56 lines
1.2 KiB
Go
56 lines
1.2 KiB
Go
package api
|
|
|
|
import (
|
|
"errors"
|
|
"net/http"
|
|
)
|
|
|
|
func (api *API) PermissionMiddleware(next http.Handler) http.Handler {
|
|
// 0 anonymous user
|
|
// 1 admin
|
|
// 2 normal user
|
|
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
|
|
// get permission of URL
|
|
permission, ok := api.APIConfig.Permission[r.URL.Path]
|
|
// 0 means no permission required
|
|
if !ok || permission == 0 {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
// ger user permission level
|
|
userLevel := api.GetUserLevel(r)
|
|
|
|
// admin has root (highest) permission level 1
|
|
if userLevel == 1 {
|
|
next.ServeHTTP(w, r)
|
|
return
|
|
}
|
|
|
|
// anonymous userLevel 0 don't have any permission
|
|
// check permission level for other users
|
|
if userLevel == 0 || userLevel > permission {
|
|
api.HandleError(w, r, errors.New("No enougth permission"))
|
|
return
|
|
}
|
|
|
|
next.ServeHTTP(w, r)
|
|
})
|
|
}
|
|
|
|
func (api *API) GetUserLevel(r *http.Request) int64 {
|
|
session, _ := api.store.Get(r, api.defaultSessionName)
|
|
userId, ok := session.Values["userId"]
|
|
if !ok {
|
|
// not logined user is considered anonymous user
|
|
return 0
|
|
}
|
|
|
|
user, err := api.Db.GetUserById(userId.(int64))
|
|
if err != nil {
|
|
return 0
|
|
}
|
|
|
|
return user.Role
|
|
}
|