summaryrefslogtreecommitdiff
path: root/app/middleware/require_permission.go
diff options
context:
space:
mode:
Diffstat (limited to 'app/middleware/require_permission.go')
-rw-r--r--app/middleware/require_permission.go33
1 files changed, 33 insertions, 0 deletions
diff --git a/app/middleware/require_permission.go b/app/middleware/require_permission.go
new file mode 100644
index 0000000..563278e
--- /dev/null
+++ b/app/middleware/require_permission.go
@@ -0,0 +1,33 @@
+package middleware
+
+import (
+ "net/http"
+
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/authzd.git/pkg/rpc"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/cfg"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/app/domain"
+ "gitlab.com/gitlab-org/software-supply-chain-security/authorization/sparkled/pkg/pls"
+)
+
+func RequirePermission(permission Permission, ability rpc.Ability) func(http.Handler) http.Handler {
+ return func(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ user := cfg.CurrentUser.From(r.Context())
+
+ reply, err := ability.Allowed(r.Context(),
+ permission.RequestFor(user, &domain.Sparkle{ID: "*"}),
+ )
+ if err != nil {
+ pls.LogError(r.Context(), err)
+ w.WriteHeader(http.StatusForbidden)
+ return
+ }
+
+ if reply.Result {
+ next.ServeHTTP(w, r)
+ } else {
+ w.WriteHeader(http.StatusForbidden)
+ }
+ })
+ }
+}
generated by cgit v1.2.3 (git 2.39.1) at 2026-02-02 03:17:12 +0000