feat(api): prevent non administrator users to use admin restricted API endpoints (#3227)

2025-07-25 00:09:40 +02:00 · 2019-10-07 16:10:51 +13:00 · 2019-10-07 16:10:51 +13:00 · f7480c4ad4
commit f7480c4ad4
parent 1fbe6a12f1
21 changed files with 118 additions and 93 deletions
--- a/api/http/handler/teams/handler.go
+++ b/api/http/handler/teams/handler.go
@ -23,17 +23,17 @@ func NewHandler(bouncer *security.RequestBouncer) *Handler {
 		Router: mux.NewRouter(),
 	}
 	h.Handle("/teams",
-		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.teamCreate))).Methods(http.MethodPost)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.teamCreate))).Methods(http.MethodPost)
 	h.Handle("/teams",
-		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.teamList))).Methods(http.MethodGet)
+		bouncer.RestrictedAccess(httperror.LoggerHandler(h.teamList))).Methods(http.MethodGet)
 	h.Handle("/teams/{id}",
-		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.teamInspect))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.teamInspect))).Methods(http.MethodGet)
 	h.Handle("/teams/{id}",
-		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.teamUpdate))).Methods(http.MethodPut)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.teamUpdate))).Methods(http.MethodPut)
 	h.Handle("/teams/{id}",
-		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.teamDelete))).Methods(http.MethodDelete)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.teamDelete))).Methods(http.MethodDelete)
 	h.Handle("/teams/{id}/memberships",
-		bouncer.AuthorizedAccess(httperror.LoggerHandler(h.teamMemberships))).Methods(http.MethodGet)
+		bouncer.AdminAccess(httperror.LoggerHandler(h.teamMemberships))).Methods(http.MethodGet)

 	return h
 }