// Post changes the permissions for this user func (up *UserPermissions) Post(req *Request) { // MUST HAS ADMIN if req.u.Permissions != config.ADMIN { http.Error(req.w, config.InsufficientPermissions(config.ADMIN, req.u.Permissions).Error(), http.StatusBadRequest) return } // get the user we want to update q := req.r.URL.Query() userName := q.Get("user") if userName == "" { http.Error(req.w, "user name must be supplied", http.StatusBadRequest) return } perms := q.Get("perms") if perms == "" { http.Error(req.w, "perms must be supplied", http.StatusBadRequest) return } uPerms := config.NameToPermissions(perms) if uPerms == -1 { http.Error(req.w, fmt.Sprintf("invalid permissions %s", perms), http.StatusBadRequest) return } err := up.pipeline.UpdateConfig(func(conf *config.AppConfig) error { userToUpdate, err := conf.Provider().GetUser(userName) if err != nil { return err } // can't update admin's permissions if userToUpdate.UserName == "admin" { return fmt.Errorf("updating admin's permissions is not allowed") } userToUpdate.Permissions = uPerms return conf.Provider().PutUser(userToUpdate) }, req.u) if err != nil { http.Error(req.w, err.Error(), http.StatusInternalServerError) logrus.Error(err) return } // success }
// Post changes the permissions for this user func (up *UserPassword) Post(req *Request) { // MUST HAS ADMIN if req.u.Permissions != config.ADMIN { http.Error(req.w, config.InsufficientPermissions(config.ADMIN, req.u.Permissions).Error(), http.StatusBadRequest) return } // get the user we want to update q := req.r.URL.Query() userName := q.Get("user") if userName == "" { http.Error(req.w, "user name must be supplied", http.StatusBadRequest) return } newPass := q.Get("new") if newPass == "" { http.Error(req.w, "new password must be supplied", http.StatusBadRequest) return } err := up.pipeline.UpdateConfig(func(conf *config.AppConfig) error { userToUpdate, err := conf.Provider().GetUser(userName) if err != nil { return err } userToUpdate.PasswordHash = config.HashUserPassword(userToUpdate, newPass) return conf.Provider().PutUser(userToUpdate) }, req.u) if err != nil { http.Error(req.w, err.Error(), http.StatusInternalServerError) logrus.Error(err) return } // success }
// wrap the given handler func in a closure that checks for auth first if the // server is configured to use basic auth func (s *Server) wrapAuth(h interface{}) http.HandlerFunc { call := func(w http.ResponseWriter, r *http.Request) { var u *config.User var err error s.pipeline.ViewConfig(func(conf *config.AppConfig) { u, err = authUser(conf.Provider(), r) }) req := &Request{ u: u, r: r, w: w, } switch h := h.(type) { case Get: h(req) case Post: h(req) case Put: h(req) case Delete: h(req) } } // check to see if this auther needs if needsAuth, is := h.(NeedsAuther); is { needs := needsAuth.NeedsAuth() return func(w http.ResponseWriter, r *http.Request) { w.Header().Add("Content-Type", "application/json") w.Header().Add("Access-Control-Allow-Origin", "*") var u *config.User var err error s.pipeline.ViewConfig(func(conf *config.AppConfig) { u, err = authUser(conf.Provider(), r) }) // handle error types if err == InvalidSessionToken { http.Error(w, err.Error(), INVALID_SESSION_TOKEN) logrus.Error(err) return } if err == ExpiredSessionToken { http.Error(w, err.Error(), EXPIRED_SESSION_TOKEN) logrus.Error(err) return } if err != nil { if needs == config.READ { call(w, r) return } http.Error(w, err.Error(), http.StatusUnauthorized) logrus.Errorf("Permission Denied: %s", err.Error()) return } // make sure we have at least the required permissions if u.Permissions < needs { http.Error(w, config.InsufficientPermissions(needs, u.Permissions).Error(), http.StatusForbidden) return } // if all is well, pass it on call(w, r) } } // else auth is not required return func(w http.ResponseWriter, r *http.Request) { w.Header().Add("Access-Control-Allow-Origin", "*") w.Header().Add("Content-Type", "application/json") call(w, r) } }