From 7823ecbbdd826efef2aa19a153cdc15cbfc02b87 Mon Sep 17 00:00:00 2001
From: To-om
Date: Fri, 13 Apr 2018 08:47:36 +0200
Subject: [PATCH] #89 Let an user display and change their API key
---
 app/org/thp/cortex/controllers/AnalyzerCtrl.scala | 2 +-
 app/org/thp/cortex/controllers/MispCtrl.scala | 3 +--
 app/org/thp/cortex/controllers/UserCtrl.scala | 8 ++++++--
 3 files changed, 8 insertions(+), 5 deletions(-)
diff --git a/app/org/thp/cortex/controllers/AnalyzerCtrl.scala b/app/org/thp/cortex/controllers/AnalyzerCtrl.scala
index adf802682..795dfdd23 100644
--- a/app/org/thp/cortex/controllers/AnalyzerCtrl.scala
+++ b/app/org/thp/cortex/controllers/AnalyzerCtrl.scala
@@ -4,7 +4,7 @@ import javax.inject.{ Inject, Singleton }
 import scala.concurrent.{ ExecutionContext, Future }
-import play.api.libs.json.{ JsNull, JsObject, Json }
+import play.api.libs.json.{ JsObject, Json }
 import play.api.mvc.{ AbstractController, Action, AnyContent, ControllerComponents }
 import akka.stream.Materializer
diff --git a/app/org/thp/cortex/controllers/MispCtrl.scala b/app/org/thp/cortex/controllers/MispCtrl.scala
index dac5e034a..783493b92 100644
--- a/app/org/thp/cortex/controllers/MispCtrl.scala
+++ b/app/org/thp/cortex/controllers/MispCtrl.scala
@@ -2,11 +2,10 @@ package org.thp.cortex.controllers
 import javax.inject.Inject
 import org.elastic4play.controllers.{ Authenticated, Fields, FieldsBodyParser, Renderer }
-import org.elastic4play.services.QueryDSL
 import org.thp.cortex.models.Roles
 import org.thp.cortex.services.{ AnalyzerSrv, MispSrv }
 import play.api.Logger
-import play.api.libs.json.{ JsObject, JsValue, Json }
+import play.api.libs.json.{ JsObject, JsValue }
 import play.api.mvc._
 import scala.concurrent.{ ExecutionContext, Future }
diff --git a/app/org/thp/cortex/controllers/UserCtrl.scala b/app/org/thp/cortex/controllers/UserCtrl.scala
index f6aceec8e..8277fdff0 100644
--- a/app/org/thp/cortex/controllers/UserCtrl.scala
+++ b/app/org/thp/cortex/controllers/UserCtrl.scala
@@ -210,9 +210,11 @@ class UserCtrl @Inject() (
 }
 @Timed
- def getKey(userId: String): Action[AnyContent] = authenticated(Roles.orgAdmin, Roles.superAdmin).async { implicit request ⇒
+ def getKey(userId: String): Action[AnyContent] = authenticated().async { implicit request ⇒
 for {
 _ ← checkUserOrganization(userId)
+ _ ← if (userId == request.userId || request.roles.contains(Roles.orgAdmin) || request.roles.contains(Roles.superAdmin)) Future.successful(())
+ else Future.failed(AuthorizationError("You are not authorized to perform this operation"))
 key ← authSrv.getKey(userId)
 } yield Ok(key)
 }
@@ -226,9 +228,11 @@ class UserCtrl @Inject() (
 }
 @Timed
- def renewKey(userId: String): Action[AnyContent] = authenticated(Roles.orgAdmin, Roles.superAdmin).async { implicit request ⇒
+ def renewKey(userId: String): Action[AnyContent] = authenticated().async { implicit request ⇒
 for {
 _ ← checkUserOrganization(userId)
+ _ ← if (userId == request.userId || request.roles.contains(Roles.orgAdmin) || request.roles.contains(Roles.superAdmin)) Future.successful(())
+ else Future.failed(AuthorizationError("You are not authorized to perform this operation"))
 key ← authSrv.renewKey(userId)
 } yield Ok(key)
 }
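Review bot: The new identity/role check in getKey runs after `checkUserOrganization(userId)`, so a plain user requesting another user's key is first resolved against the organization and only then refused; if checkUserOrganization fails differently for unknown or foreign-organization user ids than the AuthorizationError does (its body is outside this hunk), the two responses let a non-admin enumerate which ids exist in their organization. Running the cheap check first closes that and skips the lookup for callers who will be refused anyway: move the `_ ← if (userId == request.userId || ...)` / `else Future.failed(...)` generator above `_ ← checkUserOrganization(userId)`. The orgAdmin branch of the predicate grants access to any user id and relies entirely on checkUserOrganization to confine admins to their own organization, which deserves a comment such as `// orgAdmin may read keys only inside its own organization; enforced by checkUserOrganization`. getKey's enclosing class starts outside the hunk.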
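Review bot: The two-line authorization predicate added to renewKey is a verbatim copy of the one added to getKey in the previous hunk; a single private helper such as `private def checkKeyAccess(userId: String)(implicit request: AuthenticatedRequest[_]): Future[Unit]` (the exact request type is not visible here) would keep the two endpoints from drifting apart the next time the rule changes. With the guard relaxed from admin roles to `authenticated()`, any authenticated principal can now rotate its own key; if that authenticator also accepts the API key itself as a credential (not visible in this hunk), a leaked key can be used to rotate itself, which is worth stating in a method comment, e.g. `// Self-service renewal: any authenticated session for userId may rotate the key`, or guarding by requiring an interactive session for renewKey. renewKey's enclosing class starts outside the hunk.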