From ebf114e182bb3e38b9dd5895a2f33acf92ff89cf Mon Sep 17 00:00:00 2001
From: Anders Pitman
Date: Wed, 9 Mar 2022 12:19:44 -0700
Subject: [PATCH] Fix bug when creating client tokens
It was using the user that made the request as the user to get the list of clients from, which meant for example if an admin made the request, you were limited to the names of clients that the admin also used.
---
 api.go | 20 ++++++++++++++------
 1 file changed, 14 insertions(+), 6 deletions(-)
diff --git a/api.go b/api.go
index a217e0c..05f7c68 100644
--- a/api.go
+++ b/api.go
@@ -449,28 +449,36 @@ func (a *Api) DeleteTunnel(tokenData TokenData, params url.Values) error {
 func (a *Api) CreateToken(tokenData TokenData, params url.Values) (string, error) {
- owner := params.Get("owner")
- if owner == "" {
+ ownerId := params.Get("owner")
+ if ownerId == "" {
 return "", errors.New("Invalid owner paramater")
 }
 user, _ := a.db.GetUser(tokenData.Owner)
- if tokenData.Owner != owner && !user.IsAdmin {
+ if tokenData.Owner != ownerId && !user.IsAdmin {
 return "", errors.New("Unauthorized")
 }
+ var owner User
+
+ if tokenData.Owner == ownerId {
+ owner = user
+ } else {
+ owner, _ = a.db.GetUser(ownerId)
+ }
+
 client := params.Get("client")
 if client != "any" {
- if _, exists := user.Clients[client]; !exists {
- return "", errors.New(fmt.Sprintf("Client %s does not exist for user %s", client, owner))
+ if _, exists := owner.Clients[client]; !exists {
+ return "", errors.New(fmt.Sprintf("Client %s does not exist for user %s", client, ownerId))
 }
 } else {
 client = ""
 }
- token, err := a.db.AddToken(owner, client)
+ token, err := a.db.AddToken(ownerId, client)
 if err != nil {
 return "", errors.New("Failed to create token")
 }
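Review bot: The added `owner, _ = a.db.GetUser(ownerId)` discards the lookup result, so when an admin passes an `owner` value that does not resolve to a user, `owner` stays a zero-value `User`. With `client=any` the `owner.Clients` check is skipped, and `a.db.AddToken(ownerId, client)` still runs, which appears to issue a token for an owner that was never confirmed to exist. Capture the second return value instead of `_` and return an error before the client check when the lookup fails; its type is not visible in this hunk. The context line `user, _ := a.db.GetUser(tokenData.Owner)` follows the same pattern for the requesting user, and CreateToken's body continues past the end of the hunk.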