Fix bug when creating client tokens

It was using the user that made the request as the user to get the list of clients from, which meant for example if an admin made the request, you were limited to the names of clients that the admin also used.
2025-02-25 18:55:29 -06:00 · 2022-03-09 12:19:44 -07:00 · 2022-03-09 12:19:44 -07:00 · ebf114e182
commit ebf114e182
parent c583e1409b
1 changed files with 14 additions and 6 deletions
--- a/api.go
+++ b/api.go
@ -449,28 +449,36 @@ func (a *Api) DeleteTunnel(tokenData TokenData, params url.Values) error {

 func (a *Api) CreateToken(tokenData TokenData, params url.Values) (string, error) {

-	owner := params.Get("owner")
-	if owner == "" {
+	ownerId := params.Get("owner")
+	if ownerId == "" {
 		return "", errors.New("Invalid owner paramater")
 	}

 	user, _ := a.db.GetUser(tokenData.Owner)

-	if tokenData.Owner != owner && !user.IsAdmin {
+	if tokenData.Owner != ownerId && !user.IsAdmin {
 		return "", errors.New("Unauthorized")
 	}

+	var owner User
+
+	if tokenData.Owner == ownerId {
+		owner = user
+	} else {
+		owner, _ = a.db.GetUser(ownerId)
+	}
+
 	client := params.Get("client")

 	if client != "any" {
-		if _, exists := user.Clients[client]; !exists {
-			return "", errors.New(fmt.Sprintf("Client %s does not exist for user %s", client, owner))
+		if _, exists := owner.Clients[client]; !exists {
+			return "", errors.New(fmt.Sprintf("Client %s does not exist for user %s", client, ownerId))
 		}
 	} else {
 		client = ""
 	}

-	token, err := a.db.AddToken(owner, client)
+	token, err := a.db.AddToken(ownerId, client)
 	if err != nil {
 		return "", errors.New("Failed to create token")
 	}