From f3b48d0678fe23c8ff4aed8bfdc370b3b8197b9f Mon Sep 17 00:00:00 2001 From: Jeffrey Armstrong Date: Wed, 4 May 2022 12:08:32 -0400 Subject: Auth levels are now read from a special config file. Both display and operations are now checked for auth level. --- captain/requtils.f90 | 54 ++++++++++++++++++++++++++++++++++++++++------------ 1 file changed, 42 insertions(+), 12 deletions(-) (limited to 'captain/requtils.f90') diff --git a/captain/requtils.f90 b/captain/requtils.f90 index 41eacc6..620170a 100644 --- a/captain/requtils.f90 +++ b/captain/requtils.f90 @@ -71,6 +71,24 @@ contains end if end function notfound_code + + pure function notpermitted_code(req) + use http, only: HTTP_UNAUTHORIZED => HTTP_CODE_UNAUTHORIZED + use server_response, only: request, GEMINI_UNAUTHORIZED => GEMINI_CODE_BAD_REQUEST + implicit none + + class(request), intent(in)::req + integer::notpermitted_code + + if(req%protocol == 'gemini') then + ! You might think we'd use Gemini certificates, but fuck certificates... + ! Just fail with a bad request. + notpermitted_code = GEMINI_UNAUTHORIZED + else + notpermitted_code = HTTP_UNAUTHORIZED + end if + + end function notpermitted_code subroutine basic_mimetype(actual_filename, mimetype) use utilities, only: get_one_line_output_shell_command 
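Review bot: Importing `GEMINI_CODE_BAD_REQUEST` under the alias `GEMINI_UNAUTHORIZED` in notpermitted_code hides that a Gemini permission denial is reported as a malformed request, so denials and genuinely bad requests cannot be told apart by status code in monitoring. I would import the constant under its own name and write `notpermitted_code = GEMINI_CODE_BAD_REQUEST`, keeping a comment that explains the choice. On the HTTP side the function answers 401 when the auth level is too low. Whether a challenge header accompanies that 401 is not visible in this hunk, and if the caller is already identified a forbidden-style status would describe the situation more accurately.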
@@ -239,19 +257,30 @@ contains call req%path_component(1, category) call req%path_starting_with_component(2, filename) - resp%body_filename => get_special_full_filename(trim(category), trim(filename)) - - inquire(file=resp%body_filename, exist=exists) - if(.not. exists) then - - resp%code = notfound_code(req) - call write_log("File did not exist: "//resp%body_filename, LOG_NORMAL) + if((req%auth_level < global_permissions%get("view-raw-instructions") .and. trim(category) == "instructions") .or. & + (req%auth_level < global_permissions%get("access-releases") .and. trim(category) == "releases") .or. & + (req%auth_level < global_permissions%get("access-logs") .and. trim(category) == "results")) & + then + resp%code = notpermitted_code(req) + else + + resp%body_filename => get_special_full_filename(trim(category), trim(filename)) + + inquire(file=resp%body_filename, exist=exists) + if(.not. exists) then - resp%code = success_code(req) - call basic_mimetype(resp%body_filename, resp%body_mimetype) + resp%code = notfound_code(req) + call write_log("File did not exist: "//resp%body_filename, LOG_NORMAL) + + else + + resp%code = success_code(req) + call basic_mimetype(resp%body_filename, resp%body_mimetype) + end if + end if end function request_static @@ -652,6 +681,7 @@ contains use captain_db use server_response use remote_launch + use config, only: global_permissions implicit none type(request), intent(in)::req 
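Review bot: The new guard in request_static gates only the three categories it names, so any other value of `category` still reaches get_special_full_filename with no level check; if other categories exist, denying by default would be safer than listing the protected ones. The test is made on the raw `trim(category)` string, so confirm that get_special_full_filename resolves exactly that string (same case, no normalisation), otherwise the check and the lookup can disagree. The denied branch sets `resp%code = notpermitted_code(req)` but logs nothing, unlike the not-found branch; adding `call write_log("Access denied: "//trim(category)//"/"//trim(filename), LOG_NORMAL)` there would leave an audit trail. What `global_permissions%get` returns for a key missing from the config file is not visible here; it should be a level no request can reach, so that these `<` tests and the `>=` tests in the hunk at -668 fail closed.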
@@ -668,15 +698,15 @@ contains command = req%query_string(1:i-1) argument = req%query_string(i+1:len_trim(req%query_string)) - if(trim(command) == "launch") then + if(trim(command) == "launch" .and. req%auth_level >= global_permissions%get("launch-job")) then call launch_instructions_on_player(instruction_name, argument) - else if(trim(command) == "assign") then + else if(trim(command) == "assign" .and. req%auth_level >= global_permissions%get("assign-instructions")) then i = get_instruction_id(trim(instruction_name)) j = get_player_id(trim(argument)) call add_player_for_instruction(i, j) - else if(trim(command) == "remove") then + else if(trim(command) == "remove" .and. req%auth_level >= global_permissions%get("assign-instructions")) then i = get_instruction_id(trim(instruction_name)) j = get_player_id(trim(argument)) call remove_player_for_instruction(i, j) -- cgit v1.2.3
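Review bot: A `launch`, `assign` or `remove` request that fails the new `req%auth_level >= ...` test falls through the `else if` chain, so within the lines shown the refusal produces no notpermitted_code response and no log entry. The chain and the rest of the routine continue outside the hunk, so this may be handled further down. Matching on the command first and checking the level inside each branch, e.g. `if(req%auth_level < global_permissions%get("launch-job")) then`, followed by a log line and a denied response, would keep a refused operation distinguishable from an unknown command. `remove` is gated by the `assign-instructions` key; if that reuse is intentional, a short comment saying so would help the next reader of the permissions file.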