fix: acl middleware

5617118f · boojack · fa93d0fd · 5617118f · 5617118f · 5617118f
Commit 5617118f authored Jul 28, 2022 by boojack
Show whitespace changes
Inline Side-by-side

Showing with 47 additions and 13 deletions

acl.go server/acl.go +7 -3

memo.go server/memo.go +12 -3

resource.go server/resource.go +16 -4

shortcut.go server/shortcut.go +4 -1

user.go server/user.go +8 -2

No files found.
--- a/server/acl.go
+++ b/server/acl.go
@@ -53,8 +53,12 @@ func removeUserSession(ctx echo.Context) error {

 func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 	return func(ctx echo.Context) error {
-		// Skip auth for some paths.
-		if common.HasPrefixes(ctx.Path(), "/api/auth", "/api/ping", "/api/status", "/api/user/:id") {
+		// Skip auth.
+		if common.HasPrefixes(ctx.Path(), "/api/auth") {
+			return next(ctx)
+		}
+
+		if common.HasPrefixes(ctx.Path(), "/api/ping", "/api/status", "/api/user/:id") && ctx.Request().Method == http.MethodGet {
 			return next(ctx)
 		}

@@ -104,7 +108,7 @@ func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {

 		userID := ctx.Get(getUserIDContextKey())
 		if userID == nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, "Missing userID in session")
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}

 		return next(ctx)

--- a/server/memo.go
+++ b/server/memo.go
@@ -15,7 +15,10 @@ import (

 func (s *Server) registerMemoRoutes(g *echo.Group) {
 	g.POST("/memo", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		memoCreate := &api.MemoCreate{
 			CreatorID: userID,
 		}
@@ -133,7 +136,10 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}

-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		memoOrganizerUpsert := &api.MemoOrganizerUpsert{
 			MemoID: memoID,
 			UserID: userID,
@@ -207,7 +213,10 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 	})

 	g.GET("/memo/amount", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		normalRowStatus := api.Normal
 		memoFind := &api.MemoFind{
 			CreatorID: &userID,

--- a/server/resource.go
+++ b/server/resource.go
@@ -14,7 +14,10 @@ import (

 func (s *Server) registerResourceRoutes(g *echo.Group) {
 	g.POST("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}

 		err := c.Request().ParseMultipartForm(64 << 20)
 		if err != nil {
@@ -61,7 +64,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 	})

 	g.GET("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			CreatorID: &userID,
 		}
@@ -83,7 +89,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}

-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			ID:        &resourceID,
 			CreatorID: &userID,
@@ -106,7 +115,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}

-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			ID:        &resourceID,
 			CreatorID: &userID,

--- a/server/shortcut.go
+++ b/server/shortcut.go
@@ -13,7 +13,10 @@ import (

 func (s *Server) registerShortcutRoutes(g *echo.Group) {
 	g.POST("/shortcut", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		shortcutCreate := &api.ShortcutCreate{
 			CreatorID: userID,
 		}

--- a/server/user.go
+++ b/server/user.go
@@ -108,7 +108,10 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
 		}
-		currentUserID := c.Get(getUserIDContextKey()).(int)
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		currentUser, err := s.Store.FindUser(&api.UserFind{
 			ID: &currentUserID,
 		})
@@ -156,7 +159,10 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 	})

 	g.DELETE("/user/:id", func(c echo.Context) error {
-		currentUserID := c.Get(getUserIDContextKey()).(int)
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		currentUser, err := s.Store.FindUser(&api.UserFind{
 			ID: &currentUserID,
 		})