Don't "leak" other user keys

2022-09-10 00:37:29 +02:00 · 2022-09-10 00:37:29 +02:00 · 0afe641a9e
commit 0afe641a9e
parent 499f8c924f
1 changed files with 15 additions and 0 deletions
--- a/keys.go
+++ b/keys.go
@ -68,6 +68,7 @@ func declareAPIAuthKeysRoutes(router *gin.RouterGroup) {

 	keysRoutes := router.Group("/keys/:kid")
 	keysRoutes.Use(keyHandler)
+	keysRoutes.Use(keyOnlyMyHandler)

 	keysRoutes.GET("", func(c *gin.Context) {
 		var u *User
@ -153,6 +154,20 @@ func keyHandler(c *gin.Context) {
 	}
 }

+func keyOnlyMyHandler(c *gin.Context) {
+	u := c.MustGet("LoggedUser").(*User)
+	k := c.MustGet("key").(*Key)
+
+	if u.IsAdmin {
+		c.Next()
+	} else if k.IdUser == u.Id {
+		c.Next()
+	} else {
+		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Key not found."})
+		return
+	}
+}
+
 type Key struct {
 	Id      int64                  `json:"id"`
 	IdUser  int64                  `json:"id_user"`