fix: updated rbac for notification and permission group apis (#2497)

kartik-579 · web-flow · commit 39e8f7581e2d · 2022-10-21T11:07:25.000+05:30
* updated rbac in notification recipients fetch api

* updated rbac

* updated error handling

* updated rbac for permission group fetch api
diff --git a/api/restHandler/NotificationRestHandler.go b/api/restHandler/NotificationRestHandler.go
@@ -576,6 +576,11 @@ func (impl NotificationRestHandlerImpl) FindAllNotificationConfig(w http.Respons
 		return
 	}
 
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceNotification, casbin.ActionGet, "*"); !ok {
+		// if user does not have notification level access then return unauthorized
+		common.WriteJsonResp(w, fmt.Errorf("unauthorized user"), nil, http.StatusForbidden)
+		return
+	}
 	//RBAC
 	pass := true
 	if len(slackConfigs) > 0 {
@@ -602,10 +607,6 @@ func (impl NotificationRestHandlerImpl) FindAllNotificationConfig(w http.Respons
 	if pass {
 		channelsResponse.SlackConfigs = slackConfigs
 	}
-
-	if ok := impl.enforcer.Enforce(token, casbin.ResourceNotification, casbin.ActionGet, "*"); !ok {
-		pass = false
-	}
 	sesConfigs, fErr := impl.sesService.FetchAllSESNotificationConfig()
 	if fErr != nil && fErr != pg.ErrNoRows {
 		impl.logger.Errorw("service err, FindAllNotificationConfig", "err", err)
@@ -723,6 +724,11 @@ func (impl NotificationRestHandlerImpl) RecipientListingSuggestion(w http.Respon
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
 		return
 	}
+	token := r.Header.Get("token")
+	if ok := impl.enforcer.Enforce(token, casbin.ResourceNotification, casbin.ActionGet, "*"); !ok {
+		common.WriteJsonResp(w, errors.New("unauthorized"), "Forbidden", http.StatusForbidden)
+		return
+	}
 	vars := mux.Vars(r)
 	value := vars["value"]
 	//var teams []int
diff --git a/api/user/UserRestHandler.go b/api/user/UserRestHandler.go
@@ -557,6 +557,53 @@ func (handler UserRestHandlerImpl) FetchRoleGroups(w http.ResponseWriter, r *htt
 		common.WriteJsonResp(w, err, "Unauthorized User", http.StatusUnauthorized)
 		return
 	}
+	// RBAC enforcer applying
+	token := r.Header.Get("token")
+	isAuthorised := false
+	//checking superAdmin access
+	isAuthorised, err = handler.userService.IsSuperAdmin(int(userId))
+	if err != nil {
+		handler.logger.Errorw("error in checking superAdmin access of user", "err", err)
+		common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+		return
+	}
+	if !isAuthorised {
+		user, err := handler.userService.GetById(userId)
+		if err != nil {
+			handler.logger.Errorw("error in getting user by id", "err", err)
+			common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+			return
+		}
+		var roleFilters []bean.RoleFilter
+		if len(user.Groups) > 0 {
+			groupRoleFilters, err := handler.userService.GetRoleFiltersByGroupNames(user.Groups)
+			if err != nil {
+				handler.logger.Errorw("Error in getting role filters by group names", "err", err, "groupNames", user.Groups)
+				common.WriteJsonResp(w, err, "", http.StatusInternalServerError)
+				return
+			}
+			if len(groupRoleFilters) > 0 {
+				roleFilters = append(roleFilters, groupRoleFilters...)
+			}
+		}
+		if user.RoleFilters != nil && len(user.RoleFilters) > 0 {
+			roleFilters = append(roleFilters, user.RoleFilters...)
+		}
+		if len(roleFilters) > 0 {
+			for _, filter := range roleFilters {
+				if len(filter.Team) > 0 {
+					if ok := handler.enforcer.Enforce(token, casbin.ResourceUser, casbin.ActionGet, strings.ToLower(filter.Team)); ok {
+						isAuthorised = true
+						break
+					}
+				}
+			}
+		}
+	}
+	if !isAuthorised {
+		common.WriteJsonResp(w, errors.New("unauthorized"), nil, http.StatusForbidden)
+		return
+	}
 	res, err := handler.roleGroupService.FetchRoleGroups()
 	if err != nil {
 		handler.logger.Errorw("service err, FetchRoleGroups", "err", err)
