Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Authorize contributors to view and patch draft documents #98

Merged
merged 1 commit into from
Mar 22, 2023
Merged

Authorize contributors to view and patch draft documents #98

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
23 changes: 20 additions & 3 deletions internal/api/drafts.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -483,11 +483,20 @@ func DraftsDocumentHandler(
return
}

// Authorize request (only the owner can access a document draft).
// Authorize request (only allow owners or contributors to get past this
// point in the handler). We further authorize some methods later that
// require owner access only.
userEmail := r.Context().Value("userEmail").(string)
if docObj.GetOwners()[0] != userEmail {
var isOwner, isContributor bool
if docObj.GetOwners()[0] == userEmail {
isOwner = true
}
if contains(docObj.GetContributors(), userEmail) {
isContributor = true
}
if !isOwner && !isContributor {
http.Error(w,
`{"error": "Not a document owner"}`,
`{"error": "Only owners or contributors can access a draft document"}`,
http.StatusUnauthorized)
return
}
Expand Down Expand Up @@ -540,6 +549,14 @@ func DraftsDocumentHandler(
l.Info("retrieved document draft", "doc_id", docId)

case "DELETE":
// Authorize request.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, I thought this would already be in place for deleting documents. 😄

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We were! 🙂 We were only authorizing draft owners for all methods before this PR, and now with this PR we authorize owners+contributors for all methods, and this is extra authorization to only allow owners to delete drafts.

if !isOwner {
http.Error(w,
`{"error": "Only owners can delete a draft document"}`,
http.StatusUnauthorized)
return
}

// Delete document
err = s.DeleteFile(docId)
if err != nil {
Expand Down