From eb448bd043facb65670870f931c2b6764487096b Mon Sep 17 00:00:00 2001
From: DacongDA
Date: Sat, 30 Mar 2024 23:18:03 +0800
Subject: [PATCH] fix: fix permission problem in provider (#2848)
---
 controllers/provider.go | 30 ++++++++++++++++++++++++++++++
 1 file changed, 30 insertions(+)
diff --git a/controllers/provider.go b/controllers/provider.go
index 234ce788..28458d0a 100644
--- a/controllers/provider.go
+++ b/controllers/provider.go
@@ -159,6 +159,16 @@ func (c *ApiController) UpdateProvider() {
 return
 }
+ isGlobalAdmin, user := c.isGlobalAdmin()
+
+ if provider.Owner == "admin" && !isGlobalAdmin {
+ c.ResponseError("no permission")
+ return
+ } else if !isGlobalAdmin && user.Owner != provider.Owner {
+ c.ResponseError("no permission")
+ return
+ }
+
 c.Data["json"] = wrapActionResponse(object.UpdateProvider(id, &provider))
 c.ServeJSON()
 }
@@ -189,6 +199,16 @@ func (c *ApiController) AddProvider() {
 return
 }
+ isGlobalAdmin, user := c.isGlobalAdmin()
+
+ if provider.Owner == "admin" && !isGlobalAdmin {
+ c.ResponseError("no permission")
+ return
+ } else if !isGlobalAdmin && user.Owner != provider.Owner {
+ c.ResponseError("no permission")
+ return
+ }
+
 c.Data["json"] = wrapActionResponse(object.AddProvider(&provider))
 c.ServeJSON()
 }
@@ -208,6 +228,16 @@ func (c *ApiController) DeleteProvider() {
 return
 }
+ isGlobalAdmin, user := c.isGlobalAdmin()
+
+ if provider.Owner == "admin" && !isGlobalAdmin {
+ c.ResponseError("no permission")
+ return
+ } else if !isGlobalAdmin && user.Owner != provider.Owner {
+ c.ResponseError("no permission")
+ return
+ }
+
 c.Data["json"] = wrapActionResponse(object.DeleteProvider(&provider))
 c.ServeJSON()
 }
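Review bot: The check added to UpdateProvider authorizes against `provider.Owner`, but the call on the next context line, `object.UpdateProvider(id, &provider)`, selects the record by `id`, which the check never looks at. If `provider` is decoded from the request (its origin is above the hunk and not visible here), the owner being tested is caller-supplied and need not be the owner of the record that `id` names, so the decision is not bound to the object that is actually modified. The owner taken from `id`, or from the stored provider loaded by `id`, should pass the same test, and a mismatch between that owner and `provider.Owner` should be rejected for non-admins. A comment such as `// authorize against the owner of the provider identified by id, not only the submitted one` above the check would record the intent.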
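Review bot: `user.Owner` in the `else if` branch of the AddProvider hunk is read without a nil check on `user`. If `c.isGlobalAdmin()` can return `false` together with a nil user (for instance when no session user is resolved; its body is not part of this patch), the handler panics instead of answering "no permission". The same expression is added in the UpdateProvider and DeleteProvider hunks. Folding both branches into one guarded condition covers it: `if !isGlobalAdmin && (user == nil || provider.Owner == "admin" || user.Owner != provider.Owner) {`.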
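Review bot: The permission block added to DeleteProvider is a third verbatim copy of the one in the UpdateProvider and AddProvider hunks, so the ownership rule now lives in three places that can drift apart when one handler is changed. Moving it into a single method on ApiController that takes the provider's owner and reports whether the caller may proceed keeps the rule in one spot, and each handler then needs only a short call. The helper name below is a suggestion, and its nil guard on `user` is defensive because the body of isGlobalAdmin is not shown in this patch. DeleteProvider's body starts above the hunk.

```go
// checkProviderOwner reports whether the current caller may modify a provider
// owned by owner, and writes the "no permission" response when it may not.
func (c *ApiController) checkProviderOwner(owner string) bool {
	isGlobalAdmin, user := c.isGlobalAdmin()
	if isGlobalAdmin {
		return true
	}
	// Non-admins may only touch providers of their own organization,
	// and never the ones owned by "admin".
	if user == nil || owner == "admin" || user.Owner != owner {
		c.ResponseError("no permission")
		return false
	}
	return true
}

	// in DeleteProvider, replacing the added block:
	if !c.checkProviderOwner(provider.Owner) {
		return
	}
	// … unchanged: c.Data["json"] = wrapActionResponse(object.DeleteProvider(&provider)) …
```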