fix(models): validate API token permissions against v1+v2 route union
PermissionsAreValid only consulted apiTokenRoutes, so a v2-only resource (no v1 counterpart) could never be granted as a token scope even though CanDoAPIRoute already authorizes against both tables. Validate against the union so the v1+v2 authorization and validation paths agree.
parent
8532016a2d
commit
43e910025a
@ -422,15 +422,20 @@ func CanDoAPIRoute(c *echo.Context, token *APIToken) (can bool) {
|
|||
func PermissionsAreValid(permissions APIPermissions) (err error) {
|
||||
|
||||
for key, methods := range permissions {
|
||||
routes, has := apiTokenRoutes[key]
|
||||
if !has {
|
||||
// A permission is valid if the group exists in either table. v2-only
|
||||
// resources (no v1 counterpart) live solely in apiTokenRoutesV2, so
|
||||
// validating against the union lets tokens grant them. CanDoAPIRoute
|
||||
// already consults both tables when authorising.
|
||||
v1Routes := apiTokenRoutes[key]
|
||||
v2Routes := apiTokenRoutesV2[key]
|
||||
if v1Routes == nil && v2Routes == nil {
|
||||
return &ErrInvalidAPITokenPermission{
|
||||
Group: key,
|
||||
}
|
||||
}
|
||||
|
||||
for _, method := range methods {
|
||||
if routes[method] == nil {
|
||||
if v1Routes[method] == nil && v2Routes[method] == nil {
|
||||
return &ErrInvalidAPITokenPermission{
|
||||
Group: key,
|
||||
Permission: method,
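Review bot: The rule that decides whether a group/method pair is grantable now lives in two places — the `v1Routes`/`v2Routes` lookups here and, per the description, the matching check in CanDoAPIRoute — which is the same duplication that let validation and authorization drift apart before this fix. A single helper that both paths call, one answering whether `key`/`method` is present in either table, would keep the set of grantable scopes to one definition; the route-map types are not visible in the hunk, so the exact signature is left to the author. Dropping the `has` form also turns the group check into a nil-value test, which matches the old behaviour only if neither table stores a nil value under an existing key; if that holds, say so next to the lookups, e.g. `// nil means absent: neither table stores a nil entry for a known group`. A regression test with a v2-only group, and one with a method present in only one of the two tables, would pin the union semantics this change introduces. PermissionsAreValid continues outside the hunk.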
|
||||