
Return the proper http response for unprivileged requests

master
Jared 1 year ago
parent
commit
e21a970c42
7 changed files with 42 additions and 19 deletions
  1. +4
    -1
      endpoints/closerewardfund.go
  2. +22
    -10
      endpoints/createqueue.go
  3. +1
    -1
      endpoints/createrewardfund.go
  4. +3
    -2
      endpoints/escalateprivileges.go
  5. +3
    -2
      endpoints/getusers.go
  6. +2
    -2
      endpoints/register.go
  7. +7
    -1
      utils/submission.go

+ 4
- 1
endpoints/closerewardfund.go View File

@@ -31,9 +31,12 @@ func CloseRewardFund(w http.ResponseWriter, r *http.Request) {


var fund RewardFund var fund RewardFund
var modified int64 var modified int64
if claims.Privileges <= AdminPlus && req.Close {
if claims != nil && claims.Privileges <= AdminPlus && req.Close {
Db.Table("reward_funds").Find(&fund, req.ID) Db.Table("reward_funds").Find(&fund, req.ID)
modified = Db.Delete(&fund).RowsAffected modified = Db.Delete(&fund).RowsAffected
} else {
w.WriteHeader(403)
return
} }


var resp SuccessResponse var resp SuccessResponse
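Review bot: The new `else` branch on the `if claims != nil && claims.Privileges <= AdminPlus && req.Close` check answers 403 even for an authorized admin whose request merely has `Close` unset, so a malformed or no-op request is reported as an authorization failure. Split the conditions: reject `claims == nil` with 401 and `claims.Privileges > AdminPlus` with 403 before this `if`, and treat `!req.Close` as a 400 (or as a successful no-op with `modified == 0`). The unchanged `Find(&fund, req.ID)` / `Delete(&fund)` pair still discards both gorm errors, so a lookup miss is indistinguishable from a delete of zero rows in the response. CloseRewardFund begins and ends outside this hunk.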


+ 22
- 10
endpoints/createqueue.go View File

@@ -4,6 +4,7 @@ import (
"encoding/json" "encoding/json"
"net/http" "net/http"


"github.com/imosed/signet/auth"
. "github.com/imosed/signet/data" . "github.com/imosed/signet/data"
"github.com/rs/zerolog/log" "github.com/rs/zerolog/log"
) )
@@ -24,21 +25,32 @@ func CreateQueue(w http.ResponseWriter, r *http.Request) {
return return
} }


var specificQueue Queue
Db.Table("queues").First(&specificQueue, "name = ?", req.Name)
var claims *auth.Claims
claims, err = auth.GetUserClaims(r)
if err != nil {
log.Error().Err(err).Msg("Could not determine if user is authenticated")
return
}


var resp CreateQueueResponse var resp CreateQueueResponse
if claims != nil && claims.Privileges <= Admin {
var specificQueue Queue
Db.Table("queues").First(&specificQueue, "name = ?", req.Name)


if specificQueue.ID != 0 {
resp.ID = specificQueue.ID
} else {
queue := Queue{
Name: req.Name,
}
if specificQueue.ID != 0 {
resp.ID = specificQueue.ID
} else {
queue := Queue{
Name: req.Name,
}


Db.Create(&queue)
Db.Create(&queue)


resp.ID = queue.ID
resp.ID = queue.ID
}
} else {
w.WriteHeader(403)
return
} }


err = json.NewEncoder(w).Encode(resp) err = json.NewEncoder(w).Encode(resp)
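Review bot: The new error path after `claims, err = auth.GetUserClaims(r)` logs and returns without writing a status, so a request whose token fails to parse gets an implicit 200 with an empty body rather than a rejection; add `w.WriteHeader(http.StatusUnauthorized)` (or 403, matching the else branch below) before that `return`. The `else` branch itself answers a missing token and an insufficient privilege level with the same 403; if the API is meant to distinguish them, `claims == nil` should map to 401. The `Db.Create(&queue)` result is still not checked, so a failed insert returns `resp.ID == 0` as if it had succeeded. CreateQueue starts before this hunk and its response-encoding error handling continues after it.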


+ 1
- 1
endpoints/createrewardfund.go View File

@@ -85,7 +85,7 @@ func CreateRewardFund(resp http.ResponseWriter, req *http.Request) {
return return
} }


if claims.Privileges <= Admin {
if claims != nil && claims.Privileges <= Admin {
Db.Create(&rewardFund) Db.Create(&rewardFund)
Db.Create(&joinRecord) Db.Create(&joinRecord)
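Review bot: This hunk only tightens the guard to `claims != nil && claims.Privileges <= Admin`; the branch taken when the guard fails lies outside the hunk, so it is not visible here whether CreateRewardFund writes a 403 for the unprivileged case the way the other handlers in this commit now do — worth confirming, since the commit message promises that across endpoints. The two `Db.Create` calls inside the guard discard their results, so a failed fund insert followed by a successful join-record insert could leave an orphaned join row. Consider `if err := Db.Create(&rewardFund).Error; err != nil { ... }` for each and wrapping both inserts in a single transaction. CreateRewardFund begins and ends outside this hunk.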




+ 3
- 2
endpoints/escalateprivileges.go View File

@@ -28,7 +28,7 @@ func ChangePrivileges(w http.ResponseWriter, r *http.Request) {
var claims *auth.Claims var claims *auth.Claims
claims, err = auth.GetUserClaims(r) claims, err = auth.GetUserClaims(r)


if claims.Privileges < 2 {
if claims != nil && claims.Privileges <= AdminPlus {
Db.Table("users").Where("id = ?", req.UserID).Find(&user) Db.Table("users").Where("id = ?", req.UserID).Find(&user)
if req.Privileges == SuperUser { if req.Privileges == SuperUser {
resp.Success = false resp.Success = false
@@ -44,7 +44,8 @@ func ChangePrivileges(w http.ResponseWriter, r *http.Request) {
Db.Save(user) Db.Save(user)
resp.Success = true resp.Success = true
} else { } else {
resp.Success = false
w.WriteHeader(403)
return
} }


err = json.NewEncoder(w).Encode(resp) err = json.NewEncoder(w).Encode(resp)
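Review bot: The new guard `claims != nil && claims.Privileges <= AdminPlus` runs immediately after `claims, err = auth.GetUserClaims(r)` without inspecting `err`, so a malformed or expired token is rejected only if the helper happens to return a nil `claims`; check `err != nil` first and return 401, keeping 403 for an authenticated but unprivileged caller. The only visible limit on the target level is `req.Privileges == SuperUser`; the lines between the two hunks are not shown, so if they do not also compare the requested level against the caller's own, an AdminPlus caller could promote another account to AdminPlus — confirm, and if missing add `if req.Privileges <= claims.Privileges { w.WriteHeader(403); return }` to forbid granting a level at or above the caller's. `Db.Save(user)` is still unchecked, so a failed write is reported as `Success: true`. ChangePrivileges starts before the first hunk and continues after the second.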


+ 3
- 2
endpoints/getusers.go View File

@@ -15,12 +15,13 @@ type GetUsersResponse struct {
func GetUsers(w http.ResponseWriter, r *http.Request) { func GetUsers(w http.ResponseWriter, r *http.Request) {
claims, err := auth.GetUserClaims(r) claims, err := auth.GetUserClaims(r)


if claims.Privileges > AdminPlus {
if claims == nil || (claims != nil && claims.Privileges > AdminPlus) {
w.WriteHeader(403)
return return
} }


var users []User var users []User
Db.Table("users").Where("privileges >= ?", claims.Privileges).Scan(&users)
Db.Table("users").Where("privileges >= ?", claims.Privileges).Order("id").Scan(&users)


var resp GetUsersResponse var resp GetUsersResponse
resp.Users = users resp.Users = users
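Review bot: The added condition `claims == nil || (claims != nil && claims.Privileges > AdminPlus)` repeats the nil test; `||` short-circuits, so `if claims == nil || claims.Privileges > AdminPlus {` is equivalent and reads more clearly. As in the other handlers, `err` from `auth.GetUserClaims(r)` on the line above is never examined, so a token that fails verification is treated like no token and answered with 403 rather than 401; testing `err != nil` first would separate the two cases. The `Order("id")` addition makes the listing deterministic, but the `Scan` error remains unchecked, so a query failure returns an empty user list with a 200. GetUsers continues past this hunk.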


+ 2
- 2
endpoints/register.go View File

@@ -154,7 +154,7 @@ func Register(w http.ResponseWriter, r *http.Request) {
return return
} }


if noUsersRegistered() || claims.Privileges <= AdminPlus {
if noUsersRegistered() || (claims != nil && claims.Privileges <= AdminPlus) {
hash, err := GetHashedPassword(req.Password) hash, err := GetHashedPassword(req.Password)
if err != nil { if err != nil {
log.Error().Err(err).Msg("Could not generate hash for registration") log.Error().Err(err).Msg("Could not generate hash for registration")
@@ -176,7 +176,7 @@ func Register(w http.ResponseWriter, r *http.Request) {
if err != nil { if err != nil {
log.Error().Err(err).Msg("Could not deliver unsuccessful account creation response") log.Error().Err(err).Msg("Could not deliver unsuccessful account creation response")
} }
} else if claims.Privileges > SuperUser {
} else if claims != nil && claims.Privileges > SuperUser {
w.WriteHeader(403) w.WriteHeader(403)
} }
} }
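Review bot: An unauthenticated request against a populated database now falls through both branches: the first `if` fails because `claims` is nil and the new `else if claims != nil && ...` is false as well, so the handler returns with no status written — an implicit 200 with an empty body for a request that should be rejected. Every request reaching the `else if` already has `claims == nil` or `claims.Privileges > AdminPlus` (and therefore `> SuperUser`, assuming the usual ordering where SuperUser is the smallest value), so the condition can simply become `} else { w.WriteHeader(403) }`, or 401 when `claims == nil`. The unchanged `noUsersRegistered()` bootstrap is a check-then-act window: two concurrent first registrations can both pass it, so a uniqueness constraint or a transaction-level lock around the first insert would be needed to close it. Register begins before this hunk.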

+ 7
- 1
utils/submission.go View File

@@ -2,6 +2,7 @@ package utils


import ( import (
"fmt" "fmt"
"math"


"github.com/imosed/signet/client" "github.com/imosed/signet/client"
. "github.com/imosed/signet/data" . "github.com/imosed/signet/data"
@@ -14,6 +15,11 @@ import (
"gorm.io/gorm/clause" "gorm.io/gorm/clause"
) )


func getFraction(price float64) xdr.Price {
factor := math.Pow(10, 8)
return xdr.Price{N: xdr.Int32(price * factor), D: xdr.Int32(factor)}
}

func SubmitGroupFund(fundID uint) (bool, error) { func SubmitGroupFund(fundID uint) (bool, error) {
var fund RewardFund var fund RewardFund
Db.Preload(clause.Associations).Find(&fund, fundID) Db.Preload(clause.Associations).Find(&fund, fundID)
@@ -63,7 +69,7 @@ func SubmitGroupFund(fundID uint) (bool, error) {
Issuer: fund.IssuerWallet, Issuer: fund.IssuerWallet,
}, },
Amount: fmt.Sprintf("%f", submissionAmount), Amount: fmt.Sprintf("%f", submissionAmount),
Price: xdr.Price{N: 1, D: xdr.Int32(fund.Price)},
Price: getFraction(fund.Price),
OfferID: 0, OfferID: 0,
SourceAccount: fund.FundWallet, SourceAccount: fund.FundWallet,
}, },
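Review bot: `getFraction` converts `price * 1e8` straight to `xdr.Int32`, and an out-of-range float-to-int32 conversion is not a runtime error in Go — the result is implementation-defined — so any `fund.Price` above roughly 21.47 (MaxInt32 / 1e8) silently produces a garbage numerator, while a NaN, negative or sub-1e-8 price produces a zero or negative fraction that is then submitted as the offer price. The conversion also truncates instead of rounding, so for example 0.29 becomes 28999999. Have `getFraction` validate its input and return an error, and let SubmitGroupFund propagate it instead of building the offer; `fmt` is already imported in this file. SubmitGroupFund starts and ends outside this hunk.
```go
// priceScale is the fixed denominator used to express a float price as a rational.
const priceScale = 1e8

// getFraction converts price into an xdr.Price with denominator 10^8, rejecting
// values whose scaled, rounded numerator is not a positive int32.
func getFraction(price float64) (xdr.Price, error) {
	if math.IsNaN(price) || math.IsInf(price, 0) || price <= 0 {
		return xdr.Price{}, fmt.Errorf("invalid price %v", price)
	}
	n := math.Round(price * priceScale)
	if n < 1 || n > math.MaxInt32 {
		return xdr.Price{}, fmt.Errorf("price %v cannot be represented with denominator %d", price, int64(priceScale))
	}
	return xdr.Price{N: xdr.Int32(n), D: xdr.Int32(priceScale)}, nil
}

// … unchanged: SubmitGroupFund up to the offer construction …
	price, err := getFraction(fund.Price)
	if err != nil {
		return false, err
	}
	// … unchanged: other offer fields …
			Price: price,
```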

