Refactor permission checks to avoid leaking questions/works across promotions, groups and start-availability
Thanks-To François Dautrême <francois.dautreme@epita.fr>
This commit is contained in:
parent
bf5b0e88dd
commit
f675047ce8
3 changed files with 57 additions and 53 deletions
41
questions.go
41
questions.go
|
@ -39,7 +39,7 @@ func declareAPIAuthQuestionsRoutes(router *gin.RouterGroup) {
|
|||
c.JSON(http.StatusOK, questions)
|
||||
}
|
||||
} else {
|
||||
if (!s.Shown || s.Direct != nil) && !u.IsAdmin {
|
||||
if s.Direct != nil && !u.IsAdmin {
|
||||
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible"})
|
||||
return
|
||||
}
|
||||
|
@ -62,24 +62,7 @@ func declareAPIAuthQuestionsRoutes(router *gin.RouterGroup) {
|
|||
questionsRoutes.Use(questionHandler)
|
||||
|
||||
questionsRoutes.GET("", func(c *gin.Context) {
|
||||
q := c.MustGet("question").(*Question)
|
||||
u := c.MustGet("LoggedUser").(*User)
|
||||
|
||||
if !u.IsAdmin {
|
||||
s, err := getSurvey(int(q.IdSurvey))
|
||||
if err != nil {
|
||||
log.Println("Unable to getSurvey:", err)
|
||||
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during survey retrieval. Please try again later."})
|
||||
return
|
||||
}
|
||||
|
||||
if !s.Shown || (s.Direct != nil && *s.Direct != q.Id) {
|
||||
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not authorized"})
|
||||
return
|
||||
}
|
||||
}
|
||||
|
||||
c.JSON(http.StatusOK, q)
|
||||
c.JSON(http.StatusOK, c.MustGet("question").(*Question))
|
||||
})
|
||||
|
||||
declareAPIAuthProposalsRoutes(questionsRoutes)
|
||||
|
@ -171,6 +154,8 @@ func declareAPIAdminUserQuestionsRoutes(router *gin.RouterGroup) {
|
|||
}
|
||||
|
||||
func questionHandler(c *gin.Context) {
|
||||
u := c.MustGet("LoggedUser").(*User)
|
||||
|
||||
var survey *Survey
|
||||
if s, ok := c.Get("survey"); ok {
|
||||
survey = s.(*Survey)
|
||||
|
@ -190,6 +175,15 @@ func questionHandler(c *gin.Context) {
|
|||
c.AbortWithStatusJSON(http.StatusNotFound, gin.H{"errmsg": "Question not found"})
|
||||
return
|
||||
}
|
||||
|
||||
s, err := getSurvey(int(question.IdSurvey))
|
||||
if err != nil {
|
||||
log.Println("Unable to getSurvey:", err)
|
||||
c.AbortWithStatusJSON(http.StatusInternalServerError, gin.H{"errmsg": "An error occurs during survey retrieval. Please try again later."})
|
||||
return
|
||||
}
|
||||
|
||||
survey = s
|
||||
} else {
|
||||
question, err = survey.GetQuestion(qid)
|
||||
if err != nil {
|
||||
|
@ -198,6 +192,15 @@ func questionHandler(c *gin.Context) {
|
|||
}
|
||||
}
|
||||
|
||||
if !u.IsAdmin && (!survey.checkUserAccessToSurvey(u) || (survey.Direct != nil && *survey.Direct != question.Id)) {
|
||||
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not authorized"})
|
||||
return
|
||||
}
|
||||
if !u.IsAdmin && survey.StartAvailability.After(time.Now()) {
|
||||
c.AbortWithStatusJSON(http.StatusForbidden, gin.H{"errmsg": "Not accessible yet"})
|
||||
return
|
||||
}
|
||||
|
||||
c.Set("question", question)
|
||||
|
||||
c.Next()
|
||||
|
|
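Review bot: The first hunk drops `!s.Shown` from the list route's non-admin guard (`if s.Direct != nil && !u.IsAdmin`), and the second hunk removes the per-question GET guard that also enforced `!s.Shown`, so hiding a non-shown survey's questions from non-admins now rests entirely on `survey.checkUserAccessToSurvey(u)` in questionHandler (its body is outside this diff); confirm that helper checks `Shown`, otherwise the refactor widens rather than narrows what a non-admin can read. In questionHandler the not-found branch aborts with 404 before the access check at `if !u.IsAdmin && (...)`, so a user without access to the survey can still tell existing question ids from non-existing ones; answering both cases with the same 403, or running the survey access check before resolving the question, would close that. The two consecutive `if !u.IsAdmin && ...` guards would read better with one comment stating the contract, e.g. `// Non-admins may only read questions of surveys they can access, only the direct question when one is set, and only once the survey has opened.`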