Want to handle permissions in middleware #285

Open
sapphi-red opened this issue Mar 6, 2020 · 2 comments · May be fixed by #536
@sapphi-red (Contributor)

RBAC

@H1rono H1rono self-assigned this Apr 4, 2023
@H1rono (Member)

H1rono commented Apr 16, 2023

Endpoints that Casbin is likely to be involved with, and the corresponding source locations:

POST /items

booQ/router/items.go

Lines 71 to 74 in c56f2b4

// item.Type=0 ⇒ personal, 1 ⇒ owned by traP, 2 ⇒ support office
if item.Type != model.PersonalItem && !user.Admin {
	return c.NoContent(http.StatusForbidden)
}

PUT /items/:id

booQ/router/items.go

Lines 116 to 119 in c56f2b4

err = model.CheckOwnsOrAdmin(&user, &item)
if err != nil {
	return c.JSON(http.StatusForbidden, err)
}

booQ/router/items.go

Lines 121 to 124 in c56f2b4

item, err = model.UpdateItem(&item, &body, user.Admin)
if err != nil {
	return c.JSON(http.StatusBadRequest, err)
}

DELETE /items/:id

booQ/router/items.go

Lines 137 to 139 in c56f2b4

if !user.Admin {
	return c.NoContent(http.StatusForbidden)
}

POST /items/:id/owners

booQ/router/items.go

Lines 168 to 171 in c56f2b4

err = model.CheckTargetedOrAdmin(me, user)
if err != nil {
	return c.JSON(http.StatusForbidden, err)
}

booQ/router/items.go

Lines 176 to 178 in c56f2b4

if body.UserID > 2 && item.Type > model.PersonalItem {
	return c.NoContent(http.StatusForbidden)
}

booQ/router/items.go

Lines 185 to 188 in c56f2b4

// item.Type=0 ⇒ personal, 1 ⇒ owned by traP (id:1), 2 ⇒ support office (id:2)
if item.Type != model.PersonalItem && !me.Admin {
	return c.NoContent(http.StatusForbidden)
}

PUT /items/:id/owners

booQ/router/items.go

Lines 222 to 225 in c56f2b4

err = model.CheckTargetedOrAdmin(me, user)
if err != nil {
	return c.JSON(http.StatusForbidden, err)
}

booQ/router/items.go

Lines 230 to 232 in c56f2b4

if body.UserID > 2 && item.Type > model.PersonalItem {
	return c.NoContent(http.StatusForbidden)
}

booQ/router/items.go

Lines 239 to 242 in c56f2b4

// item.Type=0 ⇒ personal, 1 ⇒ owned by traP (id:1), 2 ⇒ support office (id:2)
if item.Type != model.PersonalItem && !me.Admin {
	return c.NoContent(http.StatusForbidden)
}

POST /items/:id/logs

booQ/router/logs.go

Lines 41 to 49 in c56f2b4

for _, owner := range item.Owners {
	if owner.UserID == body.OwnerID {
		if !owner.Rentalable {
			return c.NoContent(http.StatusForbidden)
		}
		itemCount = owner.Count
		exist = true
	}
}

PUT /users

booQ/router/users.go

Lines 38 to 54 in c56f2b4

user := c.Get("user").(model.User)
prevUser, err := model.GetUserByName(req.Name)
if err != nil {
	return c.JSON(http.StatusForbidden, err)
}
if !user.Admin {
	return c.NoContent(http.StatusForbidden)
}
if req.Admin == prevUser.Admin {
	return c.NoContent(http.StatusBadRequest)
}
prevUser.Admin = req.Admin
res, err := model.UpdateUser(prevUser)
if err != nil {
	return c.JSON(http.StatusNotFound, err)
}
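As an added example (not booQ's code) of the consolidation this issue is after: one Go authorization function that collects the checks quoted above, wrapped in a net/http middleware so the handlers no longer carry them. The model types, the action names and the meaning of CheckTargetedOrAdmin (the target is yourself, or you are an admin) are assumptions; CheckOwnsOrAdmin and the Rentalable check are left out.

```go
package main

import (
	"errors"
	"net/http"
)

// Constructed stand-ins for booQ's model package (an assumption, not its code).
// item.Type: 0 = personal, 1 = owned by traP (user id 1), 2 = support office (user id 2).
type ItemType int

const PersonalItem ItemType = 0

type User struct {
	ID    uint
	Admin bool
}

var ErrForbidden = errors.New("forbidden")

// Authorize is the single decision point the issue asks for: each per-handler
// check quoted above appears here exactly once. target is the owner user id for
// the owner:* actions and is ignored otherwise. CheckTargetedOrAdmin is assumed
// to mean "the target is yourself, or you are an admin".
func Authorize(action string, me User, itemType ItemType, target uint) error {
	switch action {
	case "item:create": // POST /items
		if itemType != PersonalItem && !me.Admin {
			return ErrForbidden
		}
	case "item:delete", "user:set-admin": // DELETE /items/:id, PUT /users
		if !me.Admin {
			return ErrForbidden
		}
	case "owner:add", "owner:update": // POST and PUT /items/:id/owners
		if (target != me.ID && !me.Admin) || (target > 2 && itemType > PersonalItem) ||
			(itemType != PersonalItem && !me.Admin) {
			return ErrForbidden
		}
	}
	return nil
}

// Middleware keeps the handlers free of checks: extract maps a request to the
// policy inputs, and a rejected request never reaches next.
func Middleware(extract func(*http.Request) (string, User, ItemType, uint), next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if err := Authorize(extract(r)); err != nil {
			http.Error(w, err.Error(), http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}
```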

@H1rono H1rono linked a pull request Apr 20, 2023 that will close this issue