# HG changeset patch
# User Sascha L. Teichmann
# Date 1624555461 -7200
# Node ID e09e003948c74633a6818c887b57522cf288c86d
# Parent 755ed195fdc3675d3c5e3e40455a8585883d644b
Decouple and enforce roles in creating scheduled imports.
diff -r 755ed195fdc3 -r e09e003948c7 pkg/controllers/importconfig.go
--- a/pkg/controllers/importconfig.go Thu Jun 24 18:39:03 2021 +0200
+++ b/pkg/controllers/importconfig.go Thu Jun 24 19:24:21 2021 +0200
@@ -30,6 +30,11 @@
 mw "gemma.intevation.de/gemma/pkg/middleware"
 )
+// RolesRequierer enforces roles when storing schedules.
+type RolesRequierer interface {
+ RequiresRoles() auth.Roles
+}
+
 func runImportConfig(req *http.Request) (jr mw.JSONResult, err error) {
 id, _ := strconv.ParseInt(mux.Vars(req)["id"], 10, 64)
@@ -253,18 +258,6 @@
 kind := imports.JobKind(cfg.Kind)
- session, _ := auth.GetSession(req)
-
- // TODO: Find a more general way to prevent this.
- if kind == imports.ReportJobKind && !session.Roles.Has("sys_admin") {
- err = mw.JSONError{
- Code: http.StatusUnauthorized,
- Message: fmt.Sprintf(
- "Not allowed to add config for kind %s", string(cfg.Kind)),
- }
- return
- }
-
 ctor := imports.ImportModelForJobKind(kind)
 if ctor == nil {
 err = mw.JSONError{
@@ -274,6 +267,19 @@
 return
 }
 config := ctor()
+
+ session, _ := auth.GetSession(req)
+
+ if r, ok := config.(RolesRequierer); ok {
+ if roles := r.RequiresRoles(); len(roles) > 0 && !session.Roles.HasAny(roles...) {
+ err = mw.JSONError{
+ Code: http.StatusUnauthorized,
+ Message: fmt.Sprintf(
+ "Not allowed to add config for kind %s", string(cfg.Kind)),
+ }
+ return
+ }
+ }
 if err = json.Unmarshal(cfg.Config, config); err != nil {
 return
 }
diff -r 755ed195fdc3 -r e09e003948c7 pkg/imports/report.go
--- a/pkg/imports/report.go Thu Jun 24 18:39:03 2021 +0200
+++ b/pkg/imports/report.go Thu Jun 24 19:24:21 2021 +0200
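Review bot: The new interface name `RolesRequierer` misspells "Requirer", and its doc comment says the type "enforces roles" although the interface only declares them; the enforcement is done by the controller that type-asserts on it further down in this file. Suggest `type RolesRequirer interface {` with the comment `// RolesRequirer is implemented by import models that may only be stored by a session holding at least one of the returned roles; an empty result imposes no restriction.`, plus the matching rename in the type assertion of the later hunk. The body of `runImportConfig` continues outside the hunk.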
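Review bot: The rejection in the relocated role check answers with `http.StatusUnauthorized`, but a request that reaches this point has already been authenticated, so the failure is a missing permission rather than missing credentials; `Code: http.StatusForbidden,` describes it correctly and stops clients from retrying with different credentials. The second return value of `auth.GetSession(req)` is still discarded, as it was before the move; if a nil session is possible on this path, `session.Roles.HasAny(roles...)` dereferences it, so either a guard such as `if session == nil { err = mw.JSONError{Code: http.StatusUnauthorized}; return }` or a comment stating that the auth middleware guarantees a session here would close that gap. Placing the check ahead of `json.Unmarshal(cfg.Config, config)` is the right order, since the untrusted config body is then never decoded for a caller who may not store it. The enclosing function starts and ends outside the hunk.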
@@ -27,6 +27,7 @@
 "text/template"
 "time"
+ "gemma.intevation.de/gemma/pkg/auth"
 "gemma.intevation.de/gemma/pkg/common"
 "gemma.intevation.de/gemma/pkg/config"
 "gemma.intevation.de/gemma/pkg/misc"
@@ -84,6 +85,9 @@
 return nil
 }
+// RequiresRoles enforces to be a sys_admin to run this .
+func (*Report) RequiresRoles() auth.Roles { return auth.Roles{"sys_admin"} }
+
 func (r *Report) Description() (string, error) { return r.Name, nil }
 func (*Report) CleanUp() error { return nil }
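Review bot: The doc comment on `RequiresRoles` has a stray space before the period and describes the wrong moment: the role is checked by the controller when a schedule for this job kind is stored, not when the report runs. Suggest `// RequiresRoles restricts storing a scheduled Report import to sessions holding the sys_admin role.`. As far as the diff shows, the `"sys_admin"` literal is now the only occurrence of that role name in the imports package; a package-level constant would keep it from drifting if other job kinds adopt the same restriction.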