llvy.ltd/casdoor
1
0
Fork 0
mirror of https://github.com/casdoor/casdoor.git synced 2025-05-23 02:35:49 +08:00
Code Issues Packages Projects Releases Wiki Activity

fix: fix permission problem in provider (#2848)

Browse Source
This commit is contained in:
DacongDA 2024-03-30 23:18:03 +08:00 committed by GitHub
parent ea88839db9
commit eb448bd043
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1 changed files with 30 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
controllers/provider.go
View File

@ -159,6 +159,16 @@ func (c *ApiController) UpdateProvider() {
return
}
isGlobalAdmin, user := c.isGlobalAdmin()
if provider.Owner == "admin" && !isGlobalAdmin {
c.ResponseError("no permission")
return
} else if !isGlobalAdmin && user.Owner != provider.Owner {
c.ResponseError("no permission")
return
}
c.Data["json"] = wrapActionResponse(object.UpdateProvider(id, &provider))
c.ServeJSON()
}
@ -189,6 +199,16 @@ func (c *ApiController) AddProvider() {
return
}
isGlobalAdmin, user := c.isGlobalAdmin()
if provider.Owner == "admin" && !isGlobalAdmin {
c.ResponseError("no permission")
return
} else if !isGlobalAdmin && user.Owner != provider.Owner {
c.ResponseError("no permission")
return
}
c.Data["json"] = wrapActionResponse(object.AddProvider(&provider))
c.ServeJSON()
}
@ -208,6 +228,16 @@ func (c *ApiController) DeleteProvider() {
return
}
isGlobalAdmin, user := c.isGlobalAdmin()
if provider.Owner == "admin" && !isGlobalAdmin {
c.ResponseError("no permission")
return
} else if !isGlobalAdmin && user.Owner != provider.Owner {
c.ResponseError("no permission")
return
}
c.Data["json"] = wrapActionResponse(object.DeleteProvider(&provider))
c.ServeJSON()
}