photoprism/internal/api/auth.go

41 lines
1.6 KiB
Go
Raw Normal View History

package api
import (
"github.com/gin-gonic/gin"
"github.com/photoprism/photoprism/internal/acl"
"github.com/photoprism/photoprism/internal/entity"
"github.com/photoprism/photoprism/internal/event"
)
// Auth checks if the user has permission to access the specified resource and returns the session if so.
func Auth(c *gin.Context, resource acl.Resource, grant acl.Permission) *entity.Session {
return AuthAny(c, resource, acl.Permissions{grant})
}
// AuthAny checks if at least one permission allows access and returns the session in this case.
func AuthAny(c *gin.Context, resource acl.Resource, grants acl.Permissions) (s *entity.Session) {
// Get client IP address and session ID, if any.
ip := ClientIP(c)
sessId := SessionID(c)
// Find client session.
if s = Session(sessId); s == nil {
event.AuditWarn([]string{ip, "unauthenticated", "%s %s as unknown user", "denied"}, grants.String(), string(resource))
return entity.SessionStatusUnauthorized()
} else {
s.SetClientIP(ip)
}
// Check authorization.
if s.User() == nil {
event.AuditWarn([]string{ip, "session %s", "%s %s as unknown user", "denied"}, s.RefID, grants.String(), string(resource))
return entity.SessionStatusUnauthorized()
} else if acl.Resources.DenyAll(resource, s.User().AclRole(), grants) {
event.AuditErr([]string{ip, "session %s", "%s %s as %s", "denied"}, s.RefID, grants.String(), string(resource), s.User().AclRole().String())
return entity.SessionStatusForbidden()
} else {
event.AuditInfo([]string{ip, "session %s", "%s %s as %s", "granted"}, s.RefID, grants.String(), string(resource), s.User().AclRole().String())
return s
}
}