diff --git a/endpoints/closerewardfund.go b/endpoints/closerewardfund.go
index 49cbbda..6d2986e 100644
--- a/endpoints/closerewardfund.go
+++ b/endpoints/closerewardfund.go
@@ -29,14 +29,20 @@ func CloseRewardFund(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > AdminPlus {
+ w.WriteHeader(403)
+ return
+ }
+
 var fund RewardFund
 var modified int64
- if claims != nil && claims.Privileges <= AdminPlus && req.Close {
+ if req.Close {
 Db.Table("reward_funds").Find(&fund, req.ID)
 modified = Db.Delete(&fund).RowsAffected
- } else {
- w.WriteHeader(403)
- return
 }
 
 var resp SuccessResponse
diff --git a/endpoints/createqueue.go b/endpoints/createqueue.go
index 73661e6..9867140 100644
--- a/endpoints/createqueue.go
+++ b/endpoints/createqueue.go
@@ -32,25 +32,29 @@ func CreateQueue(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > Admin {
+ w.WriteHeader(403)
+ return
+ }
+
 var resp CreateQueueResponse
- if claims != nil && claims.Privileges <= Admin {
- var specificQueue Queue
- Db.Table("queues").First(&specificQueue, "name = ?", req.Name)
+ var specificQueue Queue
+ Db.Table("queues").First(&specificQueue, "name = ?", req.Name)
 
- if specificQueue.ID != 0 {
- resp.ID = specificQueue.ID
- } else {
- queue := Queue{
- Name: req.Name,
- }
+ if specificQueue.ID != 0 {
+ resp.ID = specificQueue.ID
+ } else {
+ queue := Queue{
+ Name: req.Name,
+ }
 
- Db.Create(&queue)
+ Db.Create(&queue)
 
- resp.ID = queue.ID
- }
- } else {
- w.WriteHeader(403)
- return
+ resp.ID = queue.ID
 }
 
 err = json.NewEncoder(w).Encode(resp)
diff --git a/endpoints/createrewardfund.go b/endpoints/createrewardfund.go
index 4091432..67316cc 100644
--- a/endpoints/createrewardfund.go
+++ b/endpoints/createrewardfund.go
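Review bot: Neither the `Find` nor the `Delete` result is checked inside the new `if req.Close` branch, so a `req.ID` that matches no row leaves `fund` zero-valued and `Db.Delete(&fund)` runs with an empty primary key; depending on the GORM version that is either an unchecked error or an unconditioned delete statement, and in both cases the caller still gets the success response. Check the lookup before deleting, e.g. `if err := Db.Table("reward_funds").First(&fund, req.ID).Error; err != nil { w.WriteHeader(404); return }`, and check `Db.Delete(&fund).Error` as well. The 401/403 split itself reads correctly against the existing `<= AdminPlus` convention. CloseRewardFund's opening, where `claims` is obtained, and its response encoding are outside the hunk.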
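Review bot: `Db.Create(&queue)` in the re-indented `else` branch discards its error, so a failed insert still answers 200 with `resp.ID` equal to 0, and the `First` lookup above it likewise relies on `specificQueue.ID != 0` as the only signal that the query worked. Check the result: `if err := Db.Create(&queue).Error; err != nil { w.WriteHeader(500); return }`. The lookup-then-insert is also not atomic, so two concurrent requests with the same name can both miss the lookup and both insert unless `queues.name` carries a unique constraint, which is not visible here. CreateQueue's opening and the claims lookup are outside the hunk.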
@@ -85,26 +85,31 @@ func CreateRewardFund(resp http.ResponseWriter, req *http.Request) {
 return
 }
 
- if claims != nil && claims.Privileges <= Admin {
- Db.Create(&rewardFund)
- Db.Create(&joinRecord)
+ if claims == nil {
+ resp.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > Admin {
+ resp.WriteHeader(403)
+ return
+ }
 
- for _, cancel := range cancellations {
- cancel()
- }
- go InitializeContributionStreams()
+ Db.Create(&rewardFund)
+ Db.Create(&joinRecord)
 
- for _, bonus := range fund.Bonuses {
- bonus.RewardFundID = rewardFund.ID
- bonuses = append(bonuses, bonus)
- }
- Db.Create(&bonuses)
+ for _, cancel := range cancellations {
+ cancel()
+ }
+ go InitializeContributionStreams()
 
- err = json.NewEncoder(resp).Encode(&SuccessResponse{Success: true})
- if err != nil {
- log.Error().Err(err).Msg("Could not create response for created reward fund")
- }
- } else {
- resp.WriteHeader(403)
+ for _, bonus := range fund.Bonuses {
+ bonus.RewardFundID = rewardFund.ID
+ bonuses = append(bonuses, bonus)
+ }
+ Db.Create(&bonuses)
+
+ err = json.NewEncoder(resp).Encode(&SuccessResponse{Success: true})
+ if err != nil {
+ log.Error().Err(err).Msg("Could not create response for created reward fund")
 }
 }
diff --git a/endpoints/editqueue.go b/endpoints/editqueue.go
index 7818446..9df9d48 100644
--- a/endpoints/editqueue.go
+++ b/endpoints/editqueue.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "net/http"
 
+ "github.com/imosed/signet/auth"
 . "github.com/imosed/signet/data"
 "github.com/rs/zerolog/log"
 )
@@ -27,6 +28,20 @@ func EditQueue(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ var claims *auth.Claims
+ claims, err = auth.GetUserClaims(r)
+ if err != nil {
+ log.Error().Err(err).Msg("Could not get user claims in call to EditQueue")
+ }
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > Admin {
+ w.WriteHeader(403)
+ return
+ }
+
 var resp SuccessResponse
 for _, qo := range req.FundOrders {
 Db.Table("queue_orders").
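Review bot: `Db.Create(&rewardFund)` is not checked before `rewardFund.ID` is copied into each bonus, so if that insert fails the bonuses are created with a zero `RewardFundID`, the contribution streams are restarted anyway, and the client still receives `Success: true`. Stop the chain on the first error, e.g. `if err := Db.Create(&rewardFund).Error; err != nil { resp.WriteHeader(500); return }`, and treat `Db.Create(&joinRecord)` and `Db.Create(&bonuses)` the same way (some GORM versions also return an error for an empty `bonuses` slice, which this would surface instead of hide). Restarting the streams before the bonuses are inserted may also let `InitializeContributionStreams` observe the fund without them; if that goroutine reads bonuses, the cancel/restart belongs after `Db.Create(&bonuses)`. The start of CreateRewardFund, including where `claims` is obtained, is outside the hunk.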
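Review bot: The `err` from `auth.GetUserClaims(r)` is only logged and execution continues to the `claims == nil` test, so a rejected or malformed token becomes a 401 only if `GetUserClaims` is guaranteed to return a nil `*auth.Claims` whenever it returns an error; should it ever return a populated struct alongside an error, the request proceeds as that user. Make the failure terminal, `if err != nil || claims == nil { w.WriteHeader(401); return }`, and consider a lower log level, since every unauthenticated request would otherwise write an error-level entry. The same pattern is added in getqueuemembers.go and submitfund.go, and escalateprivileges.go never examines that `err` at all in its context lines. EditQueue's body continues past the end of the hunk.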
diff --git a/endpoints/escalateprivileges.go b/endpoints/escalateprivileges.go
index b2197a3..1e9b9f2 100644
--- a/endpoints/escalateprivileges.go
+++ b/endpoints/escalateprivileges.go
@@ -28,26 +28,30 @@ func ChangePrivileges(w http.ResponseWriter, r *http.Request) {
 var claims *auth.Claims
 claims, err = auth.GetUserClaims(r)
 
- if claims != nil && claims.Privileges <= AdminPlus {
- Db.Table("users").Where("id = ?", req.UserID).Find(&user)
- if req.Privileges == SuperUser {
- resp.Success = false
-
- err = json.NewEncoder(w).Encode(resp)
- if err != nil {
- log.Error().Err(err).Msg("Could not deliver failed escalate privileges response")
- }
- return
- }
-
- user.Privileges = req.Privileges
- Db.Save(user)
- resp.Success = true
- } else {
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > AdminPlus {
 w.WriteHeader(403)
 return
 }
 
+ Db.Table("users").Where("id = ?", req.UserID).Find(&user)
+ if req.Privileges == SuperUser {
+ resp.Success = false
+
+ err = json.NewEncoder(w).Encode(resp)
+ if err != nil {
+ log.Error().Err(err).Msg("Could not deliver failed escalate privileges response")
+ }
+ return
+ }
+
+ user.Privileges = req.Privileges
+ Db.Save(user)
+ resp.Success = true
+
 err = json.NewEncoder(w).Encode(resp)
 if err != nil {
 log.Error().Err(err).Msg("Could not deliver successful escalate privileges response")
diff --git a/endpoints/getqueuemembers.go b/endpoints/getqueuemembers.go
index e7a4588..9ca2b24 100644
--- a/endpoints/getqueuemembers.go
+++ b/endpoints/getqueuemembers.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "net/http"
 
+ "github.com/imosed/signet/auth"
 . "github.com/imosed/signet/data"
 "github.com/rs/zerolog/log"
 )
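Review bot: The only constraint on the requested level is `req.Privileges == SuperUser`, and nothing compares the target user's current level or the requested level with the caller's own, so an AdminPlus caller can demote a SuperUser or raise any account to AdminPlus; if `Privileges` is a plain integer, values outside the defined constants also pass straight into `Db.Save`. Add a check that the target is not above the caller and that the requested level is within the caller's own, e.g. `if user.Privileges < claims.Privileges || req.Privileges < claims.Privileges { w.WriteHeader(403); return }`, assuming, as the existing `<= AdminPlus` comparisons suggest, that smaller values are more privileged. The `Find` result is not checked either, so an unknown `req.UserID` leaves `user` zero-valued and `Db.Save(user)` may then insert a fresh row rather than update one; test the primary key for zero (`user.ID == 0`, or whatever field User uses) and answer 404 before the update. The `err` from `auth.GetUserClaims(r)` in the context lines is never examined, and the function's start and its final return are outside the hunk.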
@@ -30,6 +31,21 @@ func GetQueueMembers(w http.ResponseWriter, r *http.Request) {
 return
 }
 
+ var claims *auth.Claims
+ claims, err = auth.GetUserClaims(r)
+ if err != nil {
+ log.Error().Err(err).Msg("Could not get user claims in request to GetQueueMembers")
+ }
+
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > Admin {
+ w.WriteHeader(403)
+ return
+ }
+
 var members []QueueMember
 Db.Table("queue_orders qo").Select("rf.id, asset, qo.order").
 Where("queue_id = ?", req.ID).
diff --git a/endpoints/getusers.go b/endpoints/getusers.go
index 6fabaed..33cffca 100644
--- a/endpoints/getusers.go
+++ b/endpoints/getusers.go
@@ -15,7 +15,11 @@ type GetUsersResponse struct {
 
 func GetUsers(w http.ResponseWriter, r *http.Request) {
 claims, err := auth.GetUserClaims(r)
- if claims == nil || (claims != nil && claims.Privileges > AdminPlus) {
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > AdminPlus {
 w.WriteHeader(403)
 return
 }
diff --git a/endpoints/register.go b/endpoints/register.go
index 07e0a45..73cc66a 100644
--- a/endpoints/register.go
+++ b/endpoints/register.go
@@ -150,33 +150,31 @@ func Register(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if claims == nil {
- return
- }
-
- if noUsersRegistered() || (claims != nil && claims.Privileges <= AdminPlus) {
- hash, err := GetHashedPassword(req.Password)
- if err != nil {
- log.Error().Err(err).Msg("Could not generate hash for registration")
+ if !noUsersRegistered() {
+ if claims == nil {
+ w.WriteHeader(401)
 return
 }
+ if claims.Privileges > AdminPlus {
+ w.WriteHeader(403)
+ return
+ }
+ }
+
+ hash, err := GetHashedPassword(req.Password)
+ if err != nil {
+ log.Error().Err(err).Msg("Could not generate hash for registration")
+ return
+ }
 
- Db.Create(&User{
- Username: req.Username,
- Password: hash,
- Privileges: determinePrivileges(),
- })
+ Db.Create(&User{
+ Username: req.Username,
+ Password: hash,
+ Privileges: determinePrivileges(),
+ })
 
- err = json.NewEncoder(w).Encode(SuccessResponse{Success: true})
- if err != nil {
- log.Error().Err(err).Msg("Could not deliver successful account creation response")
- }
- } else if !noUsersRegistered() {
- err = json.NewEncoder(w).Encode(SuccessResponse{Success: false})
- if err != nil {
- log.Error().Err(err).Msg("Could not deliver unsuccessful account creation response")
- }
- } else if claims != nil && claims.Privileges > SuperUser {
- w.WriteHeader(403)
+ err = json.NewEncoder(w).Encode(SuccessResponse{Success: true})
+ if err != nil {
+ log.Error().Err(err).Msg("Could not deliver successful account creation response")
 }
 }
diff --git a/endpoints/submitfund.go b/endpoints/submitfund.go
index e5e94d7..0fc88c8 100644
--- a/endpoints/submitfund.go
+++ b/endpoints/submitfund.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "net/http"
 
+ "github.com/imosed/signet/auth"
 "github.com/imosed/signet/utils"
 "github.com/rs/zerolog/log"
 )
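Review bot: `Db.Create(&User{...})` is still unchecked, so an insert that fails, for instance on a duplicate `Username` if that column is unique, still answers `Success: true`; build the value first and check it, `if err := Db.Create(&user).Error; err != nil { log.Error().Err(err).Msg("Could not create user"); w.WriteHeader(500); return }`. The unauthenticated bootstrap path reads `noUsersRegistered()` here and `determinePrivileges()` later without any serialisation, so two concurrent first registrations can both pass the empty-table check and both be created with whatever `determinePrivileges` assigns to the first user; the initial-user path should run in a transaction or behind a lock. `hash, err :=` also shadows the outer `err`, which is harmless here but is what staticcheck would flag. The start of Register, where `claims` is set, is outside the hunk.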
@@ -20,6 +21,20 @@ func SubmitFund(w http.ResponseWriter, r *http.Request) {
 log.Error().Err(err).Msg("Could not decode body in SubmitFund call")
 }
 
+ var claims *auth.Claims
+ claims, err = auth.GetUserClaims(r)
+ if err != nil {
+ log.Error().Err(err).Msg("Could not get user claims in call to SubmitFund")
+ }
+ if claims == nil {
+ w.WriteHeader(401)
+ return
+ }
+ if claims.Privileges > Admin {
+ w.WriteHeader(403)
+ return
+ }
+
 var resp SuccessResponse
 resp.Success = false
 
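Review bot: The new claims guard sits after the request body has already been decoded, and the context line above shows a decode failure being logged without a `return`, so an unauthenticated caller's body is parsed before any credential is looked at and a malformed body still reaches the guard with a zero-valued request. Move `auth.GetUserClaims(r)` and the 401/403 checks above the body decode (which is outside the hunk), and add `return` after the decode-error log so the handler does not continue with an empty request. As elsewhere in this commit, the error from `GetUserClaims` is logged but not treated as terminal; `if err != nil || claims == nil { w.WriteHeader(401); return }` would close that gap. SubmitFund's opening and the rest of its body are outside the hunk.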