requireVaultAccess checks that the session has access to the given vault. For scoped sessions (VaultID set): checks that the session's vault matches. For instance-level sessions: resolves the actor and checks the unified vault_grants table. Returns the actor (nil for scoped sessions) on success, or writes an error response and returns a non-nil error on failure.
(w http.ResponseWriter, r *http.Request, vaultID string)
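// For instance-level sessions: resolves the actor and checks the unified vault_grants table.
//
// Return contract: on success, the resolved *Actor for an instance-level
// session, or (nil, nil) for a scoped session — callers MUST nil-check the
// actor before using it. On failure the error response has ALREADY been
// written (403 for every authorization failure, 500 only when the grant
// lookup itself fails) and a non-nil error is returned; the caller must
// return immediately without writing anything further. Every failure path
// denies access (fail closed), including an empty vaultID.
func (s *Server) requireVaultAccess(w http.ResponseWriter, r *http.Request, vaultID string) (*Actor, error) {
	sess := sessionFromContext(r.Context())
	if sess == nil {
		// NOTE(review): 403 is used for a missing session to match the rest of
		// this function; 401 would be the more conventional status, but
		// changing it is a client-visible change and is left as is.
		jsonError(w, http.StatusForbidden, "Authentication required")
		return nil, fmt.Errorf("no session")
	}

	// Scoped session: the vault is baked into the session at issuance, so the
	// only check is that the request targets that same vault. No actor is
	// resolved on this path. An empty vaultID can never match a non-empty
	// sess.VaultID, so it is rejected here as a mismatch.
	if sess.VaultID != "" {
		if sess.VaultID != vaultID {
			jsonError(w, http.StatusForbidden, "Session not authorized for this vault")
			return nil, fmt.Errorf("vault mismatch")
		}
		return nil, nil
	}

	// Instance-level session. An empty vaultID can only come from a caller
	// bug (e.g. a missing route parameter); never hand it to the grant
	// lookup, where the meaning of an empty key is up to the store. Deny it
	// outright, before touching the store.
	if vaultID == "" {
		jsonError(w, http.StatusForbidden, "No access to this vault")
		return nil, fmt.Errorf("empty vault id")
	}

	// Resolve the actor behind the session; a session that no longer maps
	// to an actor is treated as invalid rather than as a server error.
	actor, err := s.actorFromSession(r.Context(), sess)
	if err != nil {
		jsonError(w, http.StatusForbidden, "Invalid session")
		return nil, err
	}

	// Consult the unified vault_grants table. A lookup failure is reported
	// as a server error but still fails closed: the caller gets a non-nil
	// error and must bail out.
	has, err := s.store.HasVaultAccess(r.Context(), actor.ID, vaultID)
	if err != nil {
		jsonError(w, http.StatusInternalServerError, "Failed to check vault access")
		return nil, err
	}
	if !has {
		jsonError(w, http.StatusForbidden, "No access to this vault")
		return nil, fmt.Errorf("no grant")
	}

	return actor, nil
}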
| 598 | |
| 599 | // requireVaultAdmin checks that the actor has admin role in the given vault. |
| 600 | // For scoped sessions: checks sess.VaultRole. For instance-level sessions: checks vault_grants. |