Add domain ownership test to PURL save endpoint
fabiante committed Sep 24, 2023
1 parent adc4abf commit 0f930df
Showing 2 changed files with 13 additions and 1 deletion.
7 changes: 7 additions & 0 deletions api/err.go
@@ -1,10 +1,17 @@
package api

import (
"errors"

"github.com/fabiante/persurl/api/res"
"github.com/gin-gonic/gin"
)

var (
ErrForbidden = errors.New("you are not allowed to do this")
)

// respondWithError responds with an error and aborts the request.
func respondWithError(ctx *gin.Context, status int, err error) {
response := res.ErrorList{
Errors: []res.Error{
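Review bot: The exported `ErrForbidden` added in the new `var (...)` block has no doc comment, which Go tooling expects on every exported name; add `// ErrForbidden is the error reported when the authenticated user is not permitted to act on the requested resource.` directly above it. A single-entry grouped `var (...)` block is fine if more sentinel errors are planned, otherwise a plain `var ErrForbidden = errors.New(...)` reads simpler. The respondWithError function at the end of this hunk continues beyond what is shown.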
7 changes: 6 additions & 1 deletion api/server_admin.go
Expand Up @@ -30,7 +30,12 @@ func (s *Server) SavePURL(ctx *gin.Context) {
return
}

// todo: check user authorization on this url
// check authorization
user := getAuthenticatedUser(ctx)
if domain.OwnerID != user.ID {
respondWithError(ctx, http.StatusForbidden, ErrForbidden)
return
}

err = s.admin.SavePURL(domain, name, req.Target)
switch {
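Review bot: The new ownership check reads `user.ID` immediately after `user := getAuthenticatedUser(ctx)` without confirming a user was resolved; if getAuthenticatedUser can return nil (its definition is outside this hunk), an unauthenticated request panics at the comparison instead of receiving a 401, and if it returns a zero-value user, a domain whose OwnerID is also the zero value would pass the check. Guard the lookup before comparing, e.g. `if user == nil { respondWithError(ctx, http.StatusUnauthorized, <UNAUTHENTICATED_SENTINEL>); return }` with a sentinel error of the project's choosing, or, if an upstream middleware already aborts unauthenticated requests, add a comment naming it so the assumption is visible here. It is also worth checking that the zero value of OwnerID can never match a real user ID. SavePURL begins and ends outside this hunk.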
