From d65ba62bfc6734c092c90ece1c045b073b42ea55 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Miroslav=20=C5=A0ediv=C3=BD?=
Date: Fri, 8 Jan 2021 23:42:53 +0100
Subject: [PATCH] upload middleware: fix permissions issue.

---
 internal/api/room/handler.go | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/internal/api/room/handler.go b/internal/api/room/handler.go
index c76937a7..298d8f10 100644
--- a/internal/api/room/handler.go
+++ b/internal/api/room/handler.go
@@ -1,10 +1,13 @@
 package room

 import (
+ "net/http"
+
 "github.com/go-chi/chi"

 "demodesk/neko/internal/types"
 "demodesk/neko/internal/http/auth"
+ "demodesk/neko/internal/utils"
 )

 type RoomHandler struct {
@@ -61,7 +64,18 @@ func (h *RoomHandler) Route(r chi.Router) {
 r.With(auth.AdminsOnly).Get("/configurations", h.screenConfigurationsList)
 })

- r.With(auth.HostsOnly).Route("/upload", func(r chi.Router) {
+ r.With(h.uploadMiddleware).Route("/upload", func(r chi.Router) {
 r.Post("/drop", h.uploadDrop)
 })
 }
+
+func (h *RoomHandler) uploadMiddleware(next http.Handler) http.Handler {
+ return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+ session := auth.GetSession(r)
+ if !session.IsHost() && !h.sessions.ImplicitHosting() {
+ utils.HttpForbidden(w, "Without implicit hosting, only host can upload files.")
+ } else {
+ next.ServeHTTP(w, r)
+ }
+ })
+}
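Review bot: With implicit hosting enabled, the new `uploadMiddleware` lets every session through to `/upload/drop`, including while another session currently holds host, because `!session.IsHost() && !h.sessions.ImplicitHosting()` is false as soon as the global flag is set. `auth.HostsOnly` is replaced rather than extended, so any per-session restriction it enforced (its body is not visible in this patch) no longer applies to uploads; if the intent is that the uploader implicitly becomes host, the middleware should still confirm that this particular session is permitted to host before calling `next.ServeHTTP`. The result of `auth.GetSession(r)` is also dereferenced without a check, which is only safe if the enclosing router always runs the authentication middleware first; that is not visible from this hunk. A doc comment stating the rule would help, e.g. `// uploadMiddleware allows uploads from the current host, or from any session when implicit hosting is enabled.`, and the rejected branch would read more clearly as a guard followed by an early `return` instead of `if`/`else`.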