fix(models): validate API token permissions against v1+v2 route union

PermissionsAreValid only consulted apiTokenRoutes, so a v2-only resource
(no v1 counterpart) could never be granted as a token scope even though
CanDoAPIRoute already authorises against both tables. Validate against
the union so the v1+v2 authorization and validation paths agree.
kolaente 2026-05-30 22:55:09 +02:00 committed by kolaente
parent 8532016a2d
commit 43e910025a
1 changed files with 8 additions and 3 deletions


@ -422,15 +422,20 @@ func CanDoAPIRoute(c *echo.Context, token *APIToken) (can bool) {
func PermissionsAreValid(permissions APIPermissions) (err error) {
for key, methods := range permissions {
routes, has := apiTokenRoutes[key]
if !has {
// A permission is valid if the group exists in either table. v2-only
// resources (no v1 counterpart) live solely in apiTokenRoutesV2, so
// validating against the union lets tokens grant them. CanDoAPIRoute
// already consults both tables when authorising.
v1Routes := apiTokenRoutes[key]
v2Routes := apiTokenRoutesV2[key]
if v1Routes == nil && v2Routes == nil {
return &ErrInvalidAPITokenPermission{
Group: key,
}
}
for _, method := range methods {
if routes[method] == nil {
if v1Routes[method] == nil && v2Routes[method] == nil {
return &ErrInvalidAPITokenPermission{
Group: key,
Permission: method,