GitHub push (with secret)

kshvakov · kshvakov · commit eefda50596e0 · 2016-05-27T22:10:50.000+03:00
diff --git a/src/app/controllers/project/get.go b/src/app/controllers/project/get.go
@@ -1,6 +1,7 @@
 package project
 
 import (
+	"github.com/postgres-ci/app-server/src/app/models/auth"
 	"github.com/postgres-ci/app-server/src/app/models/project"
 	"github.com/postgres-ci/app-server/src/common/errors"
 	"github.com/postgres-ci/app-server/src/tools/params"
@@ -12,6 +13,15 @@ import (
 
 func getHandler(c *http200ok.Context) {
 
+	currentUser := c.Get("CurrentUser").(*auth.User)
+
+	if !currentUser.IsSuperuser {
+
+		render.JSONError(c, http.StatusForbidden, "Access denied")
+
+		return
+	}
+
 	project, err := project.Get(params.ToInt32(c, "ProjectID"))
 
 	if err != nil {
diff --git a/src/app/controllers/users/get.go b/src/app/controllers/users/get.go
@@ -1,6 +1,7 @@
 package users
 
 import (
+	"github.com/postgres-ci/app-server/src/app/models/auth"
 	"github.com/postgres-ci/app-server/src/app/models/users"
 	"github.com/postgres-ci/app-server/src/common/errors"
 	"github.com/postgres-ci/app-server/src/tools/params"
@@ -12,6 +13,15 @@ import (
 
 func getHandler(c *http200ok.Context) {
 
+	currentUser := c.Get("CurrentUser").(*auth.User)
+
+	if !currentUser.IsSuperuser {
+
+		render.JSONError(c, http.StatusForbidden, "Access denied")
+
+		return
+	}
+
 	user, err := users.Get(params.ToInt32(c, "UserID"))
 
 	if err != nil {
diff --git a/src/app/controllers/webhooks/github.go b/src/app/controllers/webhooks/github.go
@@ -33,14 +33,14 @@ func githubHandler(c *http200ok.Context) {
 
 		if err != nil {
 
-			http.Error(c.Response, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			render.JSONError(c, http.StatusInternalServerError, err.Error())
 
 			return
 		}
 
 		if err := json.Unmarshal(source, &push); err != nil {
 
-			http.Error(c.Response, http.StatusText(http.StatusBadRequest), http.StatusBadRequest)
+			render.JSONError(c, http.StatusBadRequest, err.Error())
 
 			return
 		}
@@ -50,9 +50,9 @@ func githubHandler(c *http200ok.Context) {
 		if err != nil {
 
 			if errors.IsNotFound(err) {
-				http.Error(c.Response, "Project not nound", http.StatusNotFound)
+				render.JSONError(c, http.StatusNotFound, "Project not nound")
 			} else {
-				http.Error(c.Response, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+				render.JSONError(c, http.StatusInternalServerError, err.Error())
 			}
 
 			return
@@ -64,7 +64,7 @@ func githubHandler(c *http200ok.Context) {
 
 			if signature == "" {
 
-				http.Error(c.Response, "Missing X-Hub-Signature header", http.StatusForbidden)
+				render.JSONError(c, http.StatusForbidden, "Missing X-Hub-Signature header")
 
 				return
 			}
@@ -76,22 +76,22 @@ func githubHandler(c *http200ok.Context) {
 
 			if !hmac.Equal([]byte(signature[5:]), []byte(expectedMAC)) {
 
-				http.Error(c.Response, "HMAC verification failed", http.StatusForbidden)
+				render.JSONError(c, http.StatusForbidden, "HMAC verification failed")
 
 				return
 			}
 		}
 
 		if err := github.Push(push); err != nil {
 
-			http.Error(c.Response, http.StatusText(http.StatusInternalServerError), http.StatusInternalServerError)
+			render.JSONError(c, http.StatusInternalServerError, err.Error())
 
 			return
 		}
 
 	case "":
 
-		http.Error(c.Response, "Missing X-GitHub-Event header", http.StatusBadRequest)
+		render.JSONError(c, http.StatusBadRequest, "Missing X-GitHub-Event header")
 
 		return
 
