// AuthorizeGuardians authorizes the operation for users which belong to Guardians group.
// NOTE: The caller should not wrap the error returned. If needed, propagate the GRPC error code.
//
// Decision order, as implemented below:
//   - ACL feature off (worker.Config.AclSecretKey == nil): nil, i.e. every caller is authorized.
//   - No JWT in ctx (x.ErrNoJwt): codes.PermissionDenied.
//   - Any other error from extractUserAndGroups: codes.Unauthenticated.
//   - Caller resolved but not in a guardians group (x.IsSuperAdmin false): codes.PermissionDenied.
//   - Otherwise: nil.
func AuthorizeGuardians(ctx context.Context) error {
	// No ACL secret configured means the ACL feature is not turned on, so there
	// is nothing to enforce. This is a pass-through, not a denial.
	if worker.Config.AclSecretKey == nil {
		return nil
	}

	userData, err := extractUserAndGroups(ctx)
	if err == x.ErrNoJwt {
		// No JWT was presented with the request.
		return status.Error(codes.PermissionDenied, err.Error())
	}
	if err != nil {
		// A JWT was presented but the user/groups could not be extracted from it.
		return status.Error(codes.Unauthenticated, err.Error())
	}

	userID, groupIDs := userData.userId, userData.groupIds
	if x.IsSuperAdmin(groupIDs) {
		return nil
	}

	// Authenticated, but not a member of a guardian group: deny.
	msg := fmt.Sprintf("Only guardians are "+
		"allowed access. User '%v' is not a member of guardians group.", userID)
	return status.Error(codes.PermissionDenied, msg)
}
| 1172 | |
| 1173 | /* |
| 1174 | addUserFilterToQuery makes sure that a user can access only its own