auth/client.go
Require authentication when adding endpoint to client. That seems like a bit of a security hole, doesn't it? Not sure how this got overlooked.
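--- a/client.go
+++ b/client.go
@@ -746,7 +746,24 @@
 encode(w, r, http.StatusBadRequest, response{Errors: errors})
 return
 }
-_, err = c.GetClient(id)
+username, password, ok := r.BasicAuth()
+if !ok {
+errors = append(errors, requestError{Slug: requestErrAccessDenied})
+encode(w, r, http.StatusUnauthorized, response{Errors: errors})
+return
+}
+profile, err := authenticate(username, password, c)
+if err != nil {
+if isAuthError(err) {
+errors = append(errors, requestError{Slug: requestErrAccessDenied})
+encode(w, r, http.StatusUnauthorized, response{Errors: errors})
+} else {
+errors = append(errors, requestError{Slug: requestErrActOfGod})
+encode(w, r, http.StatusInternalServerError, response{Errors: errors})
+}
+return
+}
+client, err = c.GetClient(id)
 if err != nil {
 if err == ErrClientNotFound {
 errors = append(errors, requestError{Slug: requestErrNotFound, Param: "id"})
@@ -757,6 +774,11 @@
 encode(w, r, http.StatusInternalServerError, response{Errors: errors})
 return
 }
+if !client.OwnerID.Equal(profile.ID) {
+errors = append(errors, requestError{Slug: requestErrAccessDenied})
+encode(w, r, http.StatusUnauthorized, response{Errors: errors})
+return
+}
 var req addEndpointReq
 decoder := json.NewDecoder(r.Body)
 err = decoder.Decode(&req)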
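Review bot: An authenticated caller who does not own the client gets 401/requestErrAccessDenied from the new ownership check in the second hunk, while a nonexistent id still gets 404/requestErrNotFound from the unchanged ErrClientNotFound branch above it, so any valid account can learn which client ids exist. If that distinction is not intended, make the two cases indistinguishable, e.g. in the ownership branch `errors = append(errors, requestError{Slug: requestErrNotFound, Param: "id"})` and `encode(w, r, http.StatusNotFound, response{Errors: errors})`. Separately, every `http.StatusUnauthorized` reply added here goes through encode() with no `WWW-Authenticate: Basic realm="..."` header visible; unless encode sets it elsewhere, clients that rely on the challenge will not prompt for credentials. The enclosing handler starts and ends outside the hunk.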