diff --git a/server/acl.go b/server/acl.go
index 97ab517b..82d47b2a 100644
--- a/server/acl.go
+++ b/server/acl.go
@@ -53,8 +53,12 @@ func removeUserSession(ctx echo.Context) error {
 
 func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 	return func(ctx echo.Context) error {
-		// Skip auth for some paths.
-		if common.HasPrefixes(ctx.Path(), "/api/auth", "/api/ping", "/api/status", "/api/user/:id") {
+		// Skip auth.
+		if common.HasPrefixes(ctx.Path(), "/api/auth") {
+			return next(ctx)
+		}
+
+		if common.HasPrefixes(ctx.Path(), "/api/ping", "/api/status", "/api/user/:id") && ctx.Request().Method == http.MethodGet {
 			return next(ctx)
 		}
 
@@ -104,7 +108,7 @@ func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 
 		userID := ctx.Get(getUserIDContextKey())
 		if userID == nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, "Missing userID in session")
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 
 		return next(ctx)
diff --git a/server/memo.go b/server/memo.go
index 8c49c872..62b90586 100644
--- a/server/memo.go
+++ b/server/memo.go
@@ -15,7 +15,10 @@ import (
 
 func (s *Server) registerMemoRoutes(g *echo.Group) {
 	g.POST("/memo", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		memoCreate := &api.MemoCreate{
 			CreatorID: userID,
 		}
@@ -133,7 +136,10 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}
 
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		memoOrganizerUpsert := &api.MemoOrganizerUpsert{
 			MemoID: memoID,
 			UserID: userID,
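Review bot: The `/api/auth` exemption on the new first branch is still a prefix match, so any route registered later whose pattern happens to start with `/api/auth` — and, on the GET branch, anything registered under `/api/user/:id` if such sub-routes exist — would be served without a session and without anyone touching this middleware; an allowlist that is meant to fail closed should compare `ctx.Path()` for equality against the exact public route patterns rather than prefixes. The split itself is an improvement, since only GET is now exempt for ping, status and user lookup and mutating verbs on those paths fall through to the session check. The new comment `// Skip auth.` drops the explanation the old one carried; suggest `// Public routes: every /api/auth handler, plus read-only (GET) access to ping, status and user lookup; everything else needs a session.` aclMiddleware's body continues past the end of the hunk.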
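Review bot: The four-line `userID, ok := …; if !ok { return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session") }` block added here is repeated verbatim in memo.go @@ -133 and @@ -207, resource.go @@ -14, @@ -61, @@ -83 and @@ -106, shortcut.go @@ -13 and user.go @@ -108 and @@ -156, and the status and message are duplicated a tenth time from the middleware in acl.go; one helper keeps the response consistent across handlers and means a later change (a different status, logging the failure) happens in one place. The change itself is right — the previous unchecked `.(int)` assertion would have panicked on a request that reached the handler without a session, so a 401 is the correct replacement. The enclosing registerMemoRoutes runs past both ends of the hunk.

```go
// userIDFromContext returns the user ID the ACL middleware stored on the
// request context, or a 401 HTTPError when it is absent or not an int.
func userIDFromContext(c echo.Context) (int, error) {
	userID, ok := c.Get(getUserIDContextKey()).(int)
	if !ok {
		return 0, echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
	}
	return userID, nil
}

// … in each handler, replacing the four added lines …
userID, err := userIDFromContext(c)
if err != nil {
	return err
}
// … unchanged: memoCreate construction …
```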
@@ -207,7 +213,10 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 	})
 
 	g.GET("/memo/amount", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		normalRowStatus := api.Normal
 		memoFind := &api.MemoFind{
 			CreatorID: &userID,
diff --git a/server/resource.go b/server/resource.go
index 9a1140d0..41298668 100644
--- a/server/resource.go
+++ b/server/resource.go
@@ -14,7 +14,10 @@ import (
 
 func (s *Server) registerResourceRoutes(g *echo.Group) {
 	g.POST("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 
 		err := c.Request().ParseMultipartForm(64 << 20)
 		if err != nil {
@@ -61,7 +64,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 	})
 
 	g.GET("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			CreatorID: &userID,
 		}
@@ -83,7 +89,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}
 
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			ID: &resourceID,
 			CreatorID: &userID,
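Review bot: Checking the session before `c.Request().ParseMultipartForm(64 << 20)` in the POST /resource handler is the right order — an anonymous request can no longer make the server buffer a multipart body — but the `64 << 20` argument caps only what is held in memory, not the size of the upload, so unless a body-size limit is applied elsewhere (not visible in this hunk) an authenticated user can still submit an arbitrarily large file. If no such limit exists, wrapping the body before parsing, e.g. `c.Request().Body = http.MaxBytesReader(c.Response(), c.Request().Body, maxUploadBytes)`, bounds it; `maxUploadBytes` here stands for whatever limit the project chooses. The handler closure continues outside the hunk.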
@@ -106,7 +115,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}
 
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		resourceFind := &api.ResourceFind{
 			ID: &resourceID,
 			CreatorID: &userID,
diff --git a/server/shortcut.go b/server/shortcut.go
index 3a8acb05..fab14e89 100644
--- a/server/shortcut.go
+++ b/server/shortcut.go
@@ -13,7 +13,10 @@ import (
 
 func (s *Server) registerShortcutRoutes(g *echo.Group) {
 	g.POST("/shortcut", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		shortcutCreate := &api.ShortcutCreate{
 			CreatorID: userID,
 		}
diff --git a/server/user.go b/server/user.go
index 5df2793e..4e499cbe 100644
--- a/server/user.go
+++ b/server/user.go
@@ -108,7 +108,10 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
 		}
-		currentUserID := c.Get(getUserIDContextKey()).(int)
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		currentUser, err := s.Store.FindUser(&api.UserFind{
 			ID: ¤tUserID,
 		})
@@ -156,7 +159,10 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 	})
 
 	g.DELETE("/user/:id", func(c echo.Context) error {
-		currentUserID := c.Get(getUserIDContextKey()).(int)
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
+		if !ok {
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
+		}
 		currentUser, err := s.Store.FindUser(&api.UserFind{
 			ID: ¤tUserID,
 		})