mirror of
https://github.com/netbirdio/netbird.git
synced 2024-11-29 11:33:48 +01:00
change order for access control checks and aquire account lock after global lock
This commit is contained in:
parent
32c96c15b8
commit
110067c00f
@ -1126,7 +1126,6 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
|
|||||||
// MarkPATUsed marks a personal access token as used
|
// MarkPATUsed marks a personal access token as used
|
||||||
func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
|
func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
|
||||||
unlock := am.Store.AcquireGlobalLock()
|
unlock := am.Store.AcquireGlobalLock()
|
||||||
defer unlock()
|
|
||||||
|
|
||||||
user, err := am.Store.GetUserByTokenID(tokenID)
|
user, err := am.Store.GetUserByTokenID(tokenID)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
@ -1138,6 +1137,15 @@ func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
|
|||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
|
unlock()
|
||||||
|
unlock = am.Store.AcquireAccountLock(account.Id)
|
||||||
|
defer unlock()
|
||||||
|
|
||||||
|
account, err = am.Store.GetAccountByUser(user.Id)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
|
||||||
pat, ok := account.Users[user.Id].PATs[tokenID]
|
pat, ok := account.Users[user.Id].PATs[tokenID]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("token not found")
|
return fmt.Errorf("token not found")
|
||||||
|
@ -37,19 +37,7 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
|
|||||||
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
||||||
claims := a.claimsExtract.FromRequestContext(r)
|
claims := a.claimsExtract.FromRequestContext(r)
|
||||||
|
|
||||||
ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
|
ok, err := a.isUserAdmin(claims)
|
||||||
if err != nil {
|
|
||||||
log.Debugf("Regex failed")
|
|
||||||
util.WriteError(status.Errorf(status.Internal, ""), w)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
if ok {
|
|
||||||
log.Debugf("Valid Path")
|
|
||||||
h.ServeHTTP(w, r)
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
||||||
ok, err = a.isUserAdmin(claims)
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
|
util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
|
||||||
return
|
return
|
||||||
@ -57,6 +45,19 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
|
|||||||
if !ok {
|
if !ok {
|
||||||
switch r.Method {
|
switch r.Method {
|
||||||
case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
|
case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
|
||||||
|
|
||||||
|
ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
|
||||||
|
if err != nil {
|
||||||
|
log.Debugf("Regex failed")
|
||||||
|
util.WriteError(status.Errorf(status.Internal, ""), w)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
if ok {
|
||||||
|
log.Debugf("Valid Path")
|
||||||
|
h.ServeHTTP(w, r)
|
||||||
|
return
|
||||||
|
}
|
||||||
|
|
||||||
util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
|
util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
|
Loading…
Reference in New Issue
Block a user