
		return anon
	}
	return found
}
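// Resource authorises the path and resource for the current user.
//
// Public paths (as decided by publicPath) are always allowed and admins are
// allowed everything. Customers are allowed:
//   - the exact path /files, with no resource required;
//   - paths under /files/ when r is non-nil and owned by them;
//   - /users or paths under /users/ when r is non-nil and owned by them.
// Everything else is denied; a nil r outside /files is NOT automatically
// granted.
//
// Containment is tested at a "/" boundary (root itself or root + "/..."), so
// sibling routes such as /filesystem or /users-export do not count as being
// under /files or /users, which a bare prefix match would have accepted. The
// "current_user" context value is expected to hold a *users.User; if it is
// absent or of another type the request is denied rather than panicking.
func Resource(c router.Context, r ResourceModel) error {
	path := c.Path()

	// Short circuit evaluation if this is a public path
	if publicPath(path) {
		return nil
	}

	user, ok := c.Get("current_user").(*users.User)
	if !ok || user == nil {
		return fmt.Errorf("Path and Resource not authorized (no current user):%s %v", path, r)
	}

	// under reports whether path is root itself or lies beneath root/.
	under := func(root string) bool {
		return path == root || strings.HasPrefix(path, root+"/")
	}

	switch user.Role {
	case users.RoleAdmin:
		return nil
	case users.RoleCustomer:
		// RoleCustomer should have access to /files
		if path == "/files" {
			return nil
		}
		// /files/x/... and /users/x/... only for a resource they own; the nil
		// guard keeps OwnedBy from being invoked on a nil ResourceModel.
		if (under("/files") || under("/users")) && r != nil && r.OwnedBy(user.Id) {
			return nil
		}
	}
	return fmt.Errorf("Path and Resource not authorized:%s %v", c.Path(), r)
}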