42 lines
1.5 KiB
Go
42 lines
1.5 KiB
Go
package setting
|
|
|
|
import (
|
|
"context"
|
|
|
|
"haixun-backend/internal/library/authctx"
|
|
app "haixun-backend/internal/library/errors"
|
|
"haixun-backend/internal/library/errors/code"
|
|
"haixun-backend/internal/svc"
|
|
)
|
|
|
|
// authorizeSettingAccess guards the generic settings API against horizontal
|
|
// privilege escalation (IDOR). The settings collection stores sensitive values
|
|
// such as AI / Brave / Exa API keys under the "user" and "account" scopes, so
|
|
// the caller must be the owner of the scope being accessed.
|
|
//
|
|
// - "user": scope_id must equal the caller uid (uid is enumerable).
|
|
// - "account": the threads account must belong to the caller.
|
|
// - other scopes (brand / persona / placement_topic / copy_mission ...):
|
|
// keyed by unguessable ObjectIDs and hold non-secret research config;
|
|
// ownership is enforced by their own feature endpoints. We still require an
|
|
// authenticated actor here.
|
|
func authorizeSettingAccess(ctx context.Context, svcCtx *svc.ServiceContext, scope, scopeID string) error {
|
|
actor, ok := authctx.ActorFromContext(ctx)
|
|
if !ok || actor.UID == "" {
|
|
return app.For(code.Auth).AuthUnauthorized("missing actor")
|
|
}
|
|
|
|
switch scope {
|
|
case "user":
|
|
if scopeID != actor.UID {
|
|
return app.For(code.Setting).AuthForbidden("cannot access another user's settings")
|
|
}
|
|
case "account":
|
|
if _, err := svcCtx.ThreadsAccount.Get(ctx, actor.TenantID, actor.UID, scopeID); err != nil {
|
|
return app.For(code.Setting).AuthForbidden("cannot access settings of an account you do not own")
|
|
}
|
|
}
|
|
|
|
return nil
|
|
}
|