feat: [#615] added authorization layer for get public settings method…

… of the settings service
torrust · Aug 3, 2024 · 2880f7c · 2880f7c
1 parent 530f37a
commit 2880f7c
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 7 deletions.
diff --git a/src/services/authorization.rs b/src/services/authorization.rs
@@ -44,6 +44,7 @@ pub enum ACTION {
     GetAboutPage,
     GetLicensePage,
     GetImageByUrl,
+    GetPublicSettings,
 }
 
 pub struct Service {
@@ -174,18 +175,20 @@ impl CasbinConfiguration {
                 "
                 admin, AddCategory
                 admin, DeleteCategory
-                admin, GetSettings
+                admin, GetPublicSettings
                 admin, GetSettingsSecret
                 admin, AddTag
                 admin, DeleteTag
                 admin, DeleteTorrent
                 admin, BanUser
                 admin, GetImageByUrl
                 registered, GetImageByUrl
+                registered, GetPublicSettings
                 guest, GetCategories
                 guest, GetTags
                 guest, GetAboutPage
                 guest, GetLicensePage
+                guest, GetPublicSettings
                 ",
             ),
         }

diff --git a/src/services/settings.rs b/src/services/settings.rs
@@ -62,9 +62,13 @@ impl Service {
     /// # Errors
     ///
     /// It returns an error if the user does not have the required permissions.
-    pub async fn get_public(&self) -> ConfigurationPublic {
+    pub async fn get_public(&self, opt_user_id: Option<UserId>) -> Result<ConfigurationPublic, ServiceError> {
+        self.authorization_service
+            .authorize(ACTION::GetPublicSettings, opt_user_id)
+            .await?;
+
         let settings_lock = self.configuration.get_all().await;
-        extract_public_settings(&settings_lock)
+        Ok(extract_public_settings(&settings_lock))
     }
 
     /// It gets the site name from the settings.

diff --git a/src/web/api/server/v1/contexts/settings/handlers.rs b/src/web/api/server/v1/contexts/settings/handlers.rs
@@ -6,6 +6,7 @@ use axum::extract::State;
 use axum::response::{IntoResponse, Json, Response};
 
 use crate::common::AppData;
+use crate::web::api::server::v1::extractors::optional_user_id::ExtractOptionalLoggedInUser;
 use crate::web::api::server::v1::extractors::user_id::ExtractLoggedInUser;
 use crate::web::api::server::v1::responses;
 
@@ -30,10 +31,14 @@ pub async fn get_all_handler(
 
 /// Get public Settings.
 #[allow(clippy::unused_async)]
-pub async fn get_public_handler(State(app_data): State<Arc<AppData>>) -> Response {
-    let public_settings = app_data.settings_service.get_public().await;
-
-    Json(responses::OkResponseData { data: public_settings }).into_response()
+pub async fn get_public_handler(
+    State(app_data): State<Arc<AppData>>,
+    ExtractOptionalLoggedInUser(opt_user_id): ExtractOptionalLoggedInUser,
+) -> Response {
+    match app_data.settings_service.get_public(opt_user_id).await {
+        Ok(public_settings) => Json(responses::OkResponseData { data: public_settings }).into_response(),
+        Err(error) => error.into_response(),
+    }
 }
 
 /// Get website name.