Allow auth without access to secrets (and then just don't access secrets)

Martchus 2022-07-29 22:07:24 +02:00
parent 662c924321
commit bde385ba6b
1 changed files with 5 additions and 1 deletions


@ -80,7 +80,7 @@ void Session::received(boost::system::error_code ec, size_t bytesTransferred)
// find route's controller and invoke it
if (const auto routing(router.find(RouteId{ method, std::string(path) })); routing != router.cend()) {
const Route &route = routing->second;
const auto requiredPermissions = route.permissions;
auto requiredPermissions = route.permissions;
if (requiredPermissions != UserPermissions::None && requiredPermissions != UserPermissions::DefaultPermissions) {
const auto authInfo = request.find(boost::beast::http::field::authorization);
if (authInfo == request.end()) {
@ -95,6 +95,10 @@ void Session::received(boost::system::error_code ec, size_t bytesTransferred)
respond(Render::makeAuthRequired(request));
return;
}
if (!(userAuth.permissions & UserPermissions::AccessSecrets)) {
// accessing secrets is rather options; just don't access them if user lacks permissions
requiredPermissions -= UserPermissions::AccessSecrets;
}
if (!checkFlagEnum(userAuth.permissions, requiredPermissions)) {
respond(Render::makeForbidden(request));
return;
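Review bot: Stripping `AccessSecrets` from `requiredPermissions` before the `checkFlagEnum` call means this gate no longer enforces that permission for any route, so every controller on a route that declares it must now test `userAuth.permissions` itself before touching secrets; nothing in the visible lines shows that this happens or that the reduced permissions reach the controller. A route whose only requirement is `AccessSecrets` would presumably be left with an empty requirement and accept any authenticated user. Consider making the relaxation opt-in per route rather than global, and at minimum state the contract in the comment, e.g. `// AccessSecrets is optional here: controllers must check userAuth.permissions before reading secrets` (the current comment's "options" should read "optional"). `Session::received` begins and ends outside the hunks shown.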