Diffstat (limited to 'api/context.go')
-rw-r--r-- | api/context.go | 30 |
1 files changed, 23 insertions, 7 deletions
diff --git a/api/context.go b/api/context.go
index 0f7ba0fff..ddc8f79b1 100644
--- a/api/context.go
+++ b/api/context.go
@@ -42,31 +42,39 @@ type Context struct {
 }
 
 func ApiAppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, false, false, true, false, false}
+	return &handler{h, false, false, true, false, false, false}
 }
 
 func AppHandler(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, false, false, false, false, false}
+	return &handler{h, false, false, false, false, false, false}
 }
 
 func AppHandlerIndependent(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, false, false, false, false, true}
+	return &handler{h, false, false, false, false, true, false}
 }
 
 func ApiUserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, true, false, true, true, false}
+	return &handler{h, true, false, true, true, false, false}
 }
 
 func ApiUserRequiredActivity(h func(*Context, http.ResponseWriter, *http.Request), isUserActivity bool) http.Handler {
-	return &handler{h, true, false, true, isUserActivity, false}
+	return &handler{h, true, false, true, isUserActivity, false, false}
 }
 
 func UserRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, true, false, false, false, false}
+	return &handler{h, true, false, false, false, false, false}
 }
 
 func ApiAdminSystemRequired(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
-	return &handler{h, true, true, true, false, false}
+	return &handler{h, true, true, true, false, false, false}
+}
+
+func ApiAppHandlerTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+	return &handler{h, false, false, true, false, false, true}
+}
+
+func ApiUserRequiredTrustRequester(h func(*Context, http.ResponseWriter, *http.Request)) http.Handler {
+	return &handler{h, true, false, true, true, false, true}
 }
 
 type handler struct {
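Review bot: Every constructor in this hunk builds the handler with a seven-field positional `&handler{...}` literal, which is why adding `trustRequester` had to touch all of them, and a transposed bool (for instance swapping the second and third positions, which appear to be `requireUser` and `requireSystemAdmin`) would silently change which authorization checks run with no compile error. Keyed literals make each constructor self-describing and let new fields default to false without editing the others, e.g. `return &handler{requireUser: true, isApi: true, isUserActivity: true, trustRequester: true}` plus the handler-func field in `ApiUserRequiredTrustRequester`. The two new `*TrustRequester` constructors would also benefit from a doc comment stating that they skip the `X-Requested-With` check on cookie sessions, since that is the only difference from their non-trusting counterparts and it is security-relevant for whoever registers routes with them.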
@@ -76,6 +84,7 @@ type handler struct {
 	isApi bool
 	isUserActivity bool
 	isTeamIndependent bool
+	trustRequester bool
 }
 
 func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
@@ -104,6 +113,13 @@ func (h handler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
 		if len(token) == 0 {
 			if cookie, err := r.Cookie(model.SESSION_COOKIE_TOKEN); err == nil {
 				token = cookie.Value
+
+				if (h.requireSystemAdmin || h.requireUser) && !h.trustRequester {
+					if r.Header.Get(model.HEADER_REQUESTED_WITH) != model.HEADER_REQUESTED_WITH_XML {
+						c.Err = model.NewLocAppError("ServeHTTP", "api.context.session_expired.app_error", nil, "token="+token)
+						token = ""
+					}
+				}
 			}
 		}
 
|
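Review bot: The rejection branch in the second hunk puts the raw session cookie into the error details via `"token="+token` and labels a cross-site-request rejection as `api.context.session_expired.app_error`; if `c.Err` details are logged or returned to the client (not visible here), that copies a session secret out of the cookie and gives a misleading diagnosis. Drop `token` from the details argument (pass `""` or a non-secret marker such as the request path) and use an error id that describes the missing `X-Requested-With` header rather than an expired session. Note that this guard only protects cookie-authenticated requests on handlers with `requireUser` or `requireSystemAdmin` set and not marked `trustRequester`, so cookie sessions on `ApiAppHandler` routes and on both `*TrustRequester` constructors remain callable from a cross-site form post; each route registered that way should be confirmed not to mutate state on the session, and a comment on the check saying as much would help future readers. The enclosing ServeHTTP continues outside the hunk, so whether a non-nil `c.Err` actually stops dispatch after `token` is cleared cannot be verified from this view.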