add permission control

pkg/api/middleware.go

@@ -0,0 +1,55 @@
+package api
+
+import (
+	"errors"
+	"net/http"
+)
+
+func (api *API) PermissionMiddleware(next http.Handler) http.Handler {
+	// 0 anonymous user
+	// 1 admin
+	// 2 normal user
+	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		// get permission of URL
+		permission, ok := api.APIConfig.Permission[r.URL.Path]
+		// 0 means no permission required
+		if !ok || permission == 0 {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// ger user permission level
+		userLevel := api.GetUserLevel(r)
+
+		// admin has root (highest) permission level 1
+		if userLevel == 1 {
+			next.ServeHTTP(w, r)
+			return
+		}
+
+		// anonymous userLevel 0 don't have any permission
+		// check permission level for other users
+		if userLevel == 0 || userLevel > permission {
+			api.HandleError(w, r, errors.New("No enougth permission"))
+			return
+		}
+
+		next.ServeHTTP(w, r)
+	})
+}
+
+func (api *API) GetUserLevel(r *http.Request) int64 {
+	session, _ := api.store.Get(r, api.defaultSessionName)
+	userId, ok := session.Values["userId"]
+	if !ok {
+		// not logined user is considered anonymous user
+		return 0
+	}
+
+	user, err := api.Db.GetUserById(userId.(int64))
+	if err != nil {
+		return 0
+	}
+
+	return user.Role
+}