From 07b380daf55e132cd3d94ad8a477ed13b604a867 Mon Sep 17 00:00:00 2001
From: Abhishek Shroff
Date: Sat, 12 Jul 2025 09:50:51 +0530
Subject: [PATCH] [server][api] Add scope check for profile update and shared routes

---
 server/internal/api/v1/my/bootstrap.go | 2 +-
 server/internal/api/v1/my/{details.go => profile.go} | 11 +++++++----
 server/internal/api/v1/my/routes.go | 7 +++++--
 3 files changed, 13 insertions(+), 7 deletions(-)
 rename server/internal/api/v1/my/{details.go => profile.go} (80%)

diff --git a/server/internal/api/v1/my/bootstrap.go b/server/internal/api/v1/my/bootstrap.go
index 307211c8..7e32ce78 100644
--- a/server/internal/api/v1/my/bootstrap.go
+++ b/server/internal/api/v1/my/bootstrap.go
@@ -33,7 +33,7 @@ func handleBootstrapRoute(c *gin.Context) {
 }
 
 func Bootstrap(ctx context.Context, auth auth.Auth, since int64) (responses.Bootstrap, error) {
-	if !auth.HasScope("bookmarks:list") || !auth.HasScope("users:read") || !auth.HasScope("profile:read") {
+	if !auth.HasScope("bookmarks:list") || !auth.HasScope("users:list") || !auth.HasScope("profile:read") {
 		return responses.Bootstrap{}, core.ErrInsufficientScope
 	}
 	if bookmarks, err := ListBookmarks(ctx, auth.UserID(), since); err != nil {
diff --git a/server/internal/api/v1/my/details.go b/server/internal/api/v1/my/profile.go
similarity index 80%
rename from server/internal/api/v1/my/details.go
rename to server/internal/api/v1/my/profile.go
index 4e0b2af3..236c7ff8 100644
--- a/server/internal/api/v1/my/details.go
+++ b/server/internal/api/v1/my/profile.go
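Review bot: The scope Bootstrap requires silently changes from `users:read` to `users:list` in this hunk, and neither the subject nor the description mentions it — any existing token that carries `users:read` but not `users:list` will now get ErrInsufficientScope from /my/bootstrap. If `users:read` was never actually issued this is just a fix and the commit message should say so; otherwise the old name needs to stay accepted during a transition. The string-literal scope names are what let this drift go unnoticed; a shared set of named constants (e.g. `ScopeUsersList = "users:list"`, constructed name) used by both the grant side and every HasScope caller would turn a mismatch into a compile error. Bootstrap's body continues past the end of the hunk.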
@@ -8,20 +8,23 @@ import (
 	"github.com/gin-gonic/gin"
 )
 
-type detailsParams struct {
+type profileUpdateParams struct {
 	Name string `json:"name" form:"name"`
 }
 
-func handleDetailsUpdateRoute(c *gin.Context) {
-	var params detailsParams
+func handleProfileUpdateRoute(c *gin.Context) {
+	var params profileUpdateParams
 	err := c.Bind(¶ms)
 	if err != nil {
 		panic(err)
 	}
 	auth := authenticator.GetAuth(c)
-	var user core.User
+	if !auth.HasScope("profile:update") {
+		panic(core.ErrInsufficientScope)
+	}
+	var user core.User
 	err = db.Get(c.Request.Context()).RunInTx(func(db db.TxHandler) error {
 		if params.Name != "" {
 			if user, err = core.UpdateUserName(db, auth.UserID(), params.Name); err != nil {
diff --git a/server/internal/api/v1/my/routes.go b/server/internal/api/v1/my/routes.go
index 7a9492ff..dfa396d8 100644
--- a/server/internal/api/v1/my/routes.go
+++ b/server/internal/api/v1/my/routes.go
@@ -14,14 +14,17 @@ type sharedResponse struct {
 
 func SetupRoutes(r *gin.RouterGroup) {
 	group := r.Group("/my")
-	group.GET("/shared", handleSharedRoute)
 	group.GET("/bootstrap", handleBootstrapRoute)
-	group.POST("/details", handleDetailsUpdateRoute)
+	group.GET("/shared", handleSharedRoute)
+	group.POST("/profile", handleProfileUpdateRoute)
 	setupBookmarksRoutes(group)
 }
 
 func handleSharedRoute(c *gin.Context) {
 	auth := authenticator.GetAuth(c)
+	if !auth.HasScope("shared:list") {
+		panic(core.ErrInsufficientPermissions)
+	}
 	shared, err := core.SharedResources(db.Get(c.Request.Context()), auth.UserID())
 	if err != nil {
 		panic(err)
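Review bot: In handleProfileUpdateRoute the new `profile:update` check runs only after `c.Bind(&params)` has already decoded the request body, so a caller without the scope can still drive body parsing and the `panic(err)` path on a malformed body before being rejected. The authorization decision should come before any input is processed: move `auth := authenticator.GetAuth(c)` together with the `if !auth.HasScope("profile:update") { panic(core.ErrInsufficientScope) }` block above `var params profileUpdateParams`, leaving the rest of the handler as is. This also keeps the scope check adjacent to the auth lookup, which is the shape handleSharedRoute already has. The handler's body continues past the end of the hunk.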
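Review bot: The new check in handleSharedRoute panics with `core.ErrInsufficientPermissions`, while the profile handler added in this same commit and Bootstrap both use `core.ErrInsufficientScope` for a missing scope; if the recovery middleware maps the two errors to different status codes or response bodies, a client lacking `shared:list` gets a different answer than one lacking `profile:update` for the same kind of failure. Unless a distinct response is deliberate, change the line to `panic(core.ErrInsufficientScope)` so all scope failures in this package surface the same way. The route reordering in SetupRoutes is cosmetic and fine. handleSharedRoute's body continues past the end of the hunk.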