@@ -27,11 +27,9 @@ type AuthObject struct {
2727
2828 // Object is that base static object the above functions can modify.
2929 Object rbac.Object
30- //// Actions are the various actions the middleware will check can be done on the object.
31- //Actions []rbac.Action
3230}
3331
34- func WithOwner (owner func (r * http.Request ) database.User ) func (http.Handler ) http.Handler {
32+ func RBACWithOwner (owner func (r * http.Request ) database.User ) func (http.Handler ) http.Handler {
3533 return func (next http.Handler ) http.Handler {
3634 return http .HandlerFunc (func (rw http.ResponseWriter , r * http.Request ) {
3735 ao := GetAuthObject (r )
@@ -45,7 +43,7 @@ func WithOwner(owner func(r *http.Request) database.User) func(http.Handler) htt
4543 }
4644}
4745
48- func InOrg (org func (r * http.Request ) database.Organization ) func (http.Handler ) http.Handler {
46+ func RBACInOrg (org func (r * http.Request ) database.Organization ) func (http.Handler ) http.Handler {
4947 return func (next http.Handler ) http.Handler {
5048 return http .HandlerFunc (func (rw http.ResponseWriter , r * http.Request ) {
5149 ao := GetAuthObject (r )
@@ -61,13 +59,18 @@ func InOrg(org func(r *http.Request) database.Organization) func(http.Handler) h
6159
6260// Authorize allows for static object & action authorize checking. If the object is a static object, this is an easy way
6361// to enforce the route.
64- func Authorize (logger slog.Logger , auth * rbac.RegoAuthorizer , actions ... rbac.Action ) func (http.Handler ) http.Handler {
62+ func Authorize (logger slog.Logger , auth * rbac.RegoAuthorizer , action rbac.Action ) func (http.Handler ) http.Handler {
6563 return func (next http.Handler ) http.Handler {
6664 return http .HandlerFunc (func (rw http.ResponseWriter , r * http.Request ) {
6765 roles := UserRoles (r )
6866 args := GetAuthObject (r )
6967
7068 object := args .Object
69+ organization , ok := r .Context ().Value (organizationParamContextKey {}).(database.Organization )
70+ if ok {
71+ object = object .InOrg (organization .ID )
72+ }
73+
7174 if args .InOrg != nil {
7275 object .InOrg (args .InOrg (r ))
7376 }
@@ -79,26 +82,24 @@ func Authorize(logger slog.Logger, auth *rbac.RegoAuthorizer, actions ...rbac.Ac
7982 }
8083
8184 // Error on the first action that fails
82- for _ , act := range actions {
83- err := auth .AuthorizeByRoleName (r .Context (), roles .ID .String (), roles .Roles , act , object )
84- if err != nil {
85- var internalError * rbac.UnauthorizedError
86- if xerrors .As (err , internalError ) {
87- logger = logger .With (slog .F ("internal" , internalError .Internal ()))
88- }
89- logger .Warn (r .Context (), "unauthorized" ,
90- slog .F ("roles" , roles .Roles ),
91- slog .F ("user_id" , roles .ID ),
92- slog .F ("username" , roles .Username ),
93- slog .F ("route" , r .URL .Path ),
94- slog .F ("action" , act ),
95- slog .F ("object" , object ),
96- )
97- httpapi .Write (rw , http .StatusUnauthorized , httpapi.Response {
98- Message : err .Error (),
99- })
100- return
85+ err := auth .AuthorizeByRoleName (r .Context (), roles .ID .String (), roles .Roles , action , object )
86+ if err != nil {
87+ var internalError * rbac.UnauthorizedError
88+ if xerrors .As (err , internalError ) {
89+ logger = logger .With (slog .F ("internal" , internalError .Internal ()))
10190 }
91+ logger .Warn (r .Context (), "unauthorized" ,
92+ slog .F ("roles" , roles .Roles ),
93+ slog .F ("user_id" , roles .ID ),
94+ slog .F ("username" , roles .Username ),
95+ slog .F ("route" , r .URL .Path ),
96+ slog .F ("action" , action ),
97+ slog .F ("object" , object ),
98+ )
99+ httpapi .Write (rw , http .StatusUnauthorized , httpapi.Response {
100+ Message : err .Error (),
101+ })
102+ return
102103 }
103104 next .ServeHTTP (rw , r )
104105 })
0 commit comments