
Commit 92f3aa8

authored
Add permissions checks to assignments (#173)
This commit adds permissions checks to role assignments. Rather than define new actions here, we just use the already-defined actions for role management. Signed-off-by: John Schaeffer <[email protected]>
1 parent 5a66391 commit 92f3aa8


1 file changed

+63
-6
lines changed


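--- a/internal/api/assignments.go
+++ b/internal/api/assignments.go
@@ -29,21 +29,40 @@ func (r *Router) assignmentCreate(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusBadRequest, "error parsing request body").SetInternal(err)
 	}
 
-	subjID, err := gidx.Parse(reqBody.SubjectID)
+	assigneeID, err := gidx.Parse(reqBody.SubjectID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, "error parsing subject ID").SetInternal(err)
 	}
 
-	subjResource, err := r.engine.NewResourceFromID(subjID)
+	assigneeResource, err := r.engine.NewResourceFromID(assigneeID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, "error creating resource").SetInternal(err)
 	}
 
+	subjectResource, err := r.currentSubject(c)
+	if err != nil {
+		return err
+	}
+
+	roleResource, err := r.engine.NewResourceFromID(roleID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "error getting resource").SetInternal(err)
+	}
+
+	resource, err := r.engine.GetRoleResource(ctx, roleResource, "")
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "error getting resource").SetInternal(err)
+	}
+
+	if err := r.checkActionWithResponse(ctx, subjectResource, actionRoleUpdate, resource); err != nil {
+		return err
+	}
+
 	role := types.Role{
 		ID: roleID,
 	}
 
-	_, err = r.engine.AssignSubjectRole(ctx, subjResource, role)
+	_, err = r.engine.AssignSubjectRole(ctx, assigneeResource, role)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, "error creating resource").SetInternal(err)
 	}
@@ -66,6 +85,25 @@ func (r *Router) assignmentsList(c echo.Context) error {
 	ctx, span := tracer.Start(c.Request().Context(), "api.assignmentCreate", trace.WithAttributes(attribute.String("role_id", roleIDStr)))
 	defer span.End()
 
+	subjectResource, err := r.currentSubject(c)
+	if err != nil {
+		return err
+	}
+
+	roleResource, err := r.engine.NewResourceFromID(roleID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "error getting resource").SetInternal(err)
+	}
+
+	resource, err := r.engine.GetRoleResource(ctx, roleResource, "")
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "error getting resource").SetInternal(err)
+	}
+
+	if err := r.checkActionWithResponse(ctx, subjectResource, actionRoleGet, resource); err != nil {
+		return err
+	}
+
 	role := types.Role{
 		ID: roleID,
 	}
@@ -110,21 +148,40 @@ func (r *Router) assignmentDelete(c echo.Context) error {
 		return echo.NewHTTPError(http.StatusBadRequest, "error parsing request body").SetInternal(err)
 	}
 
-	subjID, err := gidx.Parse(reqBody.SubjectID)
+	assigneeID, err := gidx.Parse(reqBody.SubjectID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, "error parsing subject ID").SetInternal(err)
 	}
 
-	subjResource, err := r.engine.NewResourceFromID(subjID)
+	assigneeResource, err := r.engine.NewResourceFromID(assigneeID)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusBadRequest, "error parsing resource type from subject").SetInternal(err)
 	}
 
+	subjectResource, err := r.currentSubject(c)
+	if err != nil {
+		return err
+	}
+
+	roleResource, err := r.engine.NewResourceFromID(roleID)
+	if err != nil {
+		return echo.NewHTTPError(http.StatusBadRequest, "error getting resource").SetInternal(err)
+	}
+
+	resource, err := r.engine.GetRoleResource(ctx, roleResource, "")
+	if err != nil {
+		return echo.NewHTTPError(http.StatusInternalServerError, "error getting resource").SetInternal(err)
+	}
+
+	if err := r.checkActionWithResponse(ctx, subjectResource, actionRoleUpdate, resource); err != nil {
+		return err
+	}
+
 	role := types.Role{
 		ID: roleID,
 	}
 
-	_, err = r.engine.UnassignSubjectRole(ctx, subjResource, role)
+	_, err = r.engine.UnassignSubjectRole(ctx, assigneeResource, role)
 	if err != nil {
 		return echo.NewHTTPError(http.StatusInternalServerError, "error deleting assignment").SetInternal(err)
 	}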
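Review bot: The permission check runs only after `GetRoleResource` has succeeded, and a lookup failure is answered with a 500 while a denied check presumably yields a 403 from `checkActionWithResponse`, so a caller with no rights on the role can still tell whether a role ID resolves before being refused; if `GetRoleResource` fails for unknown roles (inferred, not visible here) the lookup error should be collapsed into the same response the check produces, or the check should be attempted on the role resource itself before the parent lookup. The same four-step block (current subject, role resource, parent resource, action check) is pasted verbatim into all three handlers in this file, which is the kind of duplication that lets one handler drift out of sync with the others; a small helper shared by the three call sites keeps the ordering and response mapping in one place, as sketched below, assuming the `actionRole*` constants are plain strings — adjust the parameter type to match `checkActionWithResponse`. Separately, the pre-existing span name in `assignmentsList` is still `"api.assignmentCreate"`, which will mislabel list traces once this check starts producing denials there. The enclosing handler bodies begin and end outside the hunks.
```go
// authorizeRoleAction resolves the resource the role belongs to and checks that
// the calling subject may perform action on it; shared by the assignment handlers.
func (r *Router) authorizeRoleAction(ctx context.Context, c echo.Context, roleID gidx.PrefixedID, action string) error {
	subjectResource, err := r.currentSubject(c)
	if err != nil {
		return err
	}

	roleResource, err := r.engine.NewResourceFromID(roleID)
	if err != nil {
		return echo.NewHTTPError(http.StatusBadRequest, "error getting resource").SetInternal(err)
	}

	resource, err := r.engine.GetRoleResource(ctx, roleResource, "")
	if err != nil {
		// Answer a failed lookup the same way as a denied check so the
		// response does not reveal whether the role exists.
		return echo.NewHTTPError(http.StatusForbidden, "forbidden").SetInternal(err)
	}

	return r.checkActionWithResponse(ctx, subjectResource, action, resource)
}

// … unchanged: in assignmentCreate / assignmentDelete, replace the inline block with …
	if err := r.authorizeRoleAction(ctx, c, roleID, actionRoleUpdate); err != nil {
		return err
	}
```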
