fix: acl middleware

2024-09-21 06:55:55 +08:00 · 2022-07-28 20:09:25 +08:00 · 2022-07-28 20:09:25 +08:00 · 5617118fa8
parent fa93d0fd6e
commit 5617118fa8
5 changed files with 47 additions and 13 deletions
--- a/server/acl.go
+++ b/server/acl.go
@ -53,8 +53,12 @@ func removeUserSession(ctx echo.Context) error {
 func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 	return func(ctx echo.Context) error {
-		// Skip auth for some paths.
+		// Skip auth.
-		if common.HasPrefixes(ctx.Path(), "/api/auth", "/api/ping", "/api/status", "/api/user/:id") {
+		if common.HasPrefixes(ctx.Path(), "/api/auth") {
 			return next(ctx)
 		}
 		if common.HasPrefixes(ctx.Path(), "/api/ping", "/api/status", "/api/user/:id") && ctx.Request().Method == http.MethodGet {
 			return next(ctx)
 		}
@ -104,7 +108,7 @@ func aclMiddleware(s *Server, next echo.HandlerFunc) echo.HandlerFunc {
 		userID := ctx.Get(getUserIDContextKey())
 		if userID == nil {
-			return echo.NewHTTPError(http.StatusUnauthorized, "Missing userID in session")
+			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		return next(ctx)
--- a/server/memo.go
+++ b/server/memo.go
@ -15,7 +15,10 @@ import (
 func (s *Server) registerMemoRoutes(g *echo.Group) {
 	g.POST("/memo", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		memoCreate := &api.MemoCreate{
 			CreatorID: userID,
 		}
@ -133,7 +136,10 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("memoId"))).SetInternal(err)
 		}
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		memoOrganizerUpsert := &api.MemoOrganizerUpsert{
 			MemoID: memoID,
 			UserID: userID,
@ -207,7 +213,10 @@ func (s *Server) registerMemoRoutes(g *echo.Group) {
 	})
 	g.GET("/memo/amount", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		normalRowStatus := api.Normal
 		memoFind := &api.MemoFind{
 			CreatorID: &userID,
--- a/server/resource.go
+++ b/server/resource.go
@ -14,7 +14,10 @@ import (
 func (s *Server) registerResourceRoutes(g *echo.Group) {
 	g.POST("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		err := c.Request().ParseMultipartForm(64 << 20)
 		if err != nil {
@ -61,7 +64,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 	})
 	g.GET("/resource", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		resourceFind := &api.ResourceFind{
 			CreatorID: &userID,
 		}
@ -83,7 +89,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		resourceFind := &api.ResourceFind{
 			ID:        &resourceID,
 			CreatorID: &userID,
@ -106,7 +115,10 @@ func (s *Server) registerResourceRoutes(g *echo.Group) {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("resourceId"))).SetInternal(err)
 		}
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		resourceFind := &api.ResourceFind{
 			ID:        &resourceID,
 			CreatorID: &userID,
--- a/server/shortcut.go
+++ b/server/shortcut.go
@ -13,7 +13,10 @@ import (
 func (s *Server) registerShortcutRoutes(g *echo.Group) {
 	g.POST("/shortcut", func(c echo.Context) error {
-		userID := c.Get(getUserIDContextKey()).(int)
+		userID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		shortcutCreate := &api.ShortcutCreate{
 			CreatorID: userID,
 		}
--- a/server/user.go
+++ b/server/user.go
@ -108,7 +108,10 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 		if err != nil {
 			return echo.NewHTTPError(http.StatusBadRequest, fmt.Sprintf("ID is not a number: %s", c.Param("id"))).SetInternal(err)
 		}
-		currentUserID := c.Get(getUserIDContextKey()).(int)
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		currentUser, err := s.Store.FindUser(&api.UserFind{
 			ID: &currentUserID,
 		})
@ -156,7 +159,10 @@ func (s *Server) registerUserRoutes(g *echo.Group) {
 	})
 	g.DELETE("/user/:id", func(c echo.Context) error {
-		currentUserID := c.Get(getUserIDContextKey()).(int)
+		currentUserID, ok := c.Get(getUserIDContextKey()).(int)
 		if !ok {
 			return echo.NewHTTPError(http.StatusUnauthorized, "Missing user in session")
 		}
 		currentUser, err := s.Store.FindUser(&api.UserFind{
 			ID: &currentUserID,
 		})