rbac system first stage

2026-02-03 21:37:06 +11:00
parent 24bbc5337b
commit d2b1a252ea
38 changed files with 1966 additions and 114 deletions
--- a/internal/rbac/protection_middleware.go
+++ b/internal/rbac/protection_middleware.go
@@ -0,0 +1,101 @@
+package rbac
+
+import (
+	"net/http"
+
+	"git.haelnorr.com/h/golib/cookies"
+	"git.haelnorr.com/h/golib/hws"
+	"git.haelnorr.com/h/oslstats/internal/db"
+	"git.haelnorr.com/h/oslstats/internal/permissions"
+	"git.haelnorr.com/h/oslstats/internal/roles"
+)
+
+// RequirePermission creates middleware that requires a specific permission
+func (c *Checker) RequirePermission(server *hws.Server, permission permissions.Permission) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := db.CurrentUser(r.Context())
+			if user == nil {
+				// Not logged in - redirect to login with page_from
+				cookies.SetPageFrom(w, r, r.URL.Path)
+				http.Redirect(w, r, "/login", http.StatusSeeOther)
+				return
+			}
+
+			has, err := c.UserHasPermission(r.Context(), user, permission)
+			if err != nil {
+				// Log error and return 500
+				server.ThrowError(w, r, hws.HWSError{
+					StatusCode:      http.StatusInternalServerError,
+					Message:         "Permission check failed",
+					Error:           err,
+					Level:           hws.ErrorERROR,
+					RenderErrorPage: true,
+				})
+				return
+			}
+
+			if !has {
+				// User lacks permission - return 403
+				server.ThrowError(w, r, hws.HWSError{
+					StatusCode:      http.StatusForbidden,
+					Message:         "You don't have permission to access this resource",
+					Error:           nil,
+					Level:           hws.ErrorDEBUG,
+					RenderErrorPage: true,
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// RequireRole creates middleware that requires a specific role
+func (c *Checker) RequireRole(server *hws.Server, role roles.Role) func(http.Handler) http.Handler {
+	return func(next http.Handler) http.Handler {
+		return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+			user := db.CurrentUser(r.Context())
+			if user == nil {
+				// Not logged in - redirect to login
+				cookies.SetPageFrom(w, r, r.URL.Path)
+				http.Redirect(w, r, "/login", http.StatusSeeOther)
+				return
+			}
+
+			has, err := c.UserHasRole(r.Context(), user, role)
+			if err != nil {
+				// Log error and return 500
+				hwserr := hws.HWSError{
+					StatusCode:      http.StatusInternalServerError,
+					Message:         "Role check failed",
+					Error:           err,
+					Level:           hws.ErrorERROR,
+					RenderErrorPage: true,
+				}
+				server.ThrowError(w, r, hwserr)
+				return
+			}
+
+			if !has {
+				// User lacks role - return 403
+				server.ThrowError(w, r, hws.HWSError{
+					StatusCode:      http.StatusForbidden,
+					Message:         "You don't have the required role to access this resource",
+					Error:           nil,
+					Level:           hws.ErrorDEBUG,
+					RenderErrorPage: true,
+				})
+				return
+			}
+
+			next.ServeHTTP(w, r)
+		})
+	}
+}
+
+// RequireAdmin is a convenience middleware for admin-only routes
+func (c *Checker) RequireAdmin(server *hws.Server) func(http.Handler) http.Handler {
+	return c.RequireRole(server, roles.Admin)
+}