# HG changeset patch
# User Sascha L. Teichmann <sascha.teichmann@intevation.de>
# Date 1624555461 -7200
# Node ID e09e003948c74633a6818c887b57522cf288c86d
# Parent  755ed195fdc3675d3c5e3e40455a8585883d644b
Decouple and enforce roles in creating scheduled imports.

diff -r 755ed195fdc3 -r e09e003948c7 pkg/controllers/importconfig.go
--- a/pkg/controllers/importconfig.go	Thu Jun 24 18:39:03 2021 +0200
+++ b/pkg/controllers/importconfig.go	Thu Jun 24 19:24:21 2021 +0200
@@ -30,6 +30,11 @@
 	mw "gemma.intevation.de/gemma/pkg/middleware"
 )
 
+// RolesRequierer enforces roles when storing schedules.
+type RolesRequierer interface {
+	RequiresRoles() auth.Roles
+}
+
 func runImportConfig(req *http.Request) (jr mw.JSONResult, err error) {
 
 	id, _ := strconv.ParseInt(mux.Vars(req)["id"], 10, 64)
@@ -253,18 +258,6 @@
 
 	kind := imports.JobKind(cfg.Kind)
 
-	session, _ := auth.GetSession(req)
-
-	// TODO: Find a more general way to prevent this.
-	if kind == imports.ReportJobKind && !session.Roles.Has("sys_admin") {
-		err = mw.JSONError{
-			Code: http.StatusUnauthorized,
-			Message: fmt.Sprintf(
-				"Not allowed to add config for kind %s", string(cfg.Kind)),
-		}
-		return
-	}
-
 	ctor := imports.ImportModelForJobKind(kind)
 	if ctor == nil {
 		err = mw.JSONError{
@@ -274,6 +267,19 @@
 		return
 	}
 	config := ctor()
+
+	session, _ := auth.GetSession(req)
+
+	if r, ok := config.(RolesRequierer); ok {
+		if roles := r.RequiresRoles(); len(roles) > 0 && !session.Roles.HasAny(roles...) {
+			err = mw.JSONError{
+				Code: http.StatusUnauthorized,
+				Message: fmt.Sprintf(
+					"Not allowed to add config for kind %s", string(cfg.Kind)),
+			}
+			return
+		}
+	}
 	if err = json.Unmarshal(cfg.Config, config); err != nil {
 		return
 	}
diff -r 755ed195fdc3 -r e09e003948c7 pkg/imports/report.go
--- a/pkg/imports/report.go	Thu Jun 24 18:39:03 2021 +0200
+++ b/pkg/imports/report.go	Thu Jun 24 19:24:21 2021 +0200
@@ -27,6 +27,7 @@
 	"text/template"
 	"time"
 
+	"gemma.intevation.de/gemma/pkg/auth"
 	"gemma.intevation.de/gemma/pkg/common"
 	"gemma.intevation.de/gemma/pkg/config"
 	"gemma.intevation.de/gemma/pkg/misc"
@@ -84,6 +85,9 @@
 	return nil
 }
 
+// RequiresRoles enforces to be a sys_admin to run this .
+func (*Report) RequiresRoles() auth.Roles { return auth.Roles{"sys_admin"} }
+
 func (r *Report) Description() (string, error) { return r.Name, nil }
 
 func (*Report) CleanUp() error { return nil }