feat: middleware allow actions from authenticated accounts only (#4179)

inovex · Jun 3, 2024 · b2d729c · b2d729c
1 parent b012ba7
commit b2d729c
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 8 deletions.
diff --git a/server/src/api/context.go b/server/src/api/context.go
@@ -1,14 +1,15 @@
 package api
 
 import (
-	"context"
-	"errors"
-	"github.com/go-chi/chi/v5"
-	"github.com/google/uuid"
-	"net/http"
-	"scrumlr.io/server/common"
-	"scrumlr.io/server/identifiers"
-	"scrumlr.io/server/logger"
+  "context"
+  "errors"
+  "github.com/go-chi/chi/v5"
+  "github.com/google/uuid"
+  "net/http"
+  "scrumlr.io/server/common"
+  "scrumlr.io/server/database/types"
+  "scrumlr.io/server/identifiers"
+  "scrumlr.io/server/logger"
 )
 
 func (s *Server) BoardCandidateContext(next http.Handler) http.Handler {
@@ -140,6 +141,37 @@ func (s *Server) BoardEditableContext(next http.Handler) http.Handler {
 	})
 }
 
+func (s *Server) BoardAuthenticatedContext(next http.Handler) http.Handler {
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		log := logger.FromRequest(r)
+
+		boardParam := chi.URLParam(r, "id")
+		board, err := uuid.Parse(boardParam)
+		if err != nil {
+			common.Throw(w, r, common.BadRequestError(errors.New("invalid board id")))
+			return
+		}
+		userID := r.Context().Value(identifiers.UserIdentifier).(uuid.UUID)
+
+		user, err := s.users.Get(r.Context(), userID)
+
+		if err != nil {
+			log.Errorw("Could not fetch user", "error", err)
+			common.Throw(w, r, errors.New("could not fetch user"))
+			return
+		}
+
+		if user.AccountType == types.AccountTypeAnonymous {
+			log.Errorw("Not authorized to perform this action", "accountType", user.AccountType)
+			common.Throw(w, r, common.ForbiddenError(errors.New("not authorized")))
+			return
+		}
+
+		boardContext := context.WithValue(r.Context(), identifiers.BoardIdentifier, board)
+		next.ServeHTTP(w, r.WithContext(boardContext))
+	})
+}
+
 func (s *Server) ColumnContext(next http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		columnParam := chi.URLParam(r, "column")

diff --git a/server/src/common/dto/users.go b/server/src/common/dto/users.go
@@ -18,12 +18,16 @@ type User struct {
 
 	// The user's avatar configuration
 	Avatar *types.Avatar `json:"avatar,omitempty"`
+
+	// The user's account type configuration
+	AccountType types.AccountType `json:"accountType"`
 }
 
 func (u *User) From(user database.User) *User {
 	u.ID = user.ID
 	u.Name = user.Name
 	u.Avatar = user.Avatar
+	u.AccountType = user.AccountType
 	return u
 }