fix control give for users.

2024-07-24 14:40:50 +12:00 · 2024-07-21 14:53:55 +02:00 · 2024-07-21 14:53:55 +02:00 · 667a54e9d9
commit 667a54e9d9
parent c0e5804b3b
3 changed files with 10 additions and 2 deletions
--- a/server/internal/api/room/handler.go
+++ b/server/internal/api/room/handler.go
@ -95,7 +95,7 @@ func (h *RoomHandler) Route(r types.Router) {
 		r.Post("/release", h.controlRelease)

 		r.With(auth.AdminsOnly).Post("/take", h.controlTake)
-		r.With(auth.AdminsOnly).Post("/give/{sessionId}", h.controlGive)
+		r.With(auth.HostsOrAdminsOnly).Post("/give/{sessionId}", h.controlGive)
 		r.With(auth.AdminsOnly).Post("/reset", h.controlReset)
 	})

--- a/server/internal/http/legacy/wstobackend.go
+++ b/server/internal/http/legacy/wstobackend.go
@ -100,7 +100,6 @@ func (s *session) wsToBackend(msg []byte, sendMsg func([]byte) error) error {
 			return err
 		}

-		// TODO: Not implemented for user - only for admins.
 		return s.apiReq(http.MethodPost, "/api/room/control/give/"+request.ID, nil, nil)

 	case oldEvent.CONTROL_CLIPBOARD:
--- a/server/pkg/auth/auth.go
+++ b/server/pkg/auth/auth.go
@ -40,6 +40,15 @@ func HostsOnly(w http.ResponseWriter, r *http.Request) (context.Context, error)
 	return nil, nil
 }

+func HostsOrAdminsOnly(w http.ResponseWriter, r *http.Request) (context.Context, error) {
+	session, ok := GetSession(r)
+	if !ok || (!session.IsHost() && !session.Profile().IsAdmin) {
+		return nil, utils.HttpForbidden("session is not host or admin")
+	}
+
+	return nil, nil
+}
+
 func CanWatchOnly(w http.ResponseWriter, r *http.Request) (context.Context, error) {
 	session, ok := GetSession(r)
 	if !ok || !session.Profile().CanWatch {