From a57b2d95386be28012b026c59647693df8db431f Mon Sep 17 00:00:00 2001
From: ManyTheFish
Date: Wed, 25 May 2022 16:35:00 +0200
Subject: [PATCH] Restrict master key access to /keys routes
---
 .../src/extractors/authentication/mod.rs | 26 +++++++------------
 1 file changed, 9 insertions(+), 17 deletions(-)
diff --git a/meilisearch-http/src/extractors/authentication/mod.rs b/meilisearch-http/src/extractors/authentication/mod.rs
index cf93d363a..a0e914ec9 100644
--- a/meilisearch-http/src/extractors/authentication/mod.rs
+++ b/meilisearch-http/src/extractors/authentication/mod.rs
@@ -159,22 +159,9 @@ pub mod policies {
 Some(uid)
 }
- pub struct MasterPolicy;
-
- impl Policy for MasterPolicy {
- fn authenticate(
- auth: AuthController,
- token: &str,
- _index: Option<&str>,
- ) -> Option {
- if let Some(master_key) = auth.get_master_key() {
- if master_key == token {
- return Some(AuthFilter::default());
- }
- }
-
- None
- }
+ fn is_keys_action(action: u8) -> bool {
+ use actions::*;
+ matches!(action, KEYS_GET | KEYS_CREATE | KEYS_UPDATE | KEYS_DELETE)
 }
 pub struct ActionPolicy;
@@ -186,7 +173,12 @@ pub mod policies {
 index: Option<&str>,
 ) -> Option {
 // authenticate if token is the master key.
- if auth.get_master_key().map_or(true, |mk| mk == token) {
+ // master key can only have access to keys routes.
+ // if master key is None only keys routes are inaccessible.
+ if auth
+ .get_master_key()
+ .map_or_else(|| !is_keys_action(A), |mk| mk == token && is_keys_action(A))
+ {
 return Some(AuthFilter::default());
 }
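Review bot: `is_keys_action` is now the allowlist that decides which actions the master key may authenticate, but it has no doc comment and resolves its constants through `use actions::*;`. A bare upper-case identifier in a pattern is read as a binding if the name ever stops resolving, whereas a path pattern cannot be (the or-pattern would normally turn that into a compile error, but the qualified form removes the question). I would drop the glob import and write `matches!(action, actions::KEYS_GET | actions::KEYS_CREATE | actions::KEYS_UPDATE | actions::KEYS_DELETE)`. A line such as `/// Returns true for the key-management actions, the only ones the master key may authenticate; extend this list when a new keys action is added.` would make the maintenance obligation explicit.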
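Review bot: The `map_or_else` default branch `|| !is_keys_action(A)` returns `AuthFilter::default()` for every non-keys action without consulting `token`, so an instance with no master key stays open apart from the keys actions, and the surviving comment `// authenticate if token is the master key.` no longer describes that. I would replace the three comment lines with `// No master key configured: every action except the keys actions is allowed without a token.` and `// Master key configured: it authenticates only the keys actions; anything else falls through to the checks below.` The rest of `authenticate` lies outside this hunk, so the second line should be confirmed against it. Separately, `mk == token` compares the secret with ordinary short-circuiting equality, where a constant-time comparison would be the safer choice. The diffstat shows a single file changed, so this authorization change lands without a test for the master key being refused on a non-keys action.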