From 110067c00fc4c2a81dce37911ec081d4fa54dcf8 Mon Sep 17 00:00:00 2001
From: Pascal Fischer
Date: Fri, 31 Mar 2023 12:03:53 +0200
Subject: [PATCH] change order for access control checks and aquire account lock after global lock
---
 management/server/account.go | 10 ++++++-
 .../server/http/middleware/access_control.go | 27 ++++++++++---------
 2 files changed, 23 insertions(+), 14 deletions(-)
diff --git a/management/server/account.go b/management/server/account.go
index 27bf5606e..78c9237b8 100644
--- a/management/server/account.go
+++ b/management/server/account.go
@@ -1126,7 +1126,6 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
 // MarkPATUsed marks a personal access token as used
 func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 	unlock := am.Store.AcquireGlobalLock()
-	defer unlock()
 
 	user, err := am.Store.GetUserByTokenID(tokenID)
 	if err != nil {
@@ -1138,6 +1137,15 @@ func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
 		return err
 	}
 
+	unlock()
+	unlock = am.Store.AcquireAccountLock(account.Id)
+	defer unlock()
+
+	account, err = am.Store.GetAccountByUser(user.Id)
+	if err != nil {
+		return err
+	}
+
 	pat, ok := account.Users[user.Id].PATs[tokenID]
 	if !ok {
 		return fmt.Errorf("token not found")
diff --git a/management/server/http/middleware/access_control.go b/management/server/http/middleware/access_control.go
index f1ab898a8..5f8389dfa 100644
--- a/management/server/http/middleware/access_control.go
+++ b/management/server/http/middleware/access_control.go
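Review bot: Removing `defer unlock()` in the first hunk leaves the global lock held on every error return that runs before the explicit `unlock()` in the second hunk — the `return err` at the top of the second hunk, and presumably the `GetUserByTokenID` error return hidden between the hunks, now exit without releasing it, so a single failed lookup leaves the global lock held for every later caller of `AcquireGlobalLock`. Because `unlock` is reassigned to the account lock later, a closure that calls whatever it currently holds covers both phases: replace the removed line with `defer func() { unlock() }()` and drop the `+	defer unlock()` added in the second hunk, leaving `unlock()` and `unlock = am.Store.AcquireAccountLock(account.Id)` as they are. Re-fetching the account after taking the account lock is the right move, since the copy read under the global lock may be stale by then. MarkPATUsed continues past the end of the second hunk.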
@@ -37,19 +37,7 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
 		claims := a.claimsExtract.FromRequestContext(r)
 
-		ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
-		if err != nil {
-			log.Debugf("Regex failed")
-			util.WriteError(status.Errorf(status.Internal, ""), w)
-			return
-		}
-		if ok {
-			log.Debugf("Valid Path")
-			h.ServeHTTP(w, r)
-			return
-		}
-
-		ok, err = a.isUserAdmin(claims)
+		ok, err := a.isUserAdmin(claims)
 		if err != nil {
 			util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
 			return
@@ -57,6 +45,19 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
 		if !ok {
 			switch r.Method {
 			case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
+
+				ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
+				if err != nil {
+					log.Debugf("Regex failed")
+					util.WriteError(status.Errorf(status.Internal, ""), w)
+					return
+				}
+				if ok {
+					log.Debugf("Valid Path")
+					h.ServeHTTP(w, r)
+					return
+				}
+
 				util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
 				return
 			}
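Review bot: The non-admin write exemption in the second hunk still uses `regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)`, which recompiles the pattern on every such request and, because of the unanchored `.*` segments, exempts any path that merely contains `/api/users/` somewhere before `/tokens`, not only the token endpoints. Compiling once at package scope and anchoring to the concrete route shape keeps the allowlist narrow, e.g. `var userTokensPath = regexp.MustCompile(`^/api/users/[^/]+/tokens(/[^/]+)?$`)` and `if userTokensPath.MatchString(r.URL.Path) {`, which also removes the `err` branch and the `status.Internal` response. The exact pattern should be checked against the routes the tokens handler registers, which are not visible here. The inner `ok, err :=` also shadows the `ok, err` declared in the first hunk; a distinct name such as `isTokensPath` avoids the shadow. Handler's body continues past the end of the hunk.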