feat(groups): add granular CanAssign{Identities,Roles} checks in hand…

…lers
canonical · Oct 15, 2024 · d25b430 · d25b430
1 parent 5c19305
commit d25b430
Showing 1 changed file with 48 additions and 0 deletions.
diff --git a/pkg/groups/handlers.go b/pkg/groups/handlers.go
@@ -469,6 +469,7 @@ func (a *API) handleAssignRoles(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
 	ID := chi.URLParam(r, "id")
+	principal := authentication.PrincipalFromContext(r.Context())
 
 	defer r.Body.Close()
 	body, err := io.ReadAll(r.Body)
@@ -499,6 +500,29 @@ func (a *API) handleAssignRoles(w http.ResponseWriter, r *http.Request) {
 
 	}
 
+	canAssign, err := a.service.CanAssignRoles(r.Context(), principal.Identifier(), roles.Roles...)
+	if err != nil {
+		rr := types.Response{
+			Status:  http.StatusInternalServerError,
+			Message: err.Error(),
+		}
+
+		w.WriteHeader(http.StatusInternalServerError)
+		_ = json.NewEncoder(w).Encode(rr)
+		return
+	}
+
+	if !canAssign {
+		rr := types.Response{
+			Status:  http.StatusForbidden,
+			Message: fmt.Sprintf("user %s is not allowed to assign specified roles", principal.Identifier()),
+		}
+
+		w.WriteHeader(http.StatusForbidden)
+		_ = json.NewEncoder(w).Encode(rr)
+		return
+	}
+
 	err = a.service.AssignRoles(r.Context(), ID, roles.Roles...)
 
 	if err != nil {
@@ -607,6 +631,7 @@ func (a *API) handleAssignIdentities(w http.ResponseWriter, r *http.Request) {
 	w.Header().Set("Content-Type", "application/json")
 
 	ID := chi.URLParam(r, "id")
+	principal := authentication.PrincipalFromContext(r.Context())
 
 	defer r.Body.Close()
 	body, err := io.ReadAll(r.Body)
@@ -637,6 +662,29 @@ func (a *API) handleAssignIdentities(w http.ResponseWriter, r *http.Request) {
 
 	}
 
+	canAssign, err := a.service.CanAssignIdentities(r.Context(), principal.Identifier(), identities.Identities...)
+	if err != nil {
+		rr := types.Response{
+			Status:  http.StatusInternalServerError,
+			Message: err.Error(),
+		}
+
+		w.WriteHeader(http.StatusInternalServerError)
+		_ = json.NewEncoder(w).Encode(rr)
+		return
+	}
+
+	if !canAssign {
+		rr := types.Response{
+			Status:  http.StatusForbidden,
+			Message: fmt.Sprintf("user %s is not allowed to assign specified identities", principal.Identifier()),
+		}
+
+		w.WriteHeader(http.StatusForbidden)
+		_ = json.NewEncoder(w).Encode(rr)
+		return
+	}
+
 	err = a.service.AssignIdentities(r.Context(), ID, identities.Identities...)
 
 	if err != nil {