Don't "leak" other user keys
parent
ebd09e8270
commit
a3e001db09
15
keys.go
15
keys.go
@ -68,6 +68,7 @@ func declareAPIAuthKeysRoutes(router *gin.RouterGroup) {
|
|||||||
|
|
||||||
keysRoutes := router.Group("/keys/:kid")
|
keysRoutes := router.Group("/keys/:kid")
|
||||||
keysRoutes.Use(keyHandler)
|
keysRoutes.Use(keyHandler)
|
||||||
|
keysRoutes.Use(keyOnlyMyHandler)
|
||||||
|
|
||||||
keysRoutes.GET("", func(c *gin.Context) {
|
keysRoutes.GET("", func(c *gin.Context) {
|
||||||
var u *User
|
var u *User
|
||||||
@ -153,6 +154,20 @@ func keyHandler(c *gin.Context) {
|
|||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func keyOnlyMyHandler(c *gin.Context) {
|
||||||
|
u := c.MustGet("LoggedUser").(*User)
|
||||||
|
k := c.MustGet("key").(*Key)
|
||||||
|
|
||||||
|
if u.IsAdmin {
|
||||||
|
c.Next()
|
||||||
|
} else if k.IdUser == u.Id {
|
||||||
|
c.Next()
|
||||||
|
} else {
|
||||||
|
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Key not found."})
|
||||||
|
return
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
type Key struct {
|
type Key struct {
|
||||||
Id int64 `json:"id"`
|
Id int64 `json:"id"`
|
||||||
IdUser int64 `json:"id_user"`
|
IdUser int64 `json:"id_user"`
|
||||||
|
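Review bot: In `keyOnlyMyHandler`, answering a foreign key with 404 and `"Key not found."` only hides the key's existence if `keyHandler` returns exactly the same status and body for a `:kid` that does not exist. Its body is outside this section, so that is worth confirming, and ideally both paths would share one response helper so they cannot drift apart. The two `c.MustGet(...)` type assertions panic if an earlier middleware did not set `LoggedUser` or `key`, so the check depends on registration order. A checked `c.Get` that aborts with `http.StatusUnauthorized` would make that dependency explicit. The two `c.Next()` branches can be folded into a single guard, `if !u.IsAdmin && k.IdUser != u.Id { c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Key not found."}); return }`. A doc comment such as `// keyOnlyMyHandler rejects access to keys the logged-in user does not own, unless the user is an admin.` would record the intent.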