// Post changes the permissions for this user
func (up *UserPermissions) Post(req *Request) {
// MUST HAS ADMIN
if req.u.Permissions != config.ADMIN {
http.Error(req.w, config.InsufficientPermissions(config.ADMIN, req.u.Permissions).Error(), http.StatusBadRequest)
return
}
// get the user we want to update
q := req.r.URL.Query()
userName := q.Get("user")
if userName == "" {
http.Error(req.w, "user name must be supplied", http.StatusBadRequest)
return
}
perms := q.Get("perms")
if perms == "" {
http.Error(req.w, "perms must be supplied", http.StatusBadRequest)
return
}
uPerms := config.NameToPermissions(perms)
if uPerms == -1 {
http.Error(req.w, fmt.Sprintf("invalid permissions %s", perms), http.StatusBadRequest)
return
}
err := up.pipeline.UpdateConfig(func(conf *config.AppConfig) error {
userToUpdate, err := conf.Provider().GetUser(userName)
if err != nil {
return err
}
// can't update admin's permissions
if userToUpdate.UserName == "admin" {
return fmt.Errorf("updating admin's permissions is not allowed")
}
userToUpdate.Permissions = uPerms
return conf.Provider().PutUser(userToUpdate)
}, req.u)
if err != nil {
http.Error(req.w, err.Error(), http.StatusInternalServerError)
logrus.Error(err)
return
}
// success
}
// Post changes the permissions for this user
func (up *UserPassword) Post(req *Request) {
// MUST HAS ADMIN
if req.u.Permissions != config.ADMIN {
http.Error(req.w, config.InsufficientPermissions(config.ADMIN, req.u.Permissions).Error(), http.StatusBadRequest)
return
}
// get the user we want to update
q := req.r.URL.Query()
userName := q.Get("user")
if userName == "" {
http.Error(req.w, "user name must be supplied", http.StatusBadRequest)
return
}
newPass := q.Get("new")
if newPass == "" {
http.Error(req.w, "new password must be supplied", http.StatusBadRequest)
return
}
err := up.pipeline.UpdateConfig(func(conf *config.AppConfig) error {
userToUpdate, err := conf.Provider().GetUser(userName)
if err != nil {
return err
}
userToUpdate.PasswordHash = config.HashUserPassword(userToUpdate, newPass)
return conf.Provider().PutUser(userToUpdate)
}, req.u)
if err != nil {
http.Error(req.w, err.Error(), http.StatusInternalServerError)
logrus.Error(err)
return
}
// success
}
// wrap the given handler func in a closure that checks for auth first if the
// server is configured to use basic auth
func (s *Server) wrapAuth(h interface{}) http.HandlerFunc {
call := func(w http.ResponseWriter, r *http.Request) {
var u *config.User
var err error
s.pipeline.ViewConfig(func(conf *config.AppConfig) {
u, err = authUser(conf.Provider(), r)
})
req := &Request{
u: u,
r: r,
w: w,
}
switch h := h.(type) {
case Get:
h(req)
case Post:
h(req)
case Put:
h(req)
case Delete:
h(req)
}
}
// check to see if this auther needs
if needsAuth, is := h.(NeedsAuther); is {
needs := needsAuth.NeedsAuth()
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Content-Type", "application/json")
w.Header().Add("Access-Control-Allow-Origin", "*")
var u *config.User
var err error
s.pipeline.ViewConfig(func(conf *config.AppConfig) {
u, err = authUser(conf.Provider(), r)
})
// handle error types
if err == InvalidSessionToken {
http.Error(w, err.Error(), INVALID_SESSION_TOKEN)
logrus.Error(err)
return
}
if err == ExpiredSessionToken {
http.Error(w, err.Error(), EXPIRED_SESSION_TOKEN)
logrus.Error(err)
return
}
if err != nil {
if needs == config.READ {
call(w, r)
return
}
http.Error(w, err.Error(), http.StatusUnauthorized)
logrus.Errorf("Permission Denied: %s", err.Error())
return
}
// make sure we have at least the required permissions
if u.Permissions < needs {
http.Error(w, config.InsufficientPermissions(needs, u.Permissions).Error(), http.StatusForbidden)
return
}
// if all is well, pass it on
call(w, r)
}
}
// else auth is not required
return func(w http.ResponseWriter, r *http.Request) {
w.Header().Add("Access-Control-Allow-Origin", "*")
w.Header().Add("Content-Type", "application/json")
call(w, r)
}
}