Ensure all routes check for authorization

2025-12-14 03:32:15 +00:00 · 2025-01-19 00:20:16 +01:00
parent 130f754cdd
commit 6485b89c73
9 changed files with 59 additions and 13 deletions
--- a/crates/frontend/src/routes/addressbook.rs
+++ b/crates/frontend/src/routes/addressbook.rs
@@ -4,6 +4,7 @@ use actix_web::{
    HttpRequest, HttpResponse, Responder,
 };
 use askama::Template;
+use askama_actix::TemplateToResponse;
 use rustical_store::{auth::User, Addressbook, AddressbookStore};

 #[derive(Template)]
@@ -15,21 +16,28 @@ struct AddressbookPage {
 pub async fn route_addressbook<AS: AddressbookStore>(
    path: Path<(String, String)>,
    store: Data<AS>,
-    _user: User,
+    user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
    let (owner, addrbook_id) = path.into_inner();
+    if owner != user.id {
+        return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
+    }
    Ok(AddressbookPage {
        addressbook: store.get_addressbook(&owner, &addrbook_id).await?,
-    })
+    }
+    .to_response())
 }

 pub async fn route_addressbook_restore<AS: AddressbookStore>(
    path: Path<(String, String)>,
    req: HttpRequest,
    store: Data<AS>,
-    _user: User,
+    user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
    let (owner, addressbook_id) = path.into_inner();
+    if owner != user.id {
+        return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
+    }
    store.restore_addressbook(&owner, &addressbook_id).await?;
    Ok(match req.headers().get(header::REFERER) {
        Some(referer) => web::Redirect::to(referer.to_str().unwrap().to_owned())
--- a/crates/frontend/src/routes/calendar.rs
+++ b/crates/frontend/src/routes/calendar.rs
@@ -4,6 +4,7 @@ use actix_web::{
    HttpRequest, HttpResponse, Responder,
 };
 use askama::Template;
+use askama_actix::TemplateToResponse;
 use rustical_store::{auth::User, Calendar, CalendarStore};

 #[derive(Template)]
@@ -15,21 +16,28 @@ struct CalendarPage {
 pub async fn route_calendar<C: CalendarStore>(
    path: Path<(String, String)>,
    store: Data<C>,
-    _user: User,
+    user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
    let (owner, cal_id) = path.into_inner();
+    if owner != user.id {
+        return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
+    }
    Ok(CalendarPage {
        calendar: store.get_calendar(&owner, &cal_id).await?,
-    })
+    }
+    .to_response())
 }

 pub async fn route_calendar_restore<CS: CalendarStore>(
    path: Path<(String, String)>,
    req: HttpRequest,
    store: Data<CS>,
-    _user: User,
+    user: User,
 ) -> Result<impl Responder, rustical_store::Error> {
    let (owner, cal_id) = path.into_inner();
+    if owner != user.id {
+        return Ok(HttpResponse::Unauthorized().body("Unauthorized"));
+    }
    store.restore_calendar(&owner, &cal_id).await?;
    Ok(match req.headers().get(header::REFERER) {
        Some(referer) => web::Redirect::to(referer.to_str().unwrap().to_owned())