From dc1bd10c8f3d1290e28693c9fdf7a06f8e593b22 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?William=20Bouzour=C3=A8ne?=
Date: Mon, 30 Dec 2024 14:46:01 +0100
Subject: [PATCH] Add admin authz middleware

---
 main.go | 1 +
 middlewares/authorization.go | 34 ++++++++++++++++++++++++++++++++++
 2 files changed, 35 insertions(+)
 create mode 100644 middlewares/authorization.go

diff --git a/main.go b/main.go
index 0cc4978..755f5aa 100644
--- a/main.go
+++ b/main.go
@@ -91,6 +91,7 @@ func main() {
 app.Use(middlewares.MfaEnrollMiddleware)
 app.Use(middlewares.MfaVerifyMiddleware)
 app.Use(middlewares.TemplatesMiddleware)
+ app.Use("/admin", middlewares.AuthzAdmin)
 
 // Controllers
 app.Get("/", controllers.Homepage)
diff --git a/middlewares/authorization.go b/middlewares/authorization.go
new file mode 100644
index 0000000..6c61000
--- /dev/null
+++ b/middlewares/authorization.go
@@ -0,0 +1,34 @@
+package middlewares
+
+import (
+ "git.readonly.ch/bouzoure/popvaud-people/helpers"
+ "git.readonly.ch/bouzoure/popvaud-people/models"
+ "github.com/gofiber/fiber/v2"
+)
+
+func AuthzAdmin(c *fiber.Ctx) error {
+ sess, err := helpers.GetSessionStore(c)
+ if err != nil {
+ return err
+ }
+
+ db, err := helpers.GetDatabase()
+ if err != nil {
+ return err
+ }
+
+ var allowAccess bool
+ userid := sess.Get("userid")
+
+ if userid != nil {
+ var user models.User
+ db.First(&user, "id = ?", userid.(uint))
+ allowAccess = user.IsAdmin
+ }
+
+ if !allowAccess {
+ return fiber.NewError(fiber.StatusForbidden, "Forbidden (authz_admin)")
+ }
+
+ return c.Next()
+}
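Review bot: The added `app.Use("/admin", middlewares.AuthzAdmin)` line carries two ordering assumptions it does not state: Fiber's `Use` matches by path prefix (as far as I recall it guards `/admin`, `/admin/...` and any other path beginning with `/admin`), and it only protects routes registered after it, which is why it sits before the `// Controllers` section. Since the admin controllers it is meant to cover are not visible in this hunk, a one-line comment would protect the next person who reorders the file, e.g. `// Prefix guard for /admin: every admin route must be registered after this line.`. The enclosing `main` starts and ends outside the hunk.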
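Review bot: `userid.(uint)` inside the `if userid != nil { … }` block of `AuthzAdmin` is an unchecked type assertion, so a session whose `userid` was stored as any other type (a different integer width, a string, or stale/foreign store data) panics the handler instead of denying access, which is a crash vector unless a recover middleware is installed elsewhere; use the two-value form, `if uid, ok := userid.(uint); ok {` and `db.First(&user, "id = ?", uid)`, so a mismatch falls through to the existing 403. The result of `db.First` is also discarded: a failed lookup leaves `user` zero-valued and therefore denies access (fail-closed, which is the right default), but a database outage becomes an indistinguishable 403 rather than a surfaced error — if `db` is a gorm handle, checking `.Error` and returning anything other than a not-found error would keep the two cases apart. The parameterized `"id = ?"` lookup and re-reading `IsAdmin` from the database on every request rather than trusting a session-cached role are both good.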