package services
import (
"context"
"github.com/Juniper/asf/pkg/auth"
"github.com/Juniper/asf/pkg/errutil"
"github.com/Juniper/contrail/pkg/models"
"github.com/pkg/errors"
"github.com/sirupsen/logrus"
)
// isVisibleObject decides whether the identity carried by ctx may see an
// object with the given idPerms. It returns a non-nil error only when idPerms
// marks the object as not user-visible and the identity is not an admin; in
// every other case it returns nil.
//
// NOTE(review): this check fails open. A nil ctx, or a ctx from which
// auth.GetIdentity yields nil, is logged as "user unauthenticated" and then
// answered with nil, i.e. the object is treated as visible. Confirm that every
// caller is behind an authentication step, or that identity-less internal
// calls are meant to bypass the visibility filter; otherwise these two
// branches should return an error instead.
func isVisibleObject(ctx context.Context, idPerms *models.IdPermsType) error {
	if ctx == nil {
		// Fail-open branch: logged, but the caller receives no error.
		logrus.Errorf("user unauthenticated: context is nil")
		return nil
	}

	// Named identity rather than auth so the local does not shadow the package.
	identity := auth.GetIdentity(ctx)

	switch {
	case identity == nil:
		// Fail-open branch: logged, but the caller receives no error.
		logrus.Errorf("user unauthenticated: non authorized context")
		return nil
	case idPerms == nil:
		// Missing id_perms counts as visible: by default UserVisible == true.
		return nil
	case idPerms.GetUserVisible() || identity.IsAdmin():
		// Visible objects are open to everyone; hidden ones only to admins.
		return nil
	}

	return errors.Errorf("this object is not visible by users: %s", identity.UserID())
}
// getStoredIDPerms loads the object of type typeName with the given uuid
// through service.DBService and returns the id_perms it carries.
//
// The error from getObject is returned unchanged. If the loaded object does
// not expose a GetIDPerms method, an internal error is returned. The result of
// GetIDPerms is passed through as is, so it may be nil.
//
// NOTE(review): the internal error text names "IDPerms()" although the method
// being asserted is GetIDPerms(); the message is kept as is because callers or
// tests may match on it.
func getStoredIDPerms(
	ctx context.Context, service *ContrailService, typeName, uuid string,
) (*models.IdPermsType, error) {
	// idPermsHolder is the minimal capability required of the loaded object.
	type idPermsHolder interface {
		GetIDPerms() *models.IdPermsType
	}

	// Only the id_perms field is requested; presumably this limits what
	// getObject reads from the database (confirm against getObject).
	fields := []string{models.AccessControlListFieldIDPerms}

	stored, err := getObject(ctx, service.DBService, typeName, uuid, fields)
	if err != nil {
		return nil, err
	}

	if holder, ok := stored.(idPermsHolder); ok {
		return holder.GetIDPerms(), nil
	}
	return nil, errutil.ErrorInternalf("method IDPerms() not found")
}