102 lines
2.9 KiB
Go
102 lines
2.9 KiB
Go
package rbac
|
|
|
|
import (
|
|
"net/http"
|
|
|
|
"git.haelnorr.com/h/golib/cookies"
|
|
"git.haelnorr.com/h/golib/hws"
|
|
"git.haelnorr.com/h/oslstats/internal/db"
|
|
"git.haelnorr.com/h/oslstats/internal/permissions"
|
|
"git.haelnorr.com/h/oslstats/internal/roles"
|
|
)
|
|
|
|
// RequirePermission creates middleware that requires a specific permission
|
|
func (c *Checker) RequirePermission(server *hws.Server, permission permissions.Permission) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
user := db.CurrentUser(r.Context())
|
|
if user == nil {
|
|
// Not logged in - redirect to login with page_from
|
|
cookies.SetPageFrom(w, r, r.URL.Path)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
has, err := c.UserHasPermission(r.Context(), user, permission)
|
|
if err != nil {
|
|
// Log error and return 500
|
|
server.ThrowError(w, r, hws.HWSError{
|
|
StatusCode: http.StatusInternalServerError,
|
|
Message: "Permission check failed",
|
|
Error: err,
|
|
Level: hws.ErrorERROR,
|
|
RenderErrorPage: true,
|
|
})
|
|
return
|
|
}
|
|
|
|
if !has {
|
|
// User lacks permission - return 403
|
|
server.ThrowError(w, r, hws.HWSError{
|
|
StatusCode: http.StatusForbidden,
|
|
Message: "You don't have permission to access this resource",
|
|
Error: nil,
|
|
Level: hws.ErrorDEBUG,
|
|
RenderErrorPage: true,
|
|
})
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// RequireRole creates middleware that requires a specific role
|
|
func (c *Checker) RequireRole(server *hws.Server, role roles.Role) func(http.Handler) http.Handler {
|
|
return func(next http.Handler) http.Handler {
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
user := db.CurrentUser(r.Context())
|
|
if user == nil {
|
|
// Not logged in - redirect to login
|
|
cookies.SetPageFrom(w, r, r.URL.Path)
|
|
http.Redirect(w, r, "/login", http.StatusSeeOther)
|
|
return
|
|
}
|
|
|
|
has, err := c.UserHasRole(r.Context(), user, role)
|
|
if err != nil {
|
|
// Log error and return 500
|
|
hwserr := hws.HWSError{
|
|
StatusCode: http.StatusInternalServerError,
|
|
Message: "Role check failed",
|
|
Error: err,
|
|
Level: hws.ErrorERROR,
|
|
RenderErrorPage: true,
|
|
}
|
|
server.ThrowError(w, r, hwserr)
|
|
return
|
|
}
|
|
|
|
if !has {
|
|
// User lacks role - return 403
|
|
server.ThrowError(w, r, hws.HWSError{
|
|
StatusCode: http.StatusForbidden,
|
|
Message: "You don't have the required role to access this resource",
|
|
Error: nil,
|
|
Level: hws.ErrorDEBUG,
|
|
RenderErrorPage: true,
|
|
})
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
}
|
|
|
|
// RequireAdmin is a convenience middleware for admin-only routes
|
|
func (c *Checker) RequireAdmin(server *hws.Server) func(http.Handler) http.Handler {
|
|
return c.RequireRole(server, roles.Admin)
|
|
}
|