Allow auth without access to secrets (and then just don't access secrets)
parent
662c924321
commit
bde385ba6b
|
@ -80,7 +80,7 @@ void Session::received(boost::system::error_code ec, size_t bytesTransferred)
|
|||
// find route's controller and invoke it
|
||||
if (const auto routing(router.find(RouteId{ method, std::string(path) })); routing != router.cend()) {
|
||||
const Route &route = routing->second;
|
||||
const auto requiredPermissions = route.permissions;
|
||||
auto requiredPermissions = route.permissions;
|
||||
if (requiredPermissions != UserPermissions::None && requiredPermissions != UserPermissions::DefaultPermissions) {
|
||||
const auto authInfo = request.find(boost::beast::http::field::authorization);
|
||||
if (authInfo == request.end()) {
|
||||
|
@ -95,6 +95,10 @@ void Session::received(boost::system::error_code ec, size_t bytesTransferred)
|
|||
respond(Render::makeAuthRequired(request));
|
||||
return;
|
||||
}
|
||||
if (!(userAuth.permissions & UserPermissions::AccessSecrets)) {
|
||||
// accessing secrets is rather options; just don't access them if user lacks permissions
|
||||
requiredPermissions -= UserPermissions::AccessSecrets;
|
||||
}
|
||||
if (!checkFlagEnum(userAuth.permissions, requiredPermissions)) {
|
||||
respond(Render::makeForbidden(request));
|
||||
return;
|
||||
|
|
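Review bot: Stripping `AccessSecrets` from `requiredPermissions` in `Session::received` applies to every route, so the check fails open. Any route that lists the flag now passes `checkFlagEnum` for an authenticated user who lacks it, including routes where secret access may be the whole point rather than optional. Nothing in the visible lines hands the reduced permission set to the controller, so the promise "just don't access them" holds only if each controller re-checks `userAuth.permissions` itself; the rest of the function is outside the hunk, so this needs confirming there. I would make the relaxation opt-in per route (a separate optional-permissions field on `Route`) instead of a blanket `-=`. At minimum, state the contract in the comment, which also has a typo ("options"): `// AccessSecrets is optional for this route; the controller must check userAuth.permissions before reading any secret`.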