admin page updates
This commit is contained in:
@@ -14,7 +14,7 @@ import (
|
||||
)
|
||||
|
||||
// LoadPermissionsMiddleware loads user permissions into context after authentication
|
||||
// MUST run AFTER auth.Authenticate() middleware
|
||||
// MUST run AFTER auth.Authenticate() middleware and LoadPreviewRoleMiddleware
|
||||
func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
@@ -34,17 +34,38 @@ func (c *Checker) LoadPermissionsMiddleware() hws.Middleware {
|
||||
return
|
||||
}
|
||||
|
||||
// Check if we're in preview mode
|
||||
previewRole := contexts.GetPreviewRole(r.Context())
|
||||
|
||||
var roles_ []*db.Role
|
||||
var perms []*db.Permission
|
||||
if err := db.WithTxFailSilently(r.Context(), c.conn, func(ctx context.Context, tx bun.Tx) error {
|
||||
var err error
|
||||
roles_, err = user.GetRoles(ctx, tx)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "user.GetRoles")
|
||||
}
|
||||
perms, err = user.GetPermissions(ctx, tx)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "user.GetPermissions")
|
||||
|
||||
if previewRole != nil {
|
||||
// In preview mode: use the preview role instead of user's roles
|
||||
role, err := db.GetRoleWithPermissions(ctx, tx, previewRole.ID)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "db.GetRoleWithPermissions")
|
||||
}
|
||||
if role != nil {
|
||||
roles_ = []*db.Role{role}
|
||||
// Convert []Permission to []*Permission
|
||||
perms = make([]*db.Permission, len(role.Permissions))
|
||||
for i := range role.Permissions {
|
||||
perms[i] = &role.Permissions[i]
|
||||
}
|
||||
}
|
||||
} else {
|
||||
// Normal mode: use user's actual roles and permissions
|
||||
roles_, err = user.GetRoles(ctx, tx)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "user.GetRoles")
|
||||
}
|
||||
perms, err = user.GetPermissions(ctx, tx)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "user.GetPermissions")
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}); err != nil {
|
||||
|
||||
@@ -33,6 +33,9 @@ func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permissi
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Check if we're in preview mode
|
||||
previewRole := contexts.GetPreviewRole(ctx)
|
||||
|
||||
// Try cache first
|
||||
cache := contexts.Permissions(ctx)
|
||||
if cache != nil {
|
||||
@@ -44,7 +47,14 @@ func (c *Checker) UserHasPermission(ctx context.Context, user *db.User, permissi
|
||||
}
|
||||
}
|
||||
|
||||
// Fallback to database
|
||||
// If in preview mode, DO NOT fallback to database - use ONLY preview role permissions
|
||||
// This ensures admins cannot bypass preview mode restrictions
|
||||
if previewRole != nil {
|
||||
// Not in cache and in preview mode = permission denied
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Not in preview mode: fallback to database for actual user permissions
|
||||
var has bool
|
||||
if err := db.WithTxFailSilently(ctx, c.conn, func(ctx context.Context, tx bun.Tx) error {
|
||||
var err error
|
||||
@@ -65,6 +75,9 @@ func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Rol
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Check if we're in preview mode
|
||||
previewRole := contexts.GetPreviewRole(ctx)
|
||||
|
||||
cache := contexts.Permissions(ctx)
|
||||
if cache != nil {
|
||||
if has, exists := cache.Roles[role]; exists {
|
||||
@@ -72,13 +85,20 @@ func (c *Checker) UserHasRole(ctx context.Context, user *db.User, role roles.Rol
|
||||
}
|
||||
}
|
||||
|
||||
// Fallback to database
|
||||
// If in preview mode, DO NOT fallback to database - use ONLY preview role
|
||||
// This ensures admins cannot bypass preview mode restrictions
|
||||
if previewRole != nil {
|
||||
// Not in cache and in preview mode = role not assigned
|
||||
return false, nil
|
||||
}
|
||||
|
||||
// Not in preview mode: fallback to database for actual user roles
|
||||
var has bool
|
||||
if err := db.WithTxFailSilently(ctx, c.conn, func(ctx context.Context, tx bun.Tx) error {
|
||||
var err error
|
||||
has, err = user.HasRole(ctx, tx, role)
|
||||
if err != nil {
|
||||
return errors.Wrap(err, "user.HasPermission")
|
||||
return errors.Wrap(err, "user.HasRole")
|
||||
}
|
||||
return nil
|
||||
}); err != nil {
|
||||
|
||||
96
internal/rbac/preview_middleware.go
Normal file
96
internal/rbac/preview_middleware.go
Normal file
@@ -0,0 +1,96 @@
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
"strconv"
|
||||
|
||||
"git.haelnorr.com/h/golib/hws"
|
||||
"git.haelnorr.com/h/oslstats/internal/contexts"
|
||||
"git.haelnorr.com/h/oslstats/internal/db"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/uptrace/bun"
|
||||
)
|
||||
|
||||
// LoadPreviewRoleMiddleware loads the preview role from the session cookie if present
|
||||
// and adds it to the request context. This must run after authentication but before
|
||||
// the RBAC cache middleware.
