| author | Manuel Nuñez <10672208+mind-ar@users.noreply.github.com> | 2022-09-04 19:21:30 -0300 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-09-05 08:21:30 +1000 |
| commit | ca85992ac6dabafd8410a8928c01ebb8edaf6d7c (patch) | |
| tree | 8a7349f15cb3a603ca2eed97bb6a73bc1b262e02 /internal/authorization/authorizer.go | |
| parent | 6cc182de0827ef71ce69bc2f4ad4e0fb89a54bfa (diff) | |
fix(handlers): verify handler (#3956)
When an anonymous user tries to access a forbidden resource with no subject, we should respond with 403.
Fixes #3084
Diffstat (limited to 'internal/authorization/authorizer.go')
| -rw-r--r-- | internal/authorization/authorizer.go | 6 |
1 files changed, 3 insertions, 3 deletions
diff --git a/internal/authorization/authorizer.go b/internal/authorization/authorizer.go
index 3b6e75f74..d08ec3a5b 100644
--- a/internal/authorization/authorizer.go
+++ b/internal/authorization/authorizer.go
@@ -54,7 +54,7 @@ func (p Authorizer) IsSecondFactorEnabled() bool {
 }
 
 // GetRequiredLevel retrieve the required level of authorization to access the object.
-func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level {
+func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (bool, Level) {
 logger := logging.Logger()
 
 logger.Debugf("Check authorization of subject %s and object %s (method %s).",
@@ -64,7 +64,7 @@ func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level {
 if rule.IsMatch(subject, object) {
 logger.Tracef(traceFmtACLHitMiss, "HIT", rule.Position, subject.String(), object.String(), object.Method)
 
-return rule.Policy
+return len(rule.Subjects) > 0, rule.Policy
 }
 
 logger.Tracef(traceFmtACLHitMiss, "MISS", rule.Position, subject.String(), object.String(), object.Method)
@@ -73,7 +73,7 @@ func (p Authorizer) GetRequiredLevel(subject Subject, object Object) Level {
 logger.Debugf("No matching rule for subject %s and url %s... Applying default policy.",
 subject.String(), object.String())
 
-return p.defaultPolicy
+return false, p.defaultPolicy
 }
 
 // GetRuleMatchResults iterates through the rules and produces a list of RuleMatchResult provided a subject and object.
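Review bot: The doc comment above GetRequiredLevel in the first hunk still describes a single Level result, while the new signature also returns an unnamed bool whose meaning is only discoverable from the `len(rule.Subjects) > 0` expression in the second hunk. Naming the results makes the contract visible at every call site: `func (p Authorizer) GetRequiredLevel(subject Subject, object Object) (subjectRestricted bool, level Level) {`, with the comment updated to `// GetRequiredLevel returns whether the matching rule restricts access to specific subjects, and the level of authorization required to access the object; with no matching rule it returns false and the default policy.`. Note for callers deciding between a 403 and a login redirect that the bool states only that the matched rule lists explicit subjects (and is always false on the default-policy path in the third hunk), not that the caller's subject was anonymous, so that check presumably still has to happen in the handler. The rule loop between the first and second hunks is outside the shown lines.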
