Fix: user and things authz (#1941)

Signed-off-by: Arvindh <arvindh91@gmail.com>
2023-10-19 23:21:03 +05:30 · 2023-10-19 23:21:03 +05:30 · a91a8f44d3
parent 4ae0feced4
commit a91a8f44d3
2 changed files with 9 additions and 2 deletions
--- a/things/service.go
+++ b/things/service.go
@ -25,6 +25,7 @@ const (

 	userType  = "user"
 	tokenKind = "token"
+	userKind  = "users"
 	thingType = "thing"
 	groupType = "group"
 )
@ -143,7 +144,7 @@ func (svc service) ListClients(ctx context.Context, token string, reqUserID stri

 	switch {
 	case (reqUserID != "" && reqUserID != userID):
-		if _, err := svc.authorize(ctx, userType, tokenKind, userID, ownerPermission, userType, reqUserID); err != nil {
+		if _, err := svc.authorize(ctx, userType, userKind, userID, ownerRelation, userType, reqUserID); err != nil {
 			return mfclients.ClientsPage{}, err
 		}
 		rtids, err := svc.listClientIDs(ctx, reqUserID, pm.Permission)
--- a/users/service.go
+++ b/users/service.go
@ -22,6 +22,7 @@ const (
 	userKind   = "users"
 	tokenKind  = "token"
 	thingsKind = "things"
+	groupsKind = "groups"

 	userType  = "user"
 	groupType = "group"
@ -385,14 +386,19 @@ func (svc service) changeClientStatus(ctx context.Context, token string, client

 func (svc service) ListMembers(ctx context.Context, token, objectKind string, objectID string, pm mfclients.Page) (mfclients.MembersPage, error) {
 	var objectType string
+	var authzPerm string
 	switch objectKind {
 	case thingsKind:
 		objectType = thingType
+		authzPerm = pm.Permission
+	case groupsKind:
+		fallthrough
 	default:
 		objectType = groupType
+		authzPerm = auth.SwitchToPermission(pm.Permission)
 	}

-	if _, err := svc.authorize(ctx, userType, tokenKind, token, auth.SwitchToPermission(pm.Permission), objectType, objectID); err != nil {
+	if _, err := svc.authorize(ctx, userType, tokenKind, token, authzPerm, objectType, objectID); err != nil {
 		return mfclients.MembersPage{}, err
 	}
 	uids, err := svc.auth.ListAllSubjects(ctx, &mainflux.ListSubjectsReq{