| author | mo khan <mo@mokhan.ca> | 2025-05-24 00:08:00 -0600 |
|---|---|---|
| committer | mo khan <mo@mokhan.ca> | 2025-05-24 00:08:00 -0600 |
| commit | a8e47145f93f07740d751be37d450599b26b2fc8 (patch) | |
| tree | 3d8fdd7f7fcbda853cf1f42b4a5d96df57c3d71d /app/middleware/require_permission.go | |
| parent | 1ab4de8ec28d4fdd46cd9b3e246eea4a85ca6b6c (diff) | |
feat: create middleware to check if user has permission
Diffstat (limited to 'app/middleware/require_permission.go')
| -rw-r--r-- | app/middleware/require_permission.go | 33 |
1 files changed, 33 insertions, 0 deletions
diff --git a/app/middleware/require_permission.go b/app/middleware/require_permission.go
new file mode 100644
index 0000000..563278e
--- /dev/null
+++ b/app/middleware/require_permission.go
@@ -0,0 +1,33 @@
+package middleware
+
+import (
+ "net/http"
+
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+)
+
+func RequirePermission(permission Permission, ability rpc.Ability) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ user := cfg.CurrentUser.From(r.Context())
+
+ reply, err := ability.Allowed(r.Context(),
+ permission.RequestFor(user, &domain.Sparkle{ID: "*"}),
+ )
+ if err != nil {
+ pls.LogError(r.Context(), err)
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
+ if reply.Result {
+ next.ServeHTTP(w, r)
+ } else {
+ w.WriteHeader(http.StatusForbidden)
+ }
+ })
+ }
+} |
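Review bot: In `RequirePermission`, the value returned by `cfg.CurrentUser.From(r.Context())` goes straight into `permission.RequestFor` with no check that a user is actually present. Whether `RequestFor` tolerates a missing user is not visible in this hunk, so an unauthenticated request could panic or be evaluated against an empty subject. A guard before the `ability.Allowed` call would make the fail-closed path explicit, for example `if user == nil { w.WriteHeader(http.StatusUnauthorized); return }` (assuming `From` returns a pointer). The resource is also fixed to `&domain.Sparkle{ID: "*"}`, so the check runs against the wildcard sparkle rather than the one a route addresses; a doc comment on the exported function such as `// RequirePermission responds 403 unless ability allows permission on the wildcard sparkle "*" for the current user; errors from ability are logged and treated as a denial.` would record that contract. The plain deny branch writes 403 without logging, so rejected requests leave no audit trail unless something outside this file records them.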
