fix: add user authentication checks

pull/5159/head
Johnny 6 days ago
parent f6e025d583
commit efe6013c36

@ -53,6 +53,9 @@ func (s *APIV1Service) CreateAttachment(ctx context.Context, request *v1pb.Creat
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Validate required fields // Validate required fields
if request.Attachment == nil { if request.Attachment == nil {
@ -124,6 +127,9 @@ func (s *APIV1Service) ListAttachments(ctx context.Context, request *v1pb.ListAt
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Set default page size // Set default page size
pageSize := int(request.PageSize) pageSize := int(request.PageSize)
@ -364,6 +370,9 @@ func (s *APIV1Service) DeleteAttachment(ctx context.Context, request *v1pb.Delet
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
attachment, err := s.Store.GetAttachment(ctx, &store.FindAttachment{ attachment, err := s.Store.GetAttachment(ctx, &store.FindAttachment{
UID: &attachmentUID, UID: &attachmentUID,
CreatorID: &user.ID, CreatorID: &user.ID,
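Review bot: The same three-line nil guard is now hand-copied into every handler in this section and in the memo, reaction, user and workspace-setting sections below, so the next handler written without it silently continues with a nil user — a nil dereference where `user.ID` is read (as on the line just below the DeleteAttachment guard), or, in a handler that never touches the user, a request served without a verified identity. Consider folding the current-user lookup, the Internal error and the Unauthenticated check into one helper on APIV1Service, something like `user, err := s.requireCurrentUser(ctx)` returning `(*store.User, error)` with the gRPC status already attached, so each handler has exactly one line to forget; the lookup call itself sits above each hunk, so the helper's exact shape should follow it. Each enclosing function starts and ends outside its hunk.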

@ -29,6 +29,9 @@ func (s *APIV1Service) CreateMemo(ctx context.Context, request *v1pb.CreateMemoR
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get user") return nil, status.Errorf(codes.Internal, "failed to get user")
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
create := &store.Memo{ create := &store.Memo{
UID: shortuuid.New(), UID: shortuuid.New(),
@ -318,6 +321,9 @@ func (s *APIV1Service) UpdateMemo(ctx context.Context, request *v1pb.UpdateMemoR
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user") return nil, status.Errorf(codes.Internal, "failed to get current user")
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Only the creator or admin can update the memo. // Only the creator or admin can update the memo.
if memo.CreatorID != user.ID && !isSuperUser(user) { if memo.CreatorID != user.ID && !isSuperUser(user) {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -453,6 +459,9 @@ func (s *APIV1Service) DeleteMemo(ctx context.Context, request *v1pb.DeleteMemoR
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user") return nil, status.Errorf(codes.Internal, "failed to get current user")
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Only the creator or admin can update the memo. // Only the creator or admin can update the memo.
if memo.CreatorID != user.ID && !isSuperUser(user) { if memo.CreatorID != user.ID && !isSuperUser(user) {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -689,6 +698,9 @@ func (s *APIV1Service) RenameMemoTag(ctx context.Context, request *v1pb.RenameMe
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user") return nil, status.Errorf(codes.Internal, "failed to get current user")
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
memoFind := &store.FindMemo{ memoFind := &store.FindMemo{
CreatorID: &user.ID, CreatorID: &user.ID,
@ -739,6 +751,9 @@ func (s *APIV1Service) DeleteMemoTag(ctx context.Context, request *v1pb.DeleteMe
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user") return nil, status.Errorf(codes.Internal, "failed to get current user")
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
memoFind := &store.FindMemo{ memoFind := &store.FindMemo{
CreatorID: &user.ID, CreatorID: &user.ID,
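Review bot: In UpdateMemo and DeleteMemo the new guard is placed after the memo has already been loaded (`memo.CreatorID` is read two lines below it), so if the memo lookup precedes the user lookup (that part is outside the hunk) an unauthenticated caller still triggers store work and receives a NotFound for a missing UID but Unauthenticated for an existing one — a small existence oracle. Moving the current-user resolution and this nil check above the memo lookup keeps unauthenticated requests from reaching the store and returns Unauthenticated uniformly. Separately, the context comment in DeleteMemo still reads `// Only the creator or admin can update the memo.`; it should say `delete`. Both enclosing functions start and end outside their hunks.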

@ -37,6 +37,9 @@ func (s *APIV1Service) UpsertMemoReaction(ctx context.Context, request *v1pb.Ups
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user") return nil, status.Errorf(codes.Internal, "failed to get current user")
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
reaction, err := s.Store.UpsertReaction(ctx, &store.Reaction{ reaction, err := s.Store.UpsertReaction(ctx, &store.Reaction{
CreatorID: user.ID, CreatorID: user.ID,
ContentID: request.Reaction.ContentId, ContentID: request.Reaction.ContentId,
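Review bot: The line after the new guard dereferences `request.Reaction.ContentId`; unless `request.Reaction` is validated earlier in UpsertMemoReaction (outside the hunk), a request with that field unset still panics after authentication succeeds, surfacing as an Internal error rather than the InvalidArgument it should be. Adding `if request.Reaction == nil { return nil, status.Errorf(codes.InvalidArgument, "reaction is required") }` next to the new check would match the field validation the attachment service performs for `request.Attachment`. The function's start and end lie outside the hunk.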

@ -36,6 +36,9 @@ func (s *APIV1Service) ListUsers(ctx context.Context, request *v1pb.ListUsersReq
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin { if currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
} }
@ -322,6 +325,9 @@ func (s *APIV1Service) GetUserSetting(ctx context.Context, request *v1pb.GetUser
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Only allow user to get their own settings // Only allow user to get their own settings
if currentUser.ID != userID { if currentUser.ID != userID {
@ -356,6 +362,9 @@ func (s *APIV1Service) UpdateUserSetting(ctx context.Context, request *v1pb.Upda
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Only allow user to update their own settings // Only allow user to update their own settings
if currentUser.ID != userID { if currentUser.ID != userID {
@ -442,6 +451,9 @@ func (s *APIV1Service) ListUserSettings(ctx context.Context, request *v1pb.ListU
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
// Only allow user to list their own settings // Only allow user to list their own settings
if currentUser.ID != userID { if currentUser.ID != userID {
@ -500,7 +512,7 @@ func (s *APIV1Service) ListUserAccessTokens(ctx context.Context, request *v1pb.L
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil { if currentUser == nil {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
} }
if currentUser.ID != userID { if currentUser.ID != userID {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -562,7 +574,7 @@ func (s *APIV1Service) CreateUserAccessToken(ctx context.Context, request *v1pb.
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil { if currentUser == nil {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
} }
if currentUser.ID != userID { if currentUser.ID != userID {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -630,7 +642,7 @@ func (s *APIV1Service) DeleteUserAccessToken(ctx context.Context, request *v1pb.
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil { if currentUser == nil {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
} }
if currentUser.ID != userID { if currentUser.ID != userID {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -673,7 +685,7 @@ func (s *APIV1Service) ListUserSessions(ctx context.Context, request *v1pb.ListU
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil { if currentUser == nil {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
} }
if currentUser.ID != userID { if currentUser.ID != userID {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -736,7 +748,7 @@ func (s *APIV1Service) RevokeUserSession(ctx context.Context, request *v1pb.Revo
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil { if currentUser == nil {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
} }
if currentUser.ID != userID { if currentUser.ID != userID {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
@ -796,6 +808,9 @@ func (s *APIV1Service) ListUserWebhooks(ctx context.Context, request *v1pb.ListU
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin { if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
} }
@ -825,6 +840,9 @@ func (s *APIV1Service) CreateUserWebhook(ctx context.Context, request *v1pb.Crea
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin { if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
} }
@ -862,6 +880,9 @@ func (s *APIV1Service) UpdateUserWebhook(ctx context.Context, request *v1pb.Upda
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin { if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
} }
@ -931,6 +952,9 @@ func (s *APIV1Service) DeleteUserWebhook(ctx context.Context, request *v1pb.Dele
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if currentUser == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin { if currentUser.ID != userID && currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
} }
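Review bot: In ListUserAccessTokens, CreateUserAccessToken, DeleteUserAccessToken, ListUserSessions and RevokeUserSession the nil-user status changes from PermissionDenied to Unauthenticated, which is a client-visible change for any caller matching on the old code, and neither the commit title nor the record mentions it; a sentence naming the five RPCs in the description or changelog would help API consumers. Unauthenticated is the right code here and now matches the handlers that gained the guard from scratch. A smaller style point: the webhook handlers repeat `currentUser.Role != store.RoleHost && currentUser.Role != store.RoleAdmin` four times while the memo hunks express the same test as `isSuperUser(user)`; if that helper is in scope in this file, `!isSuperUser(currentUser)` would keep the role policy in one place. All enclosing functions begin and end outside their hunks.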

@ -83,6 +83,9 @@ func (s *APIV1Service) UpdateWorkspaceSetting(ctx context.Context, request *v1pb
if err != nil { if err != nil {
return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err) return nil, status.Errorf(codes.Internal, "failed to get current user: %v", err)
} }
if user == nil {
return nil, status.Errorf(codes.Unauthenticated, "user not authenticated")
}
if user.Role != store.RoleHost { if user.Role != store.RoleHost {
return nil, status.Errorf(codes.PermissionDenied, "permission denied") return nil, status.Errorf(codes.PermissionDenied, "permission denied")
} }
