From 1bd832f8397eea49ba30442a023cde453701deea Mon Sep 17 00:00:00 2001
From: Nathan Coad
Date: Thu, 11 Jan 2024 12:07:46 +1100
Subject: [PATCH] add checks for readonly access when update/delete secret

---
 controllers/storeSecrets.go | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/controllers/storeSecrets.go b/controllers/storeSecrets.go
index e0a5c98..9426710 100644
--- a/controllers/storeSecrets.go
+++ b/controllers/storeSecrets.go
@@ -294,6 +294,14 @@ func UpdateSecret(c *gin.Context) {
 // Update secret
 //log.Printf("secretList[0]: %v\n", secretList[0])
 
+ // Check for readonly access
+ if secretList[0].Permission.ReadOnly {
+ errString := "read-only access unable to update secret"
+ log.Printf("UpdateSecret %s\n", errString)
+ c.JSON(http.StatusBadRequest, gin.H{"error": errString})
+ return
+ }
+
 s.SecretId = secretList[0].SecretId
 
 // check for empty fields in the update request and update from the existing record
@@ -373,6 +381,14 @@ func DeleteSecret(c *gin.Context) {
 // Delete secret
 log.Printf("secretList[0]: %v\n", secretList[0])
 
+ // Check for readonly access
+ if secretList[0].Permission.ReadOnly {
+ errString := "read-only access unable to delete secret"
+ log.Printf("DeleteSecret %s\n", errString)
+ c.JSON(http.StatusBadRequest, gin.H{"error": errString})
+ return
+ }
+
 s.SecretId = secretList[0].SecretId
 
 // check for empty fields in the update request and update from the existing record
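Review bot: The read-only denial in the added block answers with `http.StatusBadRequest`, which reports an authorization failure as a malformed request; `c.JSON(http.StatusForbidden, gin.H{"error": errString})` would let clients and alerting tell the two apart. The same applies to the identical block added to DeleteSecret in the second hunk. The log line names neither the caller nor the secret, so a refused write cannot be attributed afterwards; including the identifier already in scope, e.g. `log.Printf("UpdateSecret denied: read-only access to secret %v\n", secretList[0].SecretId)`, would make the denial auditable. Whether `secretList` is checked for length before `secretList[0]` is indexed is not visible, since UpdateSecret's body starts and ends outside the hunk.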
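Review bot: The new read-only check sits after the context line `log.Printf("secretList[0]: %v\n", secretList[0])`, so a delete request that is about to be refused still writes the whole looked-up record to the log. If that struct carries the secret value (its definition is not visible here), secret material lands in the log on every attempt, including denied ones; UpdateSecret has the equivalent line commented out. Moving the check above the log call, or dropping the record dump, would avoid this. DeleteSecret's body starts and ends outside the hunk.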