gravitl/netmaker
1
1
Fork 0
mirror of https://github.com/gravitl/netmaker.git synced 2024-09-20 07:16:06 +08:00
Code Issues Packages Projects Releases Wiki Activity

use new role id for user apis

Browse source
This commit is contained in:
abhishek9686 2024-07-07 13:19:46 +05:30
parent 34bcff2b1d
commit 78da9fa901
2 changed files with 28 additions and 11 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

30
controllers/user.go
View file

@ -786,22 +786,22 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
}
if !ismaster && !selfUpdate {
if caller.IsAdmin && user.IsSuperAdmin {
if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
return
}
if !caller.IsAdmin && !caller.IsSuperAdmin {
if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
return
}
if caller.IsAdmin && user.IsAdmin {
if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
return
}
if caller.IsAdmin && userchange.IsAdmin {
if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
err = errors.New("admin user cannot update role of an another user to admin")
slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
@ -810,7 +810,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
}
if !ismaster && selfUpdate {
if user.IsAdmin != userchange.IsAdmin || user.IsSuperAdmin != userchange.IsSuperAdmin {
if user.PlatformRoleID != userchange.PlatformRoleID {
slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
return
@ -818,7 +818,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
}
}
if ismaster {
if !user.IsSuperAdmin && userchange.IsSuperAdmin {
if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
return
@ -863,6 +863,12 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
if err != nil {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
}
callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
if err != nil {
slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
username := params["username"]
user, err := logic.GetUser(username)
if err != nil {
@ -871,14 +877,20 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
if user.IsSuperAdmin {
userRole, err := logic.GetRole(user.PlatformRoleID)
if err != nil {
slog.Error("failed to get role ", "role", userRole.ID, "error", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
if userRole.ID == models.SuperAdminRole {
slog.Error(
"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"))
return
}
if !caller.IsSuperAdmin {
if caller.IsAdmin && user.IsAdmin {
if callerUserRole.ID != models.SuperAdminRole {
if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
slog.Error(
"failed to delete user: ", "user", username, "error", "admin cannot delete another admin user, including oneself")
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("admin cannot delete another admin user, including oneself"), "internal"))

9
logic/auth.go
View file

@ -235,7 +235,7 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
user.Password = userchange.Password
}
user.IsAdmin = userchange.IsAdmin
user.PlatformRoleID = userchange.PlatformRoleID
err := ValidateUser(user)
if err != nil {
@ -259,12 +259,17 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
// ValidateUser - validates a user model
func ValidateUser(user *models.User) error {
// check if role is valid
_, err := GetRole(user.PlatformRoleID)
if err != nil {
return err
}
v := validator.New()
_ = v.RegisterValidation("in_charset", func(fl validator.FieldLevel) bool {
isgood := user.NameInCharSet()
return isgood
})
err := v.Struct(user)
err = v.Struct(user)
if err != nil {
for _, e := range err.(validator.ValidationErrors) {