Require auth for most methods

2021-12-07 06:51:14 +01:00
parent 5fcf09f160
commit 34421e082f
4 changed files with 221 additions and 176 deletions
--- a/server/fileservice.go
+++ b/server/fileservice.go
@@ -6,6 +6,7 @@ import (
 	"time"

 	"gitea.benny.dog/torjus/ezshare/pb"
+	"gitea.benny.dog/torjus/ezshare/server/interceptors"
 	"gitea.benny.dog/torjus/ezshare/store"
 	"github.com/dustin/go-humanize"
 	"github.com/google/uuid"
@@ -26,6 +27,10 @@ func NewGRPCFileServiceServer(store store.FileStore) *GRPCFileServiceServer {
 }

 func (s *GRPCFileServiceServer) UploadFile(ctx context.Context, req *pb.UploadFileRequest) (*pb.UploadFileResponse, error) {
+	// Check if authorized
+	if !interceptors.RoleAtLeast(ctx, pb.User_USER) {
+		return nil, status.Error(codes.PermissionDenied, "permission denied")
+	}
 	var f pb.File
 	f.Data = req.GetData()
 	f.Metadata = &pb.File_Metadata{}
@@ -94,6 +99,19 @@ func (s *GRPCFileServiceServer) GetFile(ctx context.Context, req *pb.GetFileRequ
 }

 func (s *GRPCFileServiceServer) DeleteFile(ctx context.Context, req *pb.DeleteFileRequest) (*pb.DeleteFileResponse, error) {
+	// Check if authorized
+	if !interceptors.RoleAtLeast(ctx, pb.User_USER) {
+		return nil, status.Error(codes.PermissionDenied, "permission denied")
+	}
+	// Ensure owner of file or admin
+	f, err := s.store.GetFile(req.Id)
+	if err != nil {
+		s.Logger.Warnw("Error getting file.", "error", err)
+	}
+	if !(f.Metadata.Owner == interceptors.UserIDFromContext(ctx) || interceptors.RoleFromContext(ctx) == pb.User_ADMIN) {
+		return nil, status.Error(codes.PermissionDenied, "permission denied")
+	}
+
 	if err := s.store.DeleteFile(req.Id); err != nil {
 		s.Logger.Warnw("Error deleting file.", "error", err)
 		return nil, err
@@ -103,10 +121,21 @@ func (s *GRPCFileServiceServer) DeleteFile(ctx context.Context, req *pb.DeleteFi
 }

 func (s *GRPCFileServiceServer) ListFiles(ctx context.Context, req *pb.ListFilesRequest) (*pb.ListFilesResponse, error) {
-	infos, err := s.store.ListFiles()
+	var infos []*pb.ListFilesResponse_ListFileInfo
+	allInfos, err := s.store.ListFiles()
 	if err != nil {
 		return nil, err
 	}
+	if interceptors.RoleFromContext(ctx) == pb.User_ADMIN {
+		return &pb.ListFilesResponse{Files: allInfos}, nil
+	}
+
+	ownerID := interceptors.UserIDFromContext(ctx)
+	for _, info := range allInfos {
+		if info.Metadata.Owner == ownerID {
+			infos = append(infos, info)
+		}
+	}

 	return &pb.ListFilesResponse{
 		Files: infos,
--- a/server/interceptors/auth.go
+++ b/server/interceptors/auth.go
@@ -81,3 +81,9 @@ func UserIDFromContext(ctx context.Context) string {
 	}
 	return ""
 }
+
+func RoleAtLeast(ctx context.Context, role pb.User_Role) bool {
+	ctxRole := RoleFromContext(ctx)
+
+	return ctxRole > role
+}