|
||||
func LoadPreviewRoleMiddleware(s *hws.Server, conn *bun.DB) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
// Check if there's a preview role in the cookie
|
||||
roleID := getPreviewRoleCookie(r)
|
||||
if roleID == 0 {
|
||||
// No preview role, continue normally
|
||||
next.ServeHTTP(w, r)
|
||||
return
|
||||
}
|
||||
|
||||
// Load the preview role from the database
|
||||
var previewRole *db.Role
|
||||
if ok := db.WithReadTx(s, w, r, conn, func(ctx context.Context, tx bun.Tx) (bool, error) {
|
||||
var err error
|
||||
previewRole, err = db.GetRoleByID(ctx, tx, roleID)
|
||||
if err != nil {
|
||||
return false, errors.Wrap(err, "db.GetRoleByID")
|
||||
}
|
||||
if previewRole == nil {
|
||||
// Role doesn't exist anymore, clear the cookie
|
||||
ClearPreviewRoleCookie(w)
|
||||
return true, nil
|
||||
}
|
||||
return true, nil
|
||||
}); !ok {
|
||||
return
|
||||
}
|
||||
|
||||
// If role was found, add it to context
|
||||
if previewRole != nil {
|
||||
ctx := contexts.WithPreviewRole(r.Context(), previewRole)
|
||||
r = r.WithContext(ctx)
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
// SetPreviewRoleCookie sets the preview role ID in a session cookie
|
||||
func SetPreviewRoleCookie(w http.ResponseWriter, roleID int, ssl bool) {
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "preview_role",
|
||||
Value: strconv.Itoa(roleID),
|
||||
Path: "/",
|
||||
MaxAge: 0, // Session cookie - expires when browser closes or session times out
|
||||
HttpOnly: true,
|
||||
Secure: ssl,
|
||||
SameSite: http.SameSiteLaxMode,
|
||||
})
|
||||
}
|
||||
|
||||
// getPreviewRoleCookie retrieves the preview role ID from the cookie
|
||||
// Returns 0 if not present or invalid
|
||||
func getPreviewRoleCookie(r *http.Request) int {
|
||||
if r == nil {
|
||||
return 0
|
||||
}
|
||||
cookie, err := r.Cookie("preview_role")
|
||||
if err != nil {
|
||||
return 0
|
||||
}
|
||||
roleID, err := strconv.Atoi(cookie.Value)
|
||||
if err != nil {
|
||||
return 0
|
||||
}
|
||||
return roleID
|
||||
}
|
||||
|
||||
// ClearPreviewRoleCookie removes the preview role cookie
|
||||
func ClearPreviewRoleCookie(w http.ResponseWriter) {
|
||||
http.SetCookie(w, &http.Cookie{
|
||||
Name: "preview_role",
|
||||
Value: "",
|
||||
Path: "/",
|
||||
MaxAge: -1,
|
||||
})
|
||||
}
|
||||
@@ -1,6 +1,7 @@
|
||||
package rbac
|
||||
|
||||
import (
|
||||
"context"
|
||||
"net/http"
|
||||
|
||||
"git.haelnorr.com/h/golib/cookies"
|
||||
@@ -10,6 +11,7 @@ import (
|
||||
"git.haelnorr.com/h/oslstats/internal/roles"
|
||||
"git.haelnorr.com/h/oslstats/internal/throw"
|
||||
"github.com/pkg/errors"
|
||||
"github.com/uptrace/bun"
|
||||
)
|
||||
|
||||
// RequirePermission creates middleware that requires a specific permission
|
||||
@@ -72,3 +74,39 @@ func (c *Checker) RequireRole(s *hws.Server, role roles.Role) func(http.Handler)
|
||||
func (c *Checker) RequireAdmin(server *hws.Server) func(http.Handler) http.Handler {
|
||||
return c.RequireRole(server, roles.Admin)
|
||||
}
|
||||
|
||||
// RequireActualAdmin checks if the user's ACTUAL role is admin, ignoring preview mode
|
||||
// This is used for critical operations like stopping preview mode
|
||||
func (c *Checker) RequireActualAdmin(s *hws.Server) func(http.Handler) http.Handler {
|
||||
return func(next http.Handler) http.Handler {
|
||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||
user := db.CurrentUser(r.Context())
|
||||
if user == nil {
|
||||
// Not logged in - redirect to login
|
||||
cookies.SetPageFrom(w, r, r.URL.Path)
|
||||
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
||||
return
|
||||
}
|
||||
|
||||
// Check user's ACTUAL role in database, bypassing preview mode
|
||||
var hasAdmin bool
|
||||
if ok := db.WithReadTx(s, w, r, c.conn, func(ctx context.Context, tx bun.Tx) (bool, error) {
|
||||
var err error
|
||||
hasAdmin, err = user.HasRole(ctx, tx, roles.Admin)
|
||||
if err != nil {
|
||||
return false, errors.Wrap(err, "user.HasRole")
|
||||
}
|
||||
return true, nil
|
||||
}); !ok {
|
||||
return
|
||||
}
|
||||
|
||||
if !hasAdmin {
|
||||
throw.Forbidden(s, w, r, "You don't have the required role to access this resource", errors.New("missing admin role"))
|
||||
return
|
||||
}
|
||||
|
||||
next.ServeHTTP(w, r)
|
||||
})
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user