You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
93 lines
2.4 KiB
93 lines
2.4 KiB
package dash
|
|
|
|
import (
|
|
"net/http"
|
|
"strings"
|
|
|
|
"github.com/gin-contrib/sessions"
|
|
"github.com/gin-gonic/gin"
|
|
)
|
|
|
|
// setAuthContext sets username and role in context for use in handlers
|
|
func setAuthContext(c *gin.Context, username, role interface{}) {
|
|
c.Set("username", username)
|
|
if role != nil {
|
|
c.Set("role", role)
|
|
} else {
|
|
// Default to admin for backward compatibility
|
|
c.Set("role", "admin")
|
|
}
|
|
}
|
|
|
|
// RequireAuth checks if user is authenticated
|
|
func RequireAuth() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
session := sessions.Default(c)
|
|
authenticated := session.Get("authenticated")
|
|
username := session.Get("username")
|
|
role := session.Get("role")
|
|
|
|
if authenticated != true || username == nil {
|
|
c.Redirect(http.StatusTemporaryRedirect, "/login")
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
// Set username and role in context for use in handlers
|
|
setAuthContext(c, username, role)
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// RequireAuthAPI checks if user is authenticated for API endpoints
|
|
// Returns JSON error instead of redirecting to login page
|
|
func RequireAuthAPI() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
session := sessions.Default(c)
|
|
authenticated := session.Get("authenticated")
|
|
username := session.Get("username")
|
|
role := session.Get("role")
|
|
|
|
if authenticated != true || username == nil {
|
|
c.JSON(http.StatusUnauthorized, gin.H{
|
|
"error": "Authentication required",
|
|
"message": "Please log in to access this endpoint",
|
|
})
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
// Set username and role in context for use in handlers
|
|
setAuthContext(c, username, role)
|
|
c.Next()
|
|
}
|
|
}
|
|
|
|
// RequireWriteAccess checks if user has admin role (write access)
|
|
// Returns JSON error for API endpoints, redirects for HTML endpoints
|
|
func RequireWriteAccess() gin.HandlerFunc {
|
|
return func(c *gin.Context) {
|
|
role, exists := c.Get("role")
|
|
if !exists {
|
|
role = "admin" // Default for backward compatibility
|
|
}
|
|
|
|
roleStr, ok := role.(string)
|
|
if !ok || roleStr != "admin" {
|
|
// Check if this is an API request (path starts with /api) or HTML request
|
|
path := c.Request.URL.Path
|
|
if strings.HasPrefix(path, "/api") {
|
|
c.JSON(http.StatusForbidden, gin.H{
|
|
"error": "Insufficient permissions",
|
|
"message": "This operation requires admin access. Read-only users can only view data.",
|
|
})
|
|
} else {
|
|
c.Redirect(http.StatusSeeOther, "/admin?error=Insufficient permissions")
|
|
}
|
|
c.Abort()
|
|
return
|
|
}
|
|
|
|
c.Next()
|
|
}
|
|
}
|