From e515039ad44536765a4bf6f0754ca7a560ffe9e7 Mon Sep 17 00:00:00 2001
From: Ulric Qin
Date: Thu, 3 Mar 2022 10:25:52 +0800
Subject: [PATCH] use bgrwCheck func to check alert_rule put

---
 src/webapi/router/router.go | 2 +-
 src/webapi/router/router_alert_rule.go | 2 ++
 src/webapi/router/router_mw.go | 16 ++++++++++++++++
 3 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/src/webapi/router/router.go b/src/webapi/router/router.go
index cdc3da9f..251f5b1a 100644
--- a/src/webapi/router/router.go
+++ b/src/webapi/router/router.go
@@ -186,7 +186,7 @@ func configRoute(r *gin.Engine, version string) {
 		pages.POST("/busi-group/:id/alert-rules", jwtAuth(), user(), perm("/alert-rules/add"), bgrw(), alertRuleAdd)
 		pages.DELETE("/busi-group/:id/alert-rules", jwtAuth(), user(), perm("/alert-rules/del"), bgrw(), alertRuleDel)
 		pages.PUT("/busi-group/:id/alert-rules/fields", jwtAuth(), user(), perm("/alert-rules/put"), bgrw(), alertRulePutFields)
-		pages.PUT("/busi-group/:id/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules/put"), bgrw(), alertRulePut)
+		pages.PUT("/busi-group/:id/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules/put"), alertRulePut)
 		pages.GET("/alert-rule/:arid", jwtAuth(), user(), perm("/alert-rules"), alertRuleGet)
 
 		pages.GET("/busi-group/:id/alert-mutes", jwtAuth(), user(), perm("/alert-mutes"), bgro(), alertMuteGets)
diff --git a/src/webapi/router/router_alert_rule.go b/src/webapi/router/router_alert_rule.go
index cdd3529f..644ef282 100644
--- a/src/webapi/router/router_alert_rule.go
+++ b/src/webapi/router/router_alert_rule.go
@@ -78,6 +78,8 @@ func alertRulePut(c *gin.Context) {
 		return
 	}
 
+	bgrwCheck(c, ar.GroupId)
+
 	f.UpdateBy = c.MustGet("username").(string)
 	ginx.NewRender(c).Message(ar.Update(f))
 }
diff --git a/src/webapi/router/router_mw.go b/src/webapi/router/router_mw.go
index c6994c34..71e599a3 100644
--- a/src/webapi/router/router_mw.go
+++ b/src/webapi/router/router_mw.go
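Review bot: With bgrw() dropped from the PUT /busi-group/:id/alert-rule/:arid route, the :id path parameter is no longer checked anywhere on this route, so a request may name one group in the URL while the rule belongs to another and the mismatch is accepted without comment. Authorizing on the rule's own group id in the handler (bgrwCheck(c, ar.GroupId) in router_alert_rule.go) is the right source of truth, but the route still advertises :id as if it mattered, and the sibling routes on the lines above still rely on bgrw(). Either verify in the handler that :id equals ar.GroupId, or mark the route so the next reader does not assume :id is enforced, e.g. `// :id is not authoritative here; alertRulePut authorizes on ar.GroupId via bgrwCheck`.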
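Review bot: bgrwCheck(c, ar.GroupId) authorizes against the group the rule currently belongs to, but the payload f is applied afterwards by ar.Update(f); if Update copies a group id from f (not visible in this hunk), a caller with rw on the current group could move the rule into a group they cannot write to. Pinning the group before the update, `f.GroupId = ar.GroupId`, or running `bgrwCheck(c, f.GroupId)` as well when it differs, would close that path. The start of alertRulePut, where ar and f are loaded, is outside the hunk, so this is an inference from the names; note also that bgrwCheck appears to abort the request through ginx.Bomb rather than returning a verdict, so nothing between the check and Update should be written as if a denial could fall through.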
@@ -105,6 +105,7 @@ func bgro() gin.HandlerFunc {
 	}
 }
 
+// bgrw 逐步要被干掉,不安全
 func bgrw() gin.HandlerFunc {
 	return func(c *gin.Context) {
 		me := c.MustGet("user").(*models.User)
@@ -122,6 +123,21 @@ func bgrw() gin.HandlerFunc {
 	}
 }
 
+// bgrwCheck 要逐渐替换掉bgrw方法,更安全
+func bgrwCheck(c *gin.Context, bgid int64) {
+	me := c.MustGet("user").(*models.User)
+	bg := BusiGroup(bgid)
+
+	can, err := me.CanDoBusiGroup(bg, "rw")
+	ginx.Dangerous(err)
+
+	if !can {
+		ginx.Bomb(http.StatusForbidden, "forbidden")
+	}
+
+	c.Set("busi_group", bg)
+}
+
 func perm(operation string) gin.HandlerFunc {
 	return func(c *gin.Context) {
 		me := c.MustGet("user").(*models.User)
-- 
GitLab
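Review bot: bgrwCheck has no English doc comment and its contract — that it returns nothing and instead aborts the request through ginx.Dangerous / ginx.Bomb — is not stated, so a caller could read past it as if it were a plain predicate; suggest replacing the Chinese comment with `// bgrwCheck verifies that the current user has read-write access to business group bgid; on failure it aborts the request (ginx.Bomb / ginx.Dangerous) and on success it stores the group in the context as "busi_group". It is the intended replacement for the bgrw middleware.` Because bgrwCheck takes the group id from its caller rather than from the URL, the outcome for an unknown or zero bgid depends entirely on what BusiGroup returns and how CanDoBusiGroup treats it, both outside this hunk; an explicit guard before the permission check, rejecting a zero or unresolved bgid with http.StatusNotFound, would make the deny path independent of those helpers. The bgrw comment added in the earlier hunk of this file should likewise be in English, e.g. `// bgrw is the legacy group-check middleware and is being phased out; prefer bgrwCheck.`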