From 0afe641a9e5b003b763d249f504bc98ed724e366 Mon Sep 17 00:00:00 2001
From: Pierre-Olivier Mercier
Date: Sat, 10 Sep 2022 00:37:29 +0200
Subject: [PATCH] Don't "leak" other user keys

---
 keys.go | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

diff --git a/keys.go b/keys.go
index cc23ad7..110371e 100644
--- a/keys.go
+++ b/keys.go
@@ -68,6 +68,7 @@ func declareAPIAuthKeysRoutes(router *gin.RouterGroup) {

 	keysRoutes := router.Group("/keys/:kid")
 	keysRoutes.Use(keyHandler)
+	keysRoutes.Use(keyOnlyMyHandler)

 	keysRoutes.GET("", func(c *gin.Context) {
 		var u *User
@@ -153,6 +154,20 @@ func keyHandler(c *gin.Context) {
 	}
 }

+func keyOnlyMyHandler(c *gin.Context) {
+	u := c.MustGet("LoggedUser").(*User)
+	k := c.MustGet("key").(*Key)
+
+	if u.IsAdmin {
+		c.Next()
+	} else if k.IdUser == u.Id {
+		c.Next()
+	} else {
+		c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Key not found."})
+		return
+	}
+}
+
 type Key struct {
 	Id int64 `json:"id"`
 	IdUser int64 `json:"id_user"`
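Review bot: The two `c.Next()` branches in `keyOnlyMyHandler` are redundant and the ownership test reads more clearly as one guard: `if !u.IsAdmin && k.IdUser != u.Id { c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Key not found."}); return }` — gin continues to the next handler when a middleware returns without aborting. Both `MustGet` calls panic if the login middleware or `keyHandler` has not run first, which fails closed but surfaces as a recovered 500 rather than a deliberate deny; since this gate is only as strong as the `keysRoutes.Use` ordering in the first hunk, a doc comment should state the precondition, e.g. `// keyOnlyMyHandler must be registered after keyHandler on an authenticated group; it hides keys the logged user does not own unless they are an admin.` Answering 404 rather than 403 for another user's key is the right choice, as it does not confirm that the key id exists; a one-line comment such as `// 404, not 403: do not reveal whether another user's key id exists.` would keep a later refactor from "fixing" it to 403. Any `/keys/:kid` routes declared outside this group, or a key-listing route, are not covered by this middleware and fall outside the hunk.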