// Copyright (c) 2019-2020 The Decred developers
// Use of this source code is governed by an ISC
// license that can be found in the LICENSE file.

package legacy

import (
	"net/http"
	"strings"

	cms "github.com/decred/politeia/politeiawww/api/cms/v1"
	cmv1 "github.com/decred/politeia/politeiawww/api/comments/v1"
	piv1 "github.com/decred/politeia/politeiawww/api/pi/v1"
	rcv1 "github.com/decred/politeia/politeiawww/api/records/v1"
	tkv1 "github.com/decred/politeia/politeiawww/api/ticketvote/v1"
	www "github.com/decred/politeia/politeiawww/api/www/v1"
	"github.com/decred/politeia/politeiawww/legacy/comments"
	"github.com/decred/politeia/politeiawww/legacy/pi"
	"github.com/decred/politeia/politeiawww/legacy/records"
	"github.com/decred/politeia/politeiawww/legacy/ticketvote"
	"github.com/decred/politeia/util"
)

// permission is the access level a route requires. addRoute switches on
// it to pick the session check the handler is wrapped with and the router
// the route is registered on; the values are only compared for equality
// there, the numeric order carries no meaning.
type permission uint

const (
	// permissionPublic routes need no session and are registered on the
	// plain router.
	permissionPublic permission = iota
	// permissionLogin routes are wrapped with isLoggedIn and registered
	// on the auth router.
	permissionLogin
	// permissionAdmin routes are wrapped with isLoggedInAsAdmin and
	// registered on the auth router.
	permissionAdmin
)

// setUserWWWRoutes sets up the www v1 user routes for piwww mode. Note
// that in this mode RouteUserDetails and RouteUsers are public; the login
// route is the only public route that goes through addLoginRoute.
func (p *Politeiawww) setUserWWWRoutes() {
	// Public routes
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteNewUser, p.handleNewUser,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyNewUser, p.handleVerifyNewUser,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteResendVerification, p.handleResendVerification,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteLogout, p.handleLogout,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteResetPassword, p.handleResetPassword,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyResetPassword, p.handleVerifyResetPassword,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserDetails, p.handleUserDetails,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUsers, p.handleUsers,
		permissionPublic)

	// Setup the login route. It is public but lives on the auth router,
	// see addLoginRoute.
	p.addLoginRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteLogin, p.handleLogin)

	// Routes that require being logged in.
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteSecret, p.handleSecret,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserMe, p.handleMe,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteUpdateUserKey, p.handleUpdateUserKey,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyUpdateUserKey, p.handleVerifyUpdateUserKey,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteChangeUsername, p.handleChangeