change order for access control checks and aquire account lock after global lock

This commit is contained in:
Pascal Fischer 2023-03-31 12:03:53 +02:00
parent 32c96c15b8
commit 110067c00f
2 changed files with 23 additions and 14 deletions

View File

@ -1126,7 +1126,6 @@ func (am *DefaultAccountManager) redeemInvite(account *Account, userID string) e
// MarkPATUsed marks a personal access token as used // MarkPATUsed marks a personal access token as used
func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error { func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
unlock := am.Store.AcquireGlobalLock() unlock := am.Store.AcquireGlobalLock()
defer unlock()
user, err := am.Store.GetUserByTokenID(tokenID) user, err := am.Store.GetUserByTokenID(tokenID)
if err != nil { if err != nil {
@ -1138,6 +1137,15 @@ func (am *DefaultAccountManager) MarkPATUsed(tokenID string) error {
return err return err
} }
unlock()
unlock = am.Store.AcquireAccountLock(account.Id)
defer unlock()
account, err = am.Store.GetAccountByUser(user.Id)
if err != nil {
return err
}
pat, ok := account.Users[user.Id].PATs[tokenID] pat, ok := account.Users[user.Id].PATs[tokenID]
if !ok { if !ok {
return fmt.Errorf("token not found") return fmt.Errorf("token not found")

View File

@ -37,19 +37,7 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
claims := a.claimsExtract.FromRequestContext(r) claims := a.claimsExtract.FromRequestContext(r)
ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path) ok, err := a.isUserAdmin(claims)
if err != nil {
log.Debugf("Regex failed")
util.WriteError(status.Errorf(status.Internal, ""), w)
return
}
if ok {
log.Debugf("Valid Path")
h.ServeHTTP(w, r)
return
}
ok, err = a.isUserAdmin(claims)
if err != nil { if err != nil {
util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w) util.WriteError(status.Errorf(status.Unauthorized, "invalid JWT"), w)
return return
@ -57,6 +45,19 @@ func (a *AccessControl) Handler(h http.Handler) http.Handler {
if !ok { if !ok {
switch r.Method { switch r.Method {
case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut: case http.MethodDelete, http.MethodPost, http.MethodPatch, http.MethodPut:
ok, err := regexp.MatchString(`^.*/api/users/.*/tokens.*$`, r.URL.Path)
if err != nil {
log.Debugf("Regex failed")
util.WriteError(status.Errorf(status.Internal, ""), w)
return
}
if ok {
log.Debugf("Valid Path")
h.ServeHTTP(w, r)
return
}
util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w) util.WriteError(status.Errorf(status.PermissionDenied, "only admin can perform this operation"), w)
return return
} }