change order for access control checks and aquire account lock after global lock

2024-11-25 17:43:38 +01:00 · 2023-03-31 12:03:53 +02:00 · 2023-03-31 12:03:53 +02:00 · 110067c00f
commit 110067c00f
parent 32c96c15b8
2 changed files with 23 additions and 14 deletions
--- a/management/server/account.go
+++ b/management/server/account.go
@ -1126,7 +1126,6 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 // MarkPATUsed marks a personal access token as used
 func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 	unlock := am.Store.AcquireGlobalLock()
-	defer unlock()

 	user, err := am.Store.GetUserByTokenID(tokenID)
 	if err != nil {
@ -1138,6 +1137,15 @@ func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 		return err
 	}

+	unlock()
+	unlock = am.Store.AcquireAccountLock(account.Id)
+	defer unlock()
+
+	account, err = am.Store.GetAccountByUser(user.Id)
+	if err != nil {
+		return err
+	}
+
 	pat, ok := account.Users[user.Id].PATs[tokenID]
 	if !ok {
 		return fmt.Errorf("token not found")
--- a/management/server/http/middleware/access_control.go
+++ b/management/server/http/middleware/access_control.go
@ -37,19 +37,7 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		claims := a.claimsExtract.FromRequestContext(r)

-		ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
-		if err != nil {
-			log.Debugf("Regex failed")
-			util.WriteError(status.Errorf(status.Internal, ""), w)
-			return
-		}
-		if ok {
-			log.Debugf("Valid Path")
-			h.ServeHTTP(w, r)
-			return
-		}
-
-		ok, err = a.isUserAdmin(claims)
+		ok, err := a.isUserAdmin(claims)
 		if err != nil {
 			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
 			return
@ -57,6 +45,19 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 		if !ok {
 			switch r.Method {
 			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
+
+				ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
+				if err != nil {
+					log.Debugf("Regex failed")
+					util.WriteError(status.Errorf(status.Internal, ""), w)
+					return
+				}
+				if ok {
+					log.Debugf("Valid Path")
+					h.ServeHTTP(w, r)
+					return
+				}
+
 				util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
 				return
 			}