use new role id for user apis

This commit is contained in:
abhishek9686 2024-07-07 13:19:46 +05:30
parent 34bcff2b1d
commit 78da9fa901
2 changed files with 28 additions and 11 deletions


@ -786,22 +786,22 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
} }
if !ismaster && !selfUpdate { if !ismaster && !selfUpdate {
if caller.IsAdmin && user.IsSuperAdmin { if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.SuperAdminRole {
slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username) slog.Error("non-superadmin user", "caller", caller.UserName, "attempted to update superadmin user", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden")) logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
return return
} }
if !caller.IsAdmin && !caller.IsSuperAdmin { if caller.PlatformRoleID != models.AdminRole && caller.PlatformRoleID != models.SuperAdminRole {
slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username) slog.Error("operation not allowed", "caller", caller.UserName, "attempted to update user", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden")) logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("cannot update superadmin user"), "forbidden"))
return return
} }
if caller.IsAdmin && user.IsAdmin { if caller.PlatformRoleID == models.AdminRole && user.PlatformRoleID == models.AdminRole {
slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username) slog.Error("admin user cannot update another admin", "caller", caller.UserName, "attempted to update admin user", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden")) logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("admin user cannot update another admin"), "forbidden"))
return return
} }
if caller.IsAdmin && userchange.IsAdmin { if caller.PlatformRoleID == models.AdminRole && userchange.PlatformRoleID == models.AdminRole {
err = errors.New("admin user cannot update role of an another user to admin") err = errors.New("admin user cannot update role of an another user to admin")
slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err) slog.Error("failed to update user", "caller", caller.UserName, "attempted to update user", username, "error", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden")) logic.ReturnErrorResponse(w, r, logic.FormatError(err, "forbidden"))
@ -810,7 +810,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
} }
if !ismaster && selfUpdate { if !ismaster && selfUpdate {
if user.IsAdmin != userchange.IsAdmin || user.IsSuperAdmin != userchange.IsSuperAdmin { if user.PlatformRoleID != userchange.PlatformRoleID {
slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username) slog.Error("user cannot change his own role", "caller", caller.UserName, "attempted to update user role", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden")) logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("user not allowed to self assign role"), "forbidden"))
return return
@ -818,7 +818,7 @@ func updateUser(w http.ResponseWriter, r *http.Request) {
} }
} }
if ismaster { if ismaster {
if !user.IsSuperAdmin && userchange.IsSuperAdmin { if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {
slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username) slog.Error("operation not allowed", "caller", logic.MasterUser, "attempted to update user role to superadmin", username)
logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden")) logic.ReturnErrorResponse(w, r, logic.FormatError(errors.New("attempted to update user role to superadmin"), "forbidden"))
return return
@ -863,6 +863,12 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
} }
callerUserRole, err := logic.GetRole(caller.PlatformRoleID)
if err != nil {
slog.Error("failed to get role ", "role", callerUserRole.ID, "error", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
username := params["username"] username := params["username"]
user, err := logic.GetUser(username) user, err := logic.GetUser(username)
if err != nil { if err != nil {
@ -871,14 +877,20 @@ func deleteUser(w http.ResponseWriter, r *http.Request) {
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal")) logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return return
} }
if user.IsSuperAdmin { userRole, err := logic.GetRole(user.PlatformRoleID)
if err != nil {
slog.Error("failed to get role ", "role", userRole.ID, "error", err)
logic.ReturnErrorResponse(w, r, logic.FormatError(err, "internal"))
return
}
if userRole.ID == models.SuperAdminRole {
slog.Error( slog.Error(
"failed to delete user: ", "user", username, "error", "superadmin cannot be deleted") "failed to delete user: ", "user", username, "error", "superadmin cannot be deleted")
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal")) logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("superadmin cannot be deleted"), "internal"))
return return
} }
if !caller.IsSuperAdmin { if callerUserRole.ID != models.SuperAdminRole {
if caller.IsAdmin && user.IsAdmin { if callerUserRole.ID == models.AdminRole && userRole.ID == models.AdminRole {
slog.Error( slog.Error(
"failed to delete user: ", "user", username, "error", "admin cannot delete another admin user, including oneself") "failed to delete user: ", "user", username, "error", "admin cannot delete another admin user, including oneself")
logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("admin cannot delete another admin user, including oneself"), "internal")) logic.ReturnErrorResponse(w, r, logic.FormatError(fmt.Errorf("admin cannot delete another admin user, including oneself"), "internal"))
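Review bot: In the `!ismaster && !selfUpdate` branch of updateUser the only role-escalation check an admin caller hits is `userchange.PlatformRoleID == models.AdminRole`, so a request carrying `PlatformRoleID: models.SuperAdminRole` for a non-admin target passes every guard in the hunk and, now that `UpdateUser` copies `user.PlatformRoleID = userchange.PlatformRoleID` wholesale (the old code only ever propagated `IsAdmin`, never `IsSuperAdmin`), the target is promoted to superadmin. Unless a check outside these hunks covers it, the non-master path needs the same rule the master path already enforces: `if user.PlatformRoleID != models.SuperAdminRole && userchange.PlatformRoleID == models.SuperAdminRole {` returning the existing `"attempted to update user role to superadmin"` forbidden response. Separately, the two new `GetRole` error logs in deleteUser report `callerUserRole.ID` and `userRole.ID`, which are likely empty on the failure path; logging `caller.PlatformRoleID` and `user.PlatformRoleID` would name the role that could not be resolved. updateUser's body begins before the first hunk and deleteUser's continues past the last one, so additional guards there are not visible here.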


@ -235,7 +235,7 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
user.Password = userchange.Password user.Password = userchange.Password
} }
user.IsAdmin = userchange.IsAdmin user.PlatformRoleID = userchange.PlatformRoleID
err := ValidateUser(user) err := ValidateUser(user)
if err != nil { if err != nil {
@ -259,12 +259,17 @@ func UpdateUser(userchange, user *models.User) (*models.User, error) {
// ValidateUser - validates a user model // ValidateUser - validates a user model
func ValidateUser(user *models.User) error { func ValidateUser(user *models.User) error {
// check if role is valid
_, err := GetRole(user.PlatformRoleID)
if err != nil {
return err
}
v := validator.New() v := validator.New()
_ = v.RegisterValidation("in_charset", func(fl validator.FieldLevel) bool { _ = v.RegisterValidation("in_charset", func(fl validator.FieldLevel) bool {
isgood := user.NameInCharSet() isgood := user.NameInCharSet()
return isgood return isgood
}) })
err := v.Struct(user) err = v.Struct(user)
if err != nil { if err != nil {
for _, e := range err.(validator.ValidationErrors) { for _, e := range err.(validator.ValidationErrors) {