From 99749decdc994d15b3e3baf848c20a7d858d170f Mon Sep 17 00:00:00 2001
From: Alexandre Aubin
Date: Fri, 29 Sep 2023 14:30:14 +0200
Subject: [PATCH] access.lua: rework again ACL check because the previous code sometimes ended up with error 500 because of permission = nil
---
 access.lua | 65 ++++++++++++++++++++++--------------------------------
 1 file changed, 26 insertions(+), 39 deletions(-)
diff --git a/access.lua b/access.lua
index 229403a..69355d4 100644
--- a/access.lua
+++ b/access.lua
@@ -215,47 +215,34 @@ function element_is_in_table(element, table)
 return false
 end

--- Check whether the app is public access
-function check_public_access(permission)
- if permission == nil then
- logger:debug("No permission matching request for "..ngx.var.uri.." ... Assuming access is denied")
- return false
- end
-
- if permission["public"] then
- logger:debug("Someone tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
- return true
- end
-end
-
--- Check whether a user is allowed to access a URL using the `permissions` directive
--- of the configuration file
-function check_has_access(permission)
-
- -- Public access
- if authUser == nil or permission["public"] then
- user = authUser or "A visitor"
- logger:debug(user.." tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
- return permission["public"]
- end
-
- logger:debug("User "..authUser.." tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
-
- -- The user has permission to access the content if he is in the list of allowed users
- if element_is_in_table(authUser, permission["users"]) then
- logger:debug("User "..authUser.." can access "..ngx.var.host..ngx.var.uri..uri_args_string())
- return true
- else
- logger:debug("User "..authUser.." cannot access "..ngx.var.uri)
- return false
- end
-end
-
-if check_public_access(permission) then
- has_access = true
+-- No permission object found = no access
+if permission == nil then
+ logger:debug("No permission matching request for "..ngx.var.uri.." ... Assuming access is denied")
+ has_access = false
+-- permission is public = everybody has access, no need to check auth
+elseif permission["public"] then
+ logger:debug("Someone tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
+ has_access = true
+-- Check auth header, assume the route is protected
 else
 is_logged_in, authUser, authPasswordEnc = check_authentication()
- has_access = check_has_access(permission)
+
+ -- Unauthenticated user, deny access
+ if authUser == nil then
+ logger:debug("Denied unauthenticated access to "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
+ has_access = false
+ else
+ logger:debug("User "..authUser.." tries to access "..ngx.var.uri.." (corresponding perm: "..permission["id"]..")")
+
+ -- The user has permission to access the content if s.he is in the list of allowed users
+ if element_is_in_table(authUser, permission["users"]) then
+ logger:debug("User "..authUser.." can access "..ngx.var.host..ngx.var.uri..uri_args_string())
+ has_access = true
+ else
+ logger:debug("User "..authUser.." cannot access "..ngx.var.uri)
+ has_access = false
+ end
+ end
 end

 -- ###########################################################################
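Review bot: The protected branch still trusts the shape of the `permission` table: `element_is_in_table(authUser, permission["users"])` passes `users` through unchecked, and every logger:debug call concatenates `permission["id"]` directly, so an entry that lacks `users` or `id` would raise a Lua error and produce the same 500 this commit sets out to remove (the body of element_is_in_table lies above the hunk, so whether it tolerates a nil second argument cannot be seen here). Failing closed is cheap: `if element_is_in_table(authUser, permission["users"] or {}) then` turns a malformed entry into a denial instead of an error, and wrapping the id as `tostring(permission["id"])` in the debug messages removes the concatenation hazard. The hunk is top-level chunk code, not a function, and `is_logged_in`, `authUser`, `authPasswordEnc` and `has_access` are all assigned without `local`; a one-line comment such as `-- module-level globals, read by the sections below` above the check_authentication() call would make that deliberate for the next reader.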