This commit is contained in:
@@ -111,6 +111,23 @@ func StoreSecret(c *gin.Context) {
|
||||
|
||||
// CheckUpdateSecretAllowed checks to see if a user has access to the specified secret. If so, the corresponding SafeId is returned
|
||||
func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
|
||||
|
||||
// If user has Admin access then perform update
|
||||
// If user has normal access to the safe the secret is stored in then perform update
|
||||
// If matching secret is found in multiple safes then generate error
|
||||
// If user doesn't have access to the safe the matching secret is in then generate error
|
||||
|
||||
// NO. That is too complicated!
|
||||
|
||||
// Lets try to make this more simple
|
||||
// A user can only be in one group
|
||||
// A group can have permissions on multiple safes
|
||||
|
||||
// If a user is an admin they can do user related functions like create users, groups, assign permissions
|
||||
// But a user has to have a permission that maps the group to the safe in order to perform CRUD operations
|
||||
|
||||
// What does a group being an admin give them? All users in that group can do user related function
|
||||
|
||||
// Query all safes for secrets matching parameters specified
|
||||
matchingSecrets, err := models.SecretsSearchAllSafes(s)
|
||||
if err != nil {
|
||||
@@ -133,14 +150,7 @@ func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
|
||||
return 0, errors.New(errString)
|
||||
} else if len(matchingSecrets) == 1 {
|
||||
log.Printf("CheckUpdateSecretAllowed found a single matching secret :\n'%+v'\n", matchingSecrets[0])
|
||||
// Check if user is admin
|
||||
for _, val := range userSafes {
|
||||
if val.User.Admin || val.AdminGroup {
|
||||
return matchingSecrets[0].SafeId, nil
|
||||
}
|
||||
}
|
||||
|
||||
// If we reach here then user is not admin
|
||||
// Check to see user is allowed to access the safe holding the secret
|
||||
for _, secret := range matchingSecrets {
|
||||
for _, user := range userSafes {
|
||||
@@ -167,19 +177,6 @@ func CheckUpdateSecretAllowed(s *models.Secret, user_id int) (int, error) {
|
||||
return 0, errors.New(errString)
|
||||
}
|
||||
}
|
||||
|
||||
if user.User.Admin || user.AdminGroup {
|
||||
log.Printf("CheckUpdateSecretAllowed found user to be admin, assuming SafeId '%d'\n", user.SafeId)
|
||||
if !matchFound {
|
||||
matchFound = true
|
||||
matchingSafeId = user.SafeId
|
||||
} else {
|
||||
// Found more than one applicable secret, how do we know which one to update?
|
||||
errString := "CheckUpdateSecretAllowed found multiple secrets matching supplied parameters, supply more specific parameters"
|
||||
log.Println(errString)
|
||||
return 0, errors.New(errString)
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
@@ -213,11 +210,14 @@ func UpdateSecret(c *gin.Context) {
|
||||
}
|
||||
*/
|
||||
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
/*
|
||||
user_id, err := token.ExtractTokenID(c)
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": "error determining user"})
|
||||
return
|
||||
}
|
||||
*/
|
||||
user_id := c.GetInt("user-id")
|
||||
|
||||
// Populate fields
|
||||
s := models.Secret{}
|
||||
@@ -226,6 +226,15 @@ func UpdateSecret(c *gin.Context) {
|
||||
s.DeviceName = input.DeviceName
|
||||
s.DeviceCategory = input.DeviceCategory
|
||||
|
||||
// TODO:
|
||||
// Get a list of matching secrets - SecretsSearchAllSafes
|
||||
//secretList, err := models.SecretsSearchAllSafes(&s)
|
||||
// Check if user has access to the safes containing those secrets - something like UserGetSafesAllowed but not quite
|
||||
//allowedSafes, err := models.UserGetSafesAllowed(user_id)
|
||||
// Make sure that the access is not readonly
|
||||
// If user has access to more than one safe containing the secret, generate an error
|
||||
// Otherwise, update the secret
|
||||
|
||||
allowedUpdate, err := CheckUpdateSecretAllowed(&s, int(user_id))
|
||||
if err != nil {
|
||||
c.JSON(http.StatusBadRequest, gin.H{"error": fmt.Sprintf("error determining secret : '%s'", err)})
|
||||
@@ -236,11 +245,6 @@ func UpdateSecret(c *gin.Context) {
|
||||
s.SafeId = allowedUpdate
|
||||
}
|
||||
|
||||
// If user has Admin access then perform update
|
||||
// If user has normal access to the safe the secret is stored in then perform update
|
||||
// If matching secret is found in multiple safes then generate error
|
||||
// If user doesn't have access to the safe the matching secret is in then generate error
|
||||
|
||||
// Query which safes the current user is allowed to access
|
||||
|
||||
/*
|
||||
@@ -319,10 +323,8 @@ func SecretCheckSafeAllowed(user_id int, input StoreInput) int {
|
||||
return safe.SafeId
|
||||
} else if input.SafeId > 0 && safe.SafeId == input.SafeId { // Safe specified by id
|
||||
return safe.SafeId
|
||||
} else if safe.User.Admin || safe.AdminGroup { // User has admin role so they're allowed this safe anyway
|
||||
return safe.SafeId
|
||||
} else {
|
||||
log.Printf("SecretCheckSafeAllowed ")
|
||||
log.Printf("SecretCheckSafeAllowed unexpected\n")
|
||||
}
|
||||
}
|
||||
|
||||
|
||||
Reference in New Issue
Block a user