feat(api): limit devices credentials access to admin user

2024-04-15 18:28:06 -03:00 · 2024-04-15 18:28:06 -03:00 · 2d1a3157f6
commit 2d1a3157f6
parent 73c4457284
1 changed files with 12 additions and 0 deletions
--- a/backend/services/controller/internal/api/device.go
+++ b/backend/services/controller/internal/api/device.go
@ -111,6 +111,18 @@ type DeviceAuth struct {
 }

 func (a *Api) deviceAuth(w http.ResponseWriter, r *http.Request) {
+
+	user, err := a.db.FindUser(r.Context().Value("email").(string))
+	if err != nil {
+		w.WriteHeader(http.StatusInternalServerError)
+		utils.MarshallEncoder(err, w)
+		return
+	}
+	if user.Level != AdminUser {
+		w.WriteHeader(http.StatusForbidden)
+		return
+	}
+
 	if r.Method == http.MethodGet {

 		id := r.URL.Query().Get("id")