snowykami/meilisearch
1
0
Fork 0
mirror of https://github.com/meilisearch/meilisearch.git synced 2024-11-23 10:37:41 +08:00
Code Issues Actions 8 Packages Projects Releases Wiki Activity

Restrict master key access to /keys routes

Browse Source
This commit is contained in:
ManyTheFish 2022-05-25 16:35:00 +02:00
parent 34c8888f56
commit a57b2d9538
1 changed files with 9 additions and 17 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

26
meilisearch-http/src/extractors/authentication/mod.rs
View File

@ -159,22 +159,9 @@ pub mod policies {
Some(uid) Some(uid)
} }
pub struct MasterPolicy; fn is_keys_action(action: u8) -> bool {
use actions::*;
impl Policy for MasterPolicy { matches!(action, KEYS_GET | KEYS_CREATE | KEYS_UPDATE | KEYS_DELETE)
fn authenticate(
auth: AuthController,
token: &str,
_index: Option<&str>,
) -> Option<AuthFilter> {
if let Some(master_key) = auth.get_master_key() {
if master_key == token {
return Some(AuthFilter::default());
}
}
None
}
} }
pub struct ActionPolicy<const A: u8>; pub struct ActionPolicy<const A: u8>;
@ -186,7 +173,12 @@ pub mod policies {
index: Option<&str>, index: Option<&str>,
) -> Option<AuthFilter> { ) -> Option<AuthFilter> {
// authenticate if token is the master key. // authenticate if token is the master key.
if auth.get_master_key().map_or(true, |mk| mk == token) { // master key can only have access to keys routes.
// if master key is None only keys routes are inaccessible.
if auth
.get_master_key()
.map_or_else(|| !is_keys_action(A), |mk| mk == token && is_keys_action(A))
{
return Some(AuthFilter::default()); return Some(AuthFilter::default());
} }