Пример #1
0
// Post changes the permissions for this user
func (up *UserPermissions) Post(req *Request) {

	// MUST HAS ADMIN
	if req.u.Permissions != config.ADMIN {
		http.Error(req.w, config.InsufficientPermissions(config.ADMIN, req.u.Permissions).Error(), http.StatusBadRequest)
		return
	}

	// get the user we want to update
	q := req.r.URL.Query()
	userName := q.Get("user")
	if userName == "" {
		http.Error(req.w, "user name must be supplied", http.StatusBadRequest)
		return
	}

	perms := q.Get("perms")
	if perms == "" {
		http.Error(req.w, "perms must be supplied", http.StatusBadRequest)
		return
	}

	uPerms := config.NameToPermissions(perms)
	if uPerms == -1 {
		http.Error(req.w, fmt.Sprintf("invalid permissions %s", perms), http.StatusBadRequest)
		return
	}

	err := up.pipeline.UpdateConfig(func(conf *config.AppConfig) error {
		userToUpdate, err := conf.Provider().GetUser(userName)
		if err != nil {
			return err
		}

		// can't update admin's permissions
		if userToUpdate.UserName == "admin" {
			return fmt.Errorf("updating admin's permissions is not allowed")
		}

		userToUpdate.Permissions = uPerms
		return conf.Provider().PutUser(userToUpdate)

	}, req.u)
	if err != nil {
		http.Error(req.w, err.Error(), http.StatusInternalServerError)
		logrus.Error(err)
		return
	}

	// success
}
Пример #2
0
// Post changes the permissions for this user
func (up *UserPassword) Post(req *Request) {

	// MUST HAS ADMIN
	if req.u.Permissions != config.ADMIN {
		http.Error(req.w, config.InsufficientPermissions(config.ADMIN, req.u.Permissions).Error(), http.StatusBadRequest)
		return
	}

	// get the user we want to update
	q := req.r.URL.Query()
	userName := q.Get("user")
	if userName == "" {
		http.Error(req.w, "user name must be supplied", http.StatusBadRequest)
		return
	}

	newPass := q.Get("new")
	if newPass == "" {
		http.Error(req.w, "new password must be supplied", http.StatusBadRequest)
		return
	}

	err := up.pipeline.UpdateConfig(func(conf *config.AppConfig) error {
		userToUpdate, err := conf.Provider().GetUser(userName)
		if err != nil {
			return err
		}

		userToUpdate.PasswordHash = config.HashUserPassword(userToUpdate, newPass)
		return conf.Provider().PutUser(userToUpdate)

	}, req.u)
	if err != nil {
		http.Error(req.w, err.Error(), http.StatusInternalServerError)
		logrus.Error(err)
		return
	}

	// success
}
Пример #3
0
// wrap the given handler func in a closure that checks for auth first if the
// server is configured to use basic auth
func (s *Server) wrapAuth(h interface{}) http.HandlerFunc {

	call := func(w http.ResponseWriter, r *http.Request) {

		var u *config.User
		var err error

		s.pipeline.ViewConfig(func(conf *config.AppConfig) {
			u, err = authUser(conf.Provider(), r)
		})

		req := &Request{
			u: u,
			r: r,
			w: w,
		}
		switch h := h.(type) {
		case Get:
			h(req)
		case Post:
			h(req)
		case Put:
			h(req)
		case Delete:
			h(req)
		}
	}

	// check to see if this auther needs
	if needsAuth, is := h.(NeedsAuther); is {
		needs := needsAuth.NeedsAuth()

		return func(w http.ResponseWriter, r *http.Request) {
			w.Header().Add("Content-Type", "application/json")
			w.Header().Add("Access-Control-Allow-Origin", "*")
			var u *config.User
			var err error

			s.pipeline.ViewConfig(func(conf *config.AppConfig) {
				u, err = authUser(conf.Provider(), r)
			})

			// handle error types
			if err == InvalidSessionToken {
				http.Error(w, err.Error(), INVALID_SESSION_TOKEN)
				logrus.Error(err)
				return
			}

			if err == ExpiredSessionToken {
				http.Error(w, err.Error(), EXPIRED_SESSION_TOKEN)
				logrus.Error(err)
				return
			}

			if err != nil {
				if needs == config.READ {
					call(w, r)
					return
				}

				http.Error(w, err.Error(), http.StatusUnauthorized)
				logrus.Errorf("Permission Denied: %s", err.Error())
				return
			}

			// make sure we have at least the required permissions
			if u.Permissions < needs {
				http.Error(w, config.InsufficientPermissions(needs, u.Permissions).Error(), http.StatusForbidden)
				return
			}

			// if all is well, pass it on
			call(w, r)
		}
	}

	// else auth is not required
	return func(w http.ResponseWriter, r *http.Request) {
		w.Header().Add("Access-Control-Allow-Origin", "*")
		w.Header().Add("Content-Type", "application/json")
		call(w, r)
	}
}