Re-enable auth requirements for all resources

parent 36469fde
......@@ -27,7 +27,7 @@ func (r *BudgetResource) DeleteParams() []*restful.Parameter {
// Post processes an incoming POST (create) request
func (r *BudgetResource) Delete(context smolder.APIContext, request *restful.Request, response *restful.Response) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.Budget).ID != 1 {
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
......
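Review bot: The admin test on the new line `auth.(db.User).ID != 1` encodes the admin role as the literal user ID 1, and the same literal is repeated in every handler this commit touches, so the policy depends on row ordering in the users table and has to be changed in many places. A single helper in the db package such as `func isAdmin(u db.User) bool { return u.ID == 1 }` would keep the rule in one spot and make a later move to a role flag a one-line change. Separately, the doc comment above this method still reads `// Post processes an incoming POST (create) request` although the method is `Delete`; it should read `// Delete processes an incoming DELETE request`. Delete's body continues past the hunk.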
......@@ -39,7 +39,7 @@ func (r *BudgetResource) PostParams() []*restful.Parameter {
// Post processes an incoming POST (create) request
func (r *BudgetResource) Post(context smolder.APIContext, data interface{}, request *restful.Request, response *restful.Response) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.Budget).ID != 1 {
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
......
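Review bot: The new check answers with `http.StatusUnauthorized` both when `context.Authentication` fails and when the caller is authenticated but is not user 1; the second case is an authorization failure and should be `http.StatusForbidden`, since 401 tells a client to retry with different credentials. Splitting the two cases — `if err != nil { … http.StatusUnauthorized … }` followed by `if auth.(db.User).ID != 1 { … http.StatusForbidden … }` — also keeps the real authentication error out of the response sent to a properly logged-in non-admin. Post's body continues past the hunk.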
......@@ -17,7 +17,7 @@ type PaymentPutStruct struct {
// PutAuthRequired returns true because all requests need authentication
func (r *PaymentResource) PutAuthRequired() bool {
return false
return true
}
// PutDoc returns the description of this API endpoint
......@@ -32,6 +32,15 @@ func (r *PaymentResource) PutParams() []*restful.Parameter {
// Put processes an incoming PUT (update) request
func (r *PaymentResource) Put(context smolder.APIContext, data interface{}, request *restful.Request, response *restful.Response) {
auth, err := context.Authentication(request)
if err != nil || (auth.(db.User).ID != 1) { // && auth.(db.User).ID != project.UserID) {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
"PaymentResource PUT"))
return
}
ctx := context.(*db.APIContext)
resp := PaymentResponse{}
resp.Init(context)
......@@ -44,16 +53,6 @@ func (r *PaymentResource) Put(context smolder.APIContext, data interface{}, requ
return
}
/* auth, err := context.Authentication(request)
if err != nil || (auth.(db.User).ID != 1 && auth.(db.User).ID != project.UserID) {
smolder.ErrorResponseHandler(request, response, smolder.NewErrorResponse(
http.StatusUnauthorized,
false,
"Admin permission required for this operation",
"ProjectResource PUT"))
return
} */
pps := data.(*PaymentPostStruct)
payment.Code = pps.Payment.Code
payment.Pending = pps.Payment.Pending
......
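Review bot: The new guard `if err != nil || (auth.(db.User).ID != 1) { // && auth.(db.User).ID != project.UserID) {` carries a commented-out owner condition that reads like unfinished intent, and `project` is not loaded at that point in the handler, so a reader cannot tell whether admin-only is the decision or a stopgap. Replace the trailing fragment with an explicit note, e.g. `// TODO: also allow the owning project's user (project.UserID) once the project is loaded before this check; admin-only for now`, so the restriction is documented as deliberate. The old commented-out block removed further down was the earlier form of that same owner rule, which suggests the owner case was meant to come back. Put's body runs past the hunk.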
......@@ -45,7 +45,7 @@ func (r *ProjectResource) PostParams() []*restful.Parameter {
// Post processes an incoming POST (create) request
func (r *ProjectResource) Post(context smolder.APIContext, data interface{}, request *restful.Request, response *restful.Response) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.Project).ID != 1 {
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
......
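Review bot: `auth.(db.User)` on the new line is a single-value type assertion, so if `context.Authentication` ever returns a nil `auth` together with a nil error, or a `*db.User` rather than a `db.User`, the handler panics instead of rejecting the request. The two-value form fails closed: `user, ok := auth.(db.User)` followed by `if err != nil || !ok || user.ID != 1 {`. The same single-value assertion is used in each handler this commit touches, so the change applies across the commit. Post's body continues past the hunk.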
package searches
import (
"net/http"
"gitlab.techcultivation.org/sangha/sangha/db"
"github.com/emicklei/go-restful"
......@@ -9,7 +11,7 @@ import (
// GetAuthRequired returns true because all requests need authentication
func (r *SearchesResource) GetAuthRequired() bool {
return false
return true
}
// GetByIDsAuthRequired returns true because all requests need authentication
......@@ -49,6 +51,15 @@ func (r *SearchesResource) GetByIDs(context smolder.APIContext, request *restful
// Get sends out items matching the query parameters
func (r *SearchesResource) Get(context smolder.APIContext, request *restful.Request, response *restful.Response, params map[string][]string) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
"SearchesResource GET"))
return
}
resp := SearchResponse{}
resp.Init(context)
......
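Review bot: With `GetAuthRequired` flipped to true and the in-handler check `auth.(db.User).ID != 1`, search is restricted to user 1 rather than to any authenticated user, which is a larger change than the commit title suggests; if ordinary users are expected to search, the condition should be `err != nil` alone. `GetByIDsAuthRequired`, whose doc comment appears just below the first hunk, has its return value outside the visible lines; if it still returns false, individual results stay reachable by ID without credentials. A one-line comment above the check, `// Search is admin-only; any other caller gets 401.`, would record the decision either way. Get's body continues past the hunk.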
package statistics
import (
"net/http"
"gitlab.techcultivation.org/sangha/sangha/db"
"github.com/emicklei/go-restful"
......@@ -9,7 +11,7 @@ import (
// GetAuthRequired returns true because all requests need authentication
func (r *StatisticsResource) GetAuthRequired() bool {
return false
return true
}
// GetByIDsAuthRequired returns true because all requests need authentication
......@@ -33,6 +35,15 @@ func (r *StatisticsResource) GetParams() []*restful.Parameter {
// Get sends out items matching the query parameters
func (r *StatisticsResource) Get(context smolder.APIContext, request *restful.Request, response *restful.Response, params map[string][]string) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
"StatisticsResource GET"))
return
}
resp := StatisticsResponse{}
resp.Init(context)
......
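Review bot: The eight-line admin block inserted above `resp := StatisticsResponse{}` is copied verbatim into every handler in this commit, differing only in the label string, which makes it easy for the next handler that flips its `*AuthRequired` flag to forget the in-handler check. A shared helper with the signature `func requireAdmin(context smolder.APIContext, request *restful.Request, response *restful.Response, where string) bool` lets each handler shrink to `if !requireAdmin(context, request, response, "StatisticsResource GET") { return }` and keeps the admin rule in one place. The helper can also take the two-value assertion so a non-`db.User` principal fails closed instead of panicking. Get's body continues past the hunk.

```go
// requireAdmin writes a 401 and returns false unless the request is
// authenticated as the admin user (ID 1); where labels the response.
func requireAdmin(context smolder.APIContext, request *restful.Request, response *restful.Response, where string) bool {
	auth, err := context.Authentication(request)
	user, ok := auth.(db.User)
	if err != nil || !ok || user.ID != 1 {
		smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
			http.StatusUnauthorized,
			"Admin permission required for this operation",
			where))
		return false
	}
	return true
}

func (r *StatisticsResource) Get(context smolder.APIContext, request *restful.Request, response *restful.Response, params map[string][]string) {
	if !requireAdmin(context, request, response, "StatisticsResource GET") {
		return
	}
	// … unchanged: response assembly …
```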
......@@ -14,7 +14,7 @@ import (
// GetAuthRequired returns true because all requests need authentication
func (r *TransactionResource) GetAuthRequired() bool {
return false
return true
}
// GetByIDsAuthRequired returns true because all requests need authentication
......@@ -45,6 +45,15 @@ func (r *TransactionResource) GetParams() []*restful.Parameter {
// GetByIDs sends out all items matching a set of IDs
func (r *TransactionResource) GetByIDs(context smolder.APIContext, request *restful.Request, response *restful.Response, ids []string) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
"TransactionResource GET"))
return
}
resp := TransactionResponse{}
resp.Init(context)
......@@ -64,11 +73,19 @@ func (r *TransactionResource) GetByIDs(context smolder.APIContext, request *rest
// Get sends out items matching the query parameters
func (r *TransactionResource) Get(context smolder.APIContext, request *restful.Request, response *restful.Response, params map[string][]string) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
"TransactionResource GET"))
return
}
ctx := context.(*db.APIContext)
resp := TransactionResponse{}
resp.Init(context)
var err error
var transactions []db.Transaction
if len(params["project"]) > 0 {
......
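Review bot: In `Get`, the new `auth, err := context.Authentication(request)` declares `err` at function scope, and the retained `var err error` a few lines below redeclares it in what appears to be the same block, which Go rejects with "err redeclared in this block"; the flattened rendering hides indentation, so this holds unless that `var` sits inside a nested block. Drop the `var err error` line and reuse the `err` from the authentication call, or rename the first declaration to `authErr`. `GetByIDs` in the earlier hunk shows no such collision in its visible lines. Both method bodies continue past their hunks.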
......@@ -38,6 +38,15 @@ func (r *TransactionResource) PostParams() []*restful.Parameter {
// Post processes an incoming POST (create) request
func (r *TransactionResource) Post(context smolder.APIContext, data interface{}, request *restful.Request, response *restful.Response) {
auth, err := context.Authentication(request)
if err != nil || auth.(db.User).ID != 1 {
smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Admin permission required for this operation",
"TransactionResource POST"))
return
}
ctx := context.(*db.APIContext)
ups := data.(*TransactionPostStruct)
log.Printf("Got transaction request: %+v\n", ups)
......
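Review bot: The admin check now sits ahead of `ctx := context.(*db.APIContext)`, but the surviving `log.Printf("Got transaction request: %+v\n", ups)` still prints the whole decoded payload; that line predates this commit, yet because this endpoint creates financial transactions, `%+v` on the full struct may write payment codes or personal fields into the logs. Logging only the identifiers the handler needs, e.g. `log.Printf("Got transaction request for project %v", ups.Transaction.ProjectID)`, avoids that; the struct's fields are outside the visible lines, so adapt the expression to what `TransactionPostStruct` actually carries. Post's body continues past the hunk.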
......@@ -17,7 +17,7 @@ type TransactionPutStruct struct {
// PutAuthRequired returns true because all requests need authentication
func (r *TransactionResource) PutAuthRequired() bool {
return false
return true
}
// PutDoc returns the description of this API endpoint
......
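Review bot: This file only flips `PutAuthRequired` to true; unlike the Post and Get handlers in this commit, no in-handler admin check is visible for `Put`, so if the rest of the file has none, any authenticated user can update a transaction while creating one requires user 1. The `Put` method itself is outside the hunk, so this needs confirming against the file; if the check is missing, the same `auth, err := context.Authentication(request)` / `auth.(db.User).ID != 1` guard used in Post belongs at the top of Put.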
......@@ -37,7 +37,16 @@ func (r *UserResource) GetByIDs(context smolder.APIContext, request *restful.Req
resp := UserResponse{}
resp.Init(context)
auth, _ := context.Authentication(request)
for _, id := range ids {
if auth == nil || (auth.(db.User).ID != 1 && auth.(db.User).UUID != id) {
smolder.ErrorResponseHandler(request, response, nil, smolder.NewErrorResponse(
http.StatusUnauthorized,
"Auth permission required for this operation",
"UserResource GET"))
return
}
user, err := context.(*db.APIContext).GetUserByUUID(id)
if err != nil {
r.NotFound(request, response)
......
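Review bot: `auth, _ := context.Authentication(request)` discards the authentication error and then relies on `auth == nil` before a single-value `auth.(db.User)` assertion inside the loop; a non-nil `auth` of another concrete type (or a typed nil) panics rather than failing closed, and the `nil` handed to `smolder.ErrorResponseHandler` loses the cause of the rejection. Keep the error, do the assertion once with the two-value form before the loop, and pass the error through, as below. As in the other handlers, the authenticated-but-not-permitted case would be more accurate as `http.StatusForbidden`. GetByIDs's body continues past the hunk.

```go
auth, err := context.Authentication(request)
user, ok := auth.(db.User)
for _, id := range ids {
	if err != nil || !ok || (user.ID != 1 && user.UUID != id) {
		smolder.ErrorResponseHandler(request, response, err, smolder.NewErrorResponse(
			// … unchanged: status, message, "UserResource GET" label, return …
```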