HasWritePermissions.

Author: lostlevels

auth/service/api/v1/permission.go

@@ -33,3 +33,35 @@ func (r *Router) requireUserHasCustodian(targetParamUserID string, handlerFunc r
 	}
 	return api.RequireUser(fn)
 }
+
+// requireWriteAccess aborts with an error if the request isn't a server request
+// or the authenticated user doesn't have access to the user id in the url param,
+// targetParamUserID
+func (r *Router) requireWriteAccess(targetParamUserID string, handlerFunc rest.HandlerFunc) rest.HandlerFunc {
+	return func(res rest.ResponseWriter, req *rest.Request) {
+		if handlerFunc != nil && res != nil && req != nil {
+			targetUserID := req.PathParam(targetParamUserID)
+			responder := request.MustNewResponder(res, req)
+			ctx := req.Context()
+			details := request.GetAuthDetails(ctx)
+			if details == nil {
+				responder.Empty(http.StatusUnauthorized)
+				return
+			}
+			if details.IsService() {
+				handlerFunc(res, req)
+				return
+			}
+			hasPerms, err := r.PermissionsClient().HasWritePermissions(ctx, details.UserID(), targetUserID)
+			if err != nil {
+				responder.InternalServerError(err)
+				return
+			}
+			if !hasPerms {
+				responder.Empty(http.StatusForbidden)
+				return
+			}
+			handlerFunc(res, req)
+		}
+	}
+}

auth/service/api/v1/profile.go

@@ -15,8 +15,9 @@ import (
 func (r *Router) ProfileRoutes() []*rest.Route {
 	return []*rest.Route{
 		rest.Get("/v1/profiles/:userId", api.RequireUser(r.GetProfile)),
-		rest.Put("/v1/profiles/:userId", r.requireUserHasCustodian("userId", r.UpdateProfile)),
-		rest.Delete("/v1/profiles/:userId", r.requireUserHasCustodian("userId", r.DeleteProfile)),
+		// The following modification routes required custodian access in seagull, but I'm not sure that's quite right - it seems it should be if the user can modify the userId.
+		rest.Put("/v1/profiles/:userId", r.requireWriteAccess("userId", r.UpdateProfile)),
+		rest.Delete("/v1/profiles/:userId", r.requireWriteAccess("userId", r.DeleteProfile)),
 	}
 }
 

permission/client/client.go

@@ -72,3 +72,15 @@ func (c *Client) HasCustodianPermissions(ctx context.Context, granteeUserID, gra
 	}
 	return len(perms[permission.Custodian]) > 0, nil
 }
+
+func (c *Client) HasWritePermissions(ctx context.Context, granteeUserID, grantorUserID string) (has bool, err error) {
+	if granteeUserID != "" && granteeUserID == grantorUserID {
+		return true, nil
+	}
+	perms, err := c.GetUserPermissions(ctx, granteeUserID, grantorUserID)
+	if err != nil {
+		return false, err
+	}
+	return len(perms[permission.Custodian]) > 0 || len(perms[permission.Write]) > 0 || len(perms[permission.Owner]) > 0, nil
+
+}

permission/permission.go

@@ -20,6 +20,7 @@ type Client interface {
 	// Not sure whether to put these methods in platform/permission or go-common/clients
 	HasMembershipRelationship(ctx context.Context, granteeUserID, grantorUserID string) (has bool, err error)
 	HasCustodianPermissions(ctx context.Context, granteeUserID, grantorUserID string) (has bool, err error)
+	HasWritePermissions(ctx context.Context, granteeUserID, grantorUserID string) (has bool, err error)
 }
 
 func FixOwnerPermissions(permissions Permissions) Permissions {