roles:delete, roles:edit error parity & fix glaring security hole in role edit

Implements: https://todo.e3t.cc/~core/trifid/1
2023-07-31 00:38:19 -04:00 · 2023-07-31 00:38:19 -04:00 · 7dd7cf80ff
parent e7da2d7009
commit 7dd7cf80ff
1 changed files with 38 additions and 38 deletions
--- a/trifid-api/src/routes/v1/roles.rs
+++ b/trifid-api/src/routes/v1/roles.rs
@ -926,8 +926,8 @@ pub async fn delete_role(
    } else {
        HttpResponse::NotFound().json(APIErrorsResponse {
            errors: vec![APIError {
-                code: "ERR_MISSING_ROLE".to_string(),
-                message: "Role does not exist".to_string(),
+                code: "ERR_NOT_FOUND".to_string(),
+                message: "resource not found".to_string(),
                path: None,
            }],
        })
@ -1041,8 +1041,43 @@ pub async fn update_role_request(
        }
    };

+    let role = match role::Entity::find()
+        .filter(role::Column::Id.eq(role.as_str()))
+        .one(&db.conn)
+        .await
+    {
+        Ok(r) => r,
+        Err(e) => {
+            error!("database error: {}", e);
+            return HttpResponse::InternalServerError().json(APIErrorsResponse {
+                errors: vec![
+                    APIError {
+                        code: "ERR_DB_ERROR".to_string(),
+                        message: "There was an error performing the database request, please try again later.".to_string(),
+                        path: None,
+                    }
+                ],
+            });
+        }
+    };
+
+    let role = match role {
+        Some(r) => r,
+        None => {
+            return HttpResponse::NotFound().json(APIErrorsResponse {
+                errors: vec![APIError {
+                    code: "ERR_NOT_FOUND".to_string(),
+                    message:
+                    "This resource does not exist or you do not have permission to access it."
+                        .to_string(),
+                    path: None,
+                }],
+            })
+        }
+    };
+
    let existing_rules: Vec<firewall_rule::Model> = match firewall_rule::Entity::find()
-        .filter(firewall_rule::Column::Role.eq(role.clone()))
+        .filter(firewall_rule::Column::Role.eq(role.id.clone()))
        .all(&db.conn)
        .await
    {
@ -1079,41 +1114,6 @@ pub async fn update_role_request(
        };
    }

-    let role = match role::Entity::find()
-        .filter(role::Column::Id.eq(role.as_str()))
-        .one(&db.conn)
-        .await
-    {
-        Ok(r) => r,
-        Err(e) => {
-            error!("database error: {}", e);
-            return HttpResponse::InternalServerError().json(APIErrorsResponse {
-                errors: vec![
-                    APIError {
-                        code: "ERR_DB_ERROR".to_string(),
-                        message: "There was an error performing the database request, please try again later.".to_string(),
-                        path: None,
-                    }
-                ],
-            });
-        }
-    };
-
-    let role = match role {
-        Some(r) => r,
-        None => {
-            return HttpResponse::Unauthorized().json(APIErrorsResponse {
-                errors: vec![APIError {
-                    code: "ERR_UNAUTHORIZED".to_string(),
-                    message:
-                        "This resource does not exist or you do not have permission to access it."
-                            .to_string(),
-                    path: None,
-                }],
-            })
-        }
-    };
-
    let mut role_active_model = role.clone().into_active_model();

    role_active_model.modified_at = Set(SystemTime::now()