From e21a970c42d065dcf93846274051324dcc0d8dc7 Mon Sep 17 00:00:00 2001
From: Jared
Date: Tue, 7 Feb 2023 23:12:19 -0500
Subject: [PATCH] Return the proper http response for unprivileged requests

---
 endpoints/closerewardfund.go | 5 ++++-
 endpoints/createqueue.go | 32 ++++++++++++++++++++++----------
 endpoints/createrewardfund.go | 2 +-
 endpoints/escalateprivileges.go | 5 +++--
 endpoints/getusers.go | 5 +++--
 endpoints/register.go | 4 ++--
 utils/submission.go | 8 +++++++-
 7 files changed, 42 insertions(+), 19 deletions(-)

diff --git a/endpoints/closerewardfund.go b/endpoints/closerewardfund.go
index 5a8da9c..49cbbda 100644
--- a/endpoints/closerewardfund.go
+++ b/endpoints/closerewardfund.go
@@ -31,9 +31,12 @@ func CloseRewardFund(w http.ResponseWriter, r *http.Request) {
 var fund RewardFund
 var modified int64
 
- if claims.Privileges <= AdminPlus && req.Close {
+ if claims != nil && claims.Privileges <= AdminPlus && req.Close {
 Db.Table("reward_funds").Find(&fund, req.ID)
 modified = Db.Delete(&fund).RowsAffected
+ } else {
+ w.WriteHeader(403)
+ return
 }
 
 var resp SuccessResponse
diff --git a/endpoints/createqueue.go b/endpoints/createqueue.go
index eb4dca7..73661e6 100644
--- a/endpoints/createqueue.go
+++ b/endpoints/createqueue.go
@@ -4,6 +4,7 @@ import (
 "encoding/json"
 "net/http"
 
+ "github.com/imosed/signet/auth"
 . "github.com/imosed/signet/data"
 "github.com/rs/zerolog/log"
 )
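Review bot: The new `else` branch in CloseRewardFund answers 403 for two different situations: a caller without privileges, and a privileged caller whose request has `Close` set to false, which before this change fell through to the success response with `modified` left at zero. If the second case is meant to be a no-op rather than a refusal, test the privilege on its own first, e.g. `if claims == nil || claims.Privileges > AdminPlus { w.WriteHeader(http.StatusForbidden); return }`, and keep `if req.Close { ... }` as a separate block. The literal `403` reads better as `http.StatusForbidden`, since net/http is already imported here; the same applies to the 403 writes in createqueue.go, escalateprivileges.go, getusers.go and register.go in this commit. Where `claims` is assigned lies outside this hunk, so whether a claims lookup error was already handled before this point cannot be checked here.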
@@ -24,21 +25,32 @@ func CreateQueue(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- var specificQueue Queue
- Db.Table("queues").First(&specificQueue, "name = ?", req.Name)
+ var claims *auth.Claims
+ claims, err = auth.GetUserClaims(r)
+ if err != nil {
+ log.Error().Err(err).Msg("Could not determine if user is authenticated")
+ return
+ }
 
 var resp CreateQueueResponse
 
+ if claims != nil && claims.Privileges <= Admin {
+ var specificQueue Queue
+ Db.Table("queues").First(&specificQueue, "name = ?", req.Name)
 
- if specificQueue.ID != 0 {
- resp.ID = specificQueue.ID
- } else {
- queue := Queue{
- Name: req.Name,
- }
+ if specificQueue.ID != 0 {
+ resp.ID = specificQueue.ID
+ } else {
+ queue := Queue{
+ Name: req.Name,
+ }
 
- Db.Create(&queue)
+ Db.Create(&queue)
 
- resp.ID = queue.ID
+ resp.ID = queue.ID
+ }
+ } else {
+ w.WriteHeader(403)
+ return
 }
 
 err = json.NewEncoder(w).Encode(resp)
diff --git a/endpoints/createrewardfund.go b/endpoints/createrewardfund.go
index 90f9cc4..4091432 100644
--- a/endpoints/createrewardfund.go
+++ b/endpoints/createrewardfund.go
@@ -85,7 +85,7 @@ func CreateRewardFund(resp http.ResponseWriter, req *http.Request) {
 return
 }
 
- if claims.Privileges <= Admin {
+ if claims != nil && claims.Privileges <= Admin {
 Db.Create(&rewardFund)
 Db.Create(&joinRecord)
 
diff --git a/endpoints/escalateprivileges.go b/endpoints/escalateprivileges.go
index 14f7996..b2197a3 100644
--- a/endpoints/escalateprivileges.go
+++ b/endpoints/escalateprivileges.go
@@ -28,7 +28,7 @@ func ChangePrivileges(w http.ResponseWriter, r *http.Request) {
 var claims *auth.Claims
 claims, err = auth.GetUserClaims(r)
 
- if claims.Privileges < 2 {
+ if claims != nil && claims.Privileges <= AdminPlus {
 Db.Table("users").Where("id = ?", req.UserID).Find(&user)
 if req.Privileges == SuperUser {
 resp.Success = false
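Review bot: When `auth.GetUserClaims` fails, the new error branch in CreateQueue logs and returns without writing a status, so the client receives an empty 200 and treats a failed authentication check as success. Write an explicit status before that `return`, e.g. `w.WriteHeader(http.StatusInternalServerError)`, or whichever status the rest of the service uses for a claims lookup failure — that convention is not visible in this patch. The `403` written in the `else` branch further down should likewise be `http.StatusForbidden`.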
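Review bot: In ChangePrivileges, `claims, err = auth.GetUserClaims(r)` assigns `err` but nothing in the hunk inspects it before `claims` is used, so a token that cannot be parsed is now indistinguishable from an unprivileged caller, and the error is silently overwritten by the later `err = json.NewEncoder(w).Encode(resp)` assignment shown in the next hunk. Check it the way createqueue.go in this same commit does, `if err != nil { log.Error().Err(err).Msg("Could not determine if user is authenticated"); return }`, and write a status before returning. The function continues past this hunk, so an error check placed further down would not be visible here, but it would already come after the first use of `claims`.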
@@ -44,7 +44,8 @@ func ChangePrivileges(w http.ResponseWriter, r *http.Request) {
 Db.Save(user)
 resp.Success = true
 } else {
- resp.Success = false
+ w.WriteHeader(403)
+ return
 }
 
 err = json.NewEncoder(w).Encode(resp)
diff --git a/endpoints/getusers.go b/endpoints/getusers.go
index a1ba786..6fabaed 100644
--- a/endpoints/getusers.go
+++ b/endpoints/getusers.go
@@ -15,12 +15,13 @@ type GetUsersResponse struct {
 func GetUsers(w http.ResponseWriter, r *http.Request) {
 claims, err := auth.GetUserClaims(r)
 
- if claims.Privileges > AdminPlus {
+ if claims == nil || (claims != nil && claims.Privileges > AdminPlus) {
+ w.WriteHeader(403)
 return
 }
 
 var users []User
- Db.Table("users").Where("privileges >= ?", claims.Privileges).Scan(&users)
+ Db.Table("users").Where("privileges >= ?", claims.Privileges).Order("id").Scan(&users)
 
 var resp GetUsersResponse
 resp.Users = users
diff --git a/endpoints/register.go b/endpoints/register.go
index 3c1e536..07e0a45 100644
--- a/endpoints/register.go
+++ b/endpoints/register.go
@@ -154,7 +154,7 @@ func Register(w http.ResponseWriter, r *http.Request) {
 return
 }
 
- if noUsersRegistered() || claims.Privileges <= AdminPlus {
+ if noUsersRegistered() || (claims != nil && claims.Privileges <= AdminPlus) {
 hash, err := GetHashedPassword(req.Password)
 if err != nil {
 log.Error().Err(err).Msg("Could not generate hash for registration")
@@ -176,7 +176,7 @@ func Register(w http.ResponseWriter, r *http.Request) {
 if err != nil {
 log.Error().Err(err).Msg("Could not deliver unsuccessful account creation response")
 }
- } else if claims.Privileges > SuperUser {
+ } else if claims != nil && claims.Privileges > SuperUser {
 w.WriteHeader(403)
 }
 }
diff --git a/utils/submission.go b/utils/submission.go
index 7df4212..cb8e6bb 100644
--- a/utils/submission.go
+++ b/utils/submission.go
@@ -2,6 +2,7 @@ package utils
 
 import (
 "fmt"
+ "math"
 
 "github.com/imosed/signet/client"
 . "github.com/imosed/signet/data"
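Review bot: The `claims != nil &&` inside the parentheses in GetUsers is redundant: `||` short-circuits, so the right operand is only evaluated when `claims` is not nil, and `if claims == nil || claims.Privileges > AdminPlus {` expresses the same check. As in escalateprivileges.go, the `err` returned by `auth.GetUserClaims` is not examined before `claims` is tested in this hunk, so a lookup failure is reported to the client as 403 rather than as an error; if `err` is checked further down the function, that check comes after the 403 has already been sent. `403` should be `http.StatusForbidden` here too.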
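Review bot: With the nil guards added to both Register hunks, a request whose claims are nil on an instance that already has users matches neither branch, so the handler writes nothing and the client gets an empty 200 where a refusal is intended; before this change that path would have dereferenced a nil pointer instead. Unless something above the first hunk already rejects nil claims, turning the last branch into a plain `} else { w.WriteHeader(http.StatusForbidden) }` covers the unauthenticated case; if the privilege ordering is what the `<= AdminPlus` tests suggest, the only non-nil claims the old `> SuperUser` condition excluded are SuperUser's, which already take the first branch. Whether the unauthenticated case should be 401 rather than 403 is the author's call. Register's body runs across both hunks and outside them, so any earlier early-return cannot be confirmed from this patch.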
@@ -14,6 +15,11 @@ import (
 "gorm.io/gorm/clause"
 )
 
+func getFraction(price float64) xdr.Price {
+ factor := math.Pow(10, 8)
+ return xdr.Price{N: xdr.Int32(price * factor), D: xdr.Int32(factor)}
+}
+
 func SubmitGroupFund(fundID uint) (bool, error) {
 var fund RewardFund
 Db.Preload(clause.Associations).Find(&fund, fundID)
@@ -63,7 +69,7 @@ func SubmitGroupFund(fundID uint) (bool, error) {
 Issuer: fund.IssuerWallet,
 },
 Amount: fmt.Sprintf("%f", submissionAmount),
- Price: xdr.Price{N: 1, D: xdr.Int32(fund.Price)},
+ Price: getFraction(fund.Price),
 OfferID: 0,
 SourceAccount: fund.FundWallet,
 },
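Review bot: `xdr.Int32(price * factor)` in getFraction silently truncates the fractional part and, for any price above roughly 21.47, produces a value outside int32 range, where Go's float-to-integer conversion is implementation-defined rather than an error. The function has no way to report this, so SubmitGroupFund would submit a nonsensical price; I would return an error alongside the xdr.Price, bound the scaled value before converting, as below, and have the call site in the second hunk handle that error instead of calling `getFraction(fund.Price)` inline in the struct literal. `math.Pow(10, 8)` can be the constant `1e8`. Whether a zero or negative numerator is acceptable to the network is not determinable from this file, so that part of the check is marked for confirmation.
```go
func getFraction(price float64) (xdr.Price, error) {
	// 8 decimal places of precision; the denominator is fixed at 1e8.
	const factor = 1e8
	scaled := math.Round(price * factor)
	// NOTE(review): presumably a non-positive numerator is rejected downstream — confirm.
	if math.IsNaN(scaled) || scaled <= 0 || scaled > math.MaxInt32 {
		return xdr.Price{}, fmt.Errorf("price %v cannot be represented as an int32 fraction", price)
	}
	return xdr.Price{N: xdr.Int32(scaled), D: xdr.Int32(factor)}, nil
}
```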