roles:delete, roles:edit error parity & fix glaring security hole in role edit

Implements: https://todo.e3t.cc/~core/trifid/1
This commit is contained in:
core 2023-07-31 00:38:19 -04:00
parent e7da2d7009
commit 7dd7cf80ff
Signed by: core
GPG Key ID: FDBF740DADDCEECF
1 changed files with 38 additions and 38 deletions


@ -926,8 +926,8 @@ pub async fn delete_role(
} else { } else {
HttpResponse::NotFound().json(APIErrorsResponse { HttpResponse::NotFound().json(APIErrorsResponse {
errors: vec![APIError { errors: vec![APIError {
code: "ERR_MISSING_ROLE".to_string(), code: "ERR_NOT_FOUND".to_string(),
message: "Role does not exist".to_string(), message: "resource not found".to_string(),
path: None, path: None,
}], }],
}) })
@ -1041,8 +1041,43 @@ pub async fn update_role_request(
} }
}; };
let role = match role::Entity::find()
.filter(role::Column::Id.eq(role.as_str()))
.one(&db.conn)
.await
{
Ok(r) => r,
Err(e) => {
error!("database error: {}", e);
return HttpResponse::InternalServerError().json(APIErrorsResponse {
errors: vec![
APIError {
code: "ERR_DB_ERROR".to_string(),
message: "There was an error performing the database request, please try again later.".to_string(),
path: None,
}
],
});
}
};
let role = match role {
Some(r) => r,
None => {
return HttpResponse::NotFound().json(APIErrorsResponse {
errors: vec![APIError {
code: "ERR_NOT_FOUND".to_string(),
message:
"This resource does not exist or you do not have permission to access it."
.to_string(),
path: None,
}],
})
}
};
let existing_rules: Vec<firewall_rule::Model> = match firewall_rule::Entity::find() let existing_rules: Vec<firewall_rule::Model> = match firewall_rule::Entity::find()
.filter(firewall_rule::Column::Role.eq(role.clone())) .filter(firewall_rule::Column::Role.eq(role.id.clone()))
.all(&db.conn) .all(&db.conn)
.await .await
{ {
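Review bot: The lookup that opens the added block (`role::Entity::find().filter(role::Column::Id.eq(role.as_str()))`) constrains the role only by its id; nothing in this hunk ties the row to the requesting organization, even though the 404 text in the `None` arm speaks of permission to access the resource. If that scoping is enforced earlier in `update_role_request` — the function starts before this hunk and continues past it — a one-line comment above the query stating so would save the next reader the same question, e.g. `// org ownership of `role` is already checked above; only existence is verified here`; if it is not, the query needs an additional organization constraint (the column name is not visible in this hunk). Separately, the parity with `delete_role` in the first hunk is only partial: both now use `ERR_NOT_FOUND`, but `delete_role` says `"resource not found"` while this handler says `"This resource does not exist or you do not have permission to access it."`, so clients still see two different bodies for the same condition. The `ERR_DB_ERROR` response is also repeated verbatim within the handler and would read better as a small shared helper.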
@ -1079,41 +1114,6 @@ pub async fn update_role_request(
}; };
} }
let role = match role::Entity::find()
.filter(role::Column::Id.eq(role.as_str()))
.one(&db.conn)
.await
{
Ok(r) => r,
Err(e) => {
error!("database error: {}", e);
return HttpResponse::InternalServerError().json(APIErrorsResponse {
errors: vec![
APIError {
code: "ERR_DB_ERROR".to_string(),
message: "There was an error performing the database request, please try again later.".to_string(),
path: None,
}
],
});
}
};
let role = match role {
Some(r) => r,
None => {
return HttpResponse::Unauthorized().json(APIErrorsResponse {
errors: vec![APIError {
code: "ERR_UNAUTHORIZED".to_string(),
message:
"This resource does not exist or you do not have permission to access it."
.to_string(),
path: None,
}],
})
}
};
let mut role_active_model = role.clone().into_active_model(); let mut role_active_model = role.clone().into_active_model();
role_active_model.modified_at = Set(SystemTime::now() role_active_model.modified_at = Set(SystemTime::now()