checkForSuperuserOnlyRuleFields loosely checks and returns an error if the provided RequestInfo contains rule fields that only the superuser can use.
(requestInfo *core.RequestInfo)
// checkForSuperuserOnlyRuleFields loosely checks and returns an error if
// the provided RequestInfo contains rule fields that only the superuser can use.
//
// The check is intentionally coarse: for every rule query param listed in
// ruleQueryParams it looks for each superuserOnlyRuleFields entry as a plain
// substring of the raw query value. It does not parse the filter expression,
// so a look-alike literal is rejected the same way as a real field reference.
// Requests carrying superuser auth, or with an empty Query map, always pass.
// On a match it returns a router forbidden error naming the offending field.
func checkForSuperuserOnlyRuleFields(requestInfo *core.RequestInfo) error {
	// Nothing to inspect, or the caller may use any field anyway.
	if len(requestInfo.Query) == 0 || requestInfo.HasSuperuserAuth() {
		return nil
	}

	for _, param := range ruleQueryParams {
		offending := findSuperuserOnlyField(requestInfo.Query[param])
		if offending != "" {
			return router.NewForbiddenError("Only superusers can filter by "+offending, nil)
		}
	}

	return nil
}

// findSuperuserOnlyField returns the first superuserOnlyRuleFields entry that
// occurs as a substring of value, or "" when value is empty or contains none.
func findSuperuserOnlyField(value string) string {
	// An absent/empty query param has nothing to match against.
	if value == "" {
		return ""
	}

	for _, field := range superuserOnlyRuleFields {
		if strings.Contains(value, field) {
			return field
		}
	}

	return ""
}
| 535 | |
| 536 | // firstApiError returns the first ApiError from the errors list |
| 537 | // (this is usually used to prevent unnecessary wrapping and to allow bubbling an ApiError up from nested hooks) |