[server][api] Add scope check for profile update and shared routes

This commit is contained in:
Abhishek Shroff
2025-07-12 09:50:51 +05:30
parent 34278d1bc6
commit 07b380daf5
3 changed files with 13 additions and 7 deletions


@@ -33,7 +33,7 @@ func handleBootstrapRoute(c *gin.Context) {
}
func Bootstrap(ctx context.Context, auth auth.Auth, since int64) (responses.Bootstrap, error) {
if !auth.HasScope("bookmarks:list") || !auth.HasScope("users:read") || !auth.HasScope("profile:read") {
if !auth.HasScope("bookmarks:list") || !auth.HasScope("users:list") || !auth.HasScope("profile:read") {
return responses.Bootstrap{}, core.ErrInsufficientScope
}
if bookmarks, err := ListBookmarks(ctx, auth.UserID(), since); err != nil {
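Review bot: The parameter `auth auth.Auth` in the Bootstrap signature shadows the imported `auth` package for the whole function body, so nothing else from that package can be referenced inside it and a reader has to work out which `auth` the `HasScope` calls refer to. Renaming the parameter, e.g. `func Bootstrap(ctx context.Context, a auth.Auth, since int64) (responses.Bootstrap, error)`, removes the ambiguity without affecting callers. The users:read to users:list correction in this hunk also shows the scope names are hand-typed string literals at each call site; declaring them once as constants such as `const ScopeUsersList = "users:list"` would let the compiler catch the next such drift instead of a reviewer. Bootstrap's body continues outside the hunk.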


@@ -8,20 +8,23 @@ import (
"github.com/gin-gonic/gin"
)
type detailsParams struct {
type profileUpdateParams struct {
Name string `json:"name" form:"name"`
}
func handleDetailsUpdateRoute(c *gin.Context) {
var params detailsParams
func handleProfileUpdateRoute(c *gin.Context) {
var params profileUpdateParams
err := c.Bind(&params)
if err != nil {
panic(err)
}
auth := authenticator.GetAuth(c)
var user core.User
if !auth.HasScope("profile:update") {
panic(core.ErrInsufficientScope)
}
var user core.User
err = db.Get(c.Request.Context()).RunInTx(func(db db.TxHandler) error {
if params.Name != "" {
if user, err = core.UpdateUserName(db, auth.UserID(), params.Name); err != nil {
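Review bot: The `profile:update` scope check is placed after `c.Bind(&params)` has already parsed the request body, so a caller without the scope can still exercise the body-decoding path and its `panic(err)` branch before being rejected; authorization should be decided before any input is processed. Move `auth := authenticator.GetAuth(c)` together with the three-line `HasScope` guard above `err := c.Bind(&params)`, so an insufficient scope is the first thing the handler rejects. Separately, the only validation of `params.Name` visible here is the non-empty test; if core.UpdateUserName does not bound its length, an upper limit at this boundary would be worth adding — confirm against that function. handleProfileUpdateRoute's body continues outside the hunk.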


@@ -14,14 +14,17 @@ type sharedResponse struct {
func SetupRoutes(r *gin.RouterGroup) {
group := r.Group("/my")
group.GET("/shared", handleSharedRoute)
group.GET("/bootstrap", handleBootstrapRoute)
group.POST("/details", handleDetailsUpdateRoute)
group.GET("/shared", handleSharedRoute)
group.POST("/profile", handleProfileUpdateRoute)
setupBookmarksRoutes(group)
}
func handleSharedRoute(c *gin.Context) {
auth := authenticator.GetAuth(c)
if !auth.HasScope("shared:list") {
panic(core.ErrInsufficientPermissions)
}
shared, err := core.SharedResources(db.Get(c.Request.Context()), auth.UserID())
if err != nil {
panic(err)
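Review bot: The new guard in handleSharedRoute panics with `core.ErrInsufficientPermissions`, while the scope checks this same commit adds or touches elsewhere (Bootstrap, handleProfileUpdateRoute) use `core.ErrInsufficientScope`; if the recovery layer maps the two errors to different responses, a missing scope would be reported differently on `/my/shared` than on the other routes. Unless that distinction is intentional, use `panic(core.ErrInsufficientScope)` here so all scope failures surface the same way. handleSharedRoute's body continues outside the hunk.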