-rw-r--r--api/context.go30
-rw-r--r--api/file.go2
-rw-r--r--api/user.go2
-rw-r--r--api/web_socket.go2
-rw-r--r--model/client.go24
5 files changed, 39 insertions, 21 deletions
diff --git a/api/context.go b/api/context.go
index 0f7ba0fff..ddc8f79b1 100644
--- a/api/context.go
+++ b/api/context.go
@@ -42,31 +42,39 @@ type Context struct {
}
func ApiAppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, true, false, false}
+ return &handler{h, false, false, true, false, false, false}
}
func AppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, false, false, false}
+ return &handler{h, false, false, false, false, false, false}
}
func AppHandlerIndependent(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, false, false, false, false, true}
+ return &handler{h, false, false, false, false, true, false}
}
func ApiUserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, false, true, true, false}
+ return &handler{h, true, false, true, true, false, false}
}
func ApiUserRequiredActivity(h func(*Context, http.ResponseWriter, *http.Request), isUserActivity bool) http.Handler {
- return &handler{h, true, false, true, isUserActivity, false}
+ return &handler{h, true, false, true, isUserActivity, false, false}
}
func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, false, false, false, false}
+ return &handler{h, true, false, false, false, false, false}
}
func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
- return &handler{h, true, true, true, false, false}
+ return &handler{h, true, true, true, false, false, false}
+}
+
+func ApiAppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+ return &handler{h, false, false, true, false, false, true}
+}
+
+func ApiUserRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+ return &handler{h, true, false, true, true, false, true}
}
type handler struct {
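Review bot: The positional `handler{...}` literals now carry seven unnamed bools, and the two new constructors at L47 and L51 differ from their counterparts only in the last position, so the next field added to the struct forces every constructor to change again and makes it easy to flip the wrong flag. Keyed fields would let each constructor name only the flags it sets and rely on zero values for the rest, e.g. `return &handler{isApi: true, trustRequester: true, ...}` (the function field's name is outside the hunk). The two new exported constructors also have no doc comment saying what "trust requester" means; a one-line comment on each, such as `// ApiAppHandlerTrustRequester is ApiAppHandler for routes that must accept cookie-authenticated requests which cannot send X-Requested-With (resources loaded by the browser itself).`, would make the intent explicit at the declaration rather than only in ServeHTTP.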
@@ -76,6 +84,7 @@ type handler struct {
isApi bool
isUserActivity bool
isTeamIndependent bool
+ trustRequester bool
}
func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
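Review bot: The new `trustRequester` field at L59 is the only one of these flags whose effect is a security decision, and it carries no comment; a reader of the struct cannot tell that setting it relaxes the cookie check in ServeHTTP. Suggest `trustRequester bool // when set, cookie-authenticated requests are not required to carry X-Requested-With: XMLHttpRequest` so the relaxation is visible where the flag is declared. The struct's earlier fields and the ServeHTTP body lie outside this hunk.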
@@ -104,6 +113,13 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
if len(token) == 0 {
if cookie, err := r.Cookie(model.SESSION_COOKIE_TOKEN); err == nil {
token = cookie.Value
+
+ if (h.requireSystemAdmin || h.requireUser) && !h.trustRequester {
+ if r.Header.Get(model.HEADER_REQUESTED_WITH) != model.HEADER_REQUESTED_WITH_XML {
+ c.Err = model.NewLocAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token)
+ token = ""
+ }
+ }
}
}
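Review bot: The detail string of the new error at L69 embeds the raw session cookie value (`"token="+token`), so a valid session token is copied into the app error's detailed message and into whatever logs or responses that detail reaches; the hunk does not show where DetailedError ends up, but a session credential should not travel in it at all. Since the point of the branch is that the request was cookie-authenticated without the expected header, the detail can describe that instead, e.g. `c.Err = model.NewLocAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "cookie session without X-Requested-With")`. The check itself is scoped correctly: it applies only when the token came from the cookie rather than a header, only for handlers that require a user or system admin, and not for routes marked trustRequester. ServeHTTP's body begins before this hunk and continues after it.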
diff --git a/api/file.go b/api/file.go
index f0873f884..19f69052d 100644
--- a/api/file.go
+++ b/api/file.go
@@ -62,7 +62,7 @@ func InitFile(r *mux.Router) {
sr := r.PathPrefix("/files").Subrouter()
sr.Handle("/upload", ApiUserRequired(uploadFile)).Methods("POST")
- sr.Handle("/get/{channel_id:[A-Za-z0-9]+}/{user_id:[A-Za-z0-9]+}/{filename:([A-Za-z0-9]+/)?.+(\\.[A-Za-z0-9]{3,})?}", ApiAppHandler(getFile)).Methods("GET")
+ sr.Handle("/get/{channel_id:[A-Za-z0-9]+}/{user_id:[A-Za-z0-9]+}/{filename:([A-Za-z0-9]+/)?.+(\\.[A-Za-z0-9]{3,})?}", ApiAppHandlerTrustRequester(getFile)).Methods("GET")
sr.Handle("/get_info/{channel_id:[A-Za-z0-9]+}/{user_id:[A-Za-z0-9]+}/{filename:([A-Za-z0-9]+/)?.+(\\.[A-Za-z0-9]{3,})?}", ApiAppHandler(getFileInfo)).Methods("GET")
sr.Handle("/get_public_link", ApiUserRequired(getPublicLink)).Methods("POST")
sr.Handle("/get_export", ApiUserRequired(getExport)).Methods("GET")
diff --git a/api/user.go b/api/user.go
index 60b92f90d..ab13cbb68 100644
--- a/api/user.go
+++ b/api/user.go
@@ -67,7 +67,7 @@ func InitUser(r *mux.Router) {
sr.Handle("/{id:[A-Za-z0-9]+}", ApiUserRequired(getUser)).Methods("GET")
sr.Handle("/{id:[A-Za-z0-9]+}/sessions", ApiUserRequired(getSessions)).Methods("GET")
sr.Handle("/{id:[A-Za-z0-9]+}/audits", ApiUserRequired(getAudits)).Methods("GET")
- sr.Handle("/{id:[A-Za-z0-9]+}/image", ApiUserRequired(getProfileImage)).Methods("GET")
+ sr.Handle("/{id:[A-Za-z0-9]+}/image", ApiUserRequiredTrustRequester(getProfileImage)).Methods("GET")
sr.Handle("/claim/email_to_oauth", ApiAppHandler(emailToOAuth)).Methods("POST")
sr.Handle("/claim/oauth_to_email", ApiUserRequired(oauthToEmail)).Methods("POST")
diff --git a/api/web_socket.go b/api/web_socket.go
index 7590e6646..e15732f43 100644
--- a/api/web_socket.go
+++ b/api/web_socket.go
@@ -14,7 +14,7 @@ import (
func InitWebSocket(r *mux.Router) {
l4g.Debug(utils.T("api.web_socket.init.debug"))
- r.Handle("/websocket", ApiUserRequired(connect)).Methods("GET")
+ r.Handle("/websocket", ApiUserRequiredTrustRequester(connect)).Methods("GET")
hub.Start()
}
diff --git a/model/client.go b/model/client.go
index 960fe634b..fba4246e2 100644
--- a/model/client.go
+++ b/model/client.go
@@ -16,17 +16,19 @@ import (
)
const (
- HEADER_REQUEST_ID = "X-Request-ID"
- HEADER_VERSION_ID = "X-Version-ID"
- HEADER_ETAG_SERVER = "ETag"
- HEADER_ETAG_CLIENT = "If-None-Match"
- HEADER_FORWARDED = "X-Forwarded-For"
- HEADER_REAL_IP = "X-Real-IP"
- HEADER_FORWARDED_PROTO = "X-Forwarded-Proto"
- HEADER_TOKEN = "token"
- HEADER_BEARER = "BEARER"
- HEADER_AUTH = "Authorization"
- API_URL_SUFFIX = "/api/v1"
+ HEADER_REQUEST_ID = "X-Request-ID"
+ HEADER_VERSION_ID = "X-Version-ID"
+ HEADER_ETAG_SERVER = "ETag"
+ HEADER_ETAG_CLIENT = "If-None-Match"
+ HEADER_FORWARDED = "X-Forwarded-For"
+ HEADER_REAL_IP = "X-Real-IP"
+ HEADER_FORWARDED_PROTO = "X-Forwarded-Proto"
+ HEADER_TOKEN = "token"
+ HEADER_BEARER = "BEARER"
+ HEADER_AUTH = "Authorization"
+ HEADER_REQUESTED_WITH = "X-Requested-With"
+ HEADER_REQUESTED_WITH_XML = "XMLHttpRequest"
+ API_URL_SUFFIX = "/api/v1"
)
type Result struct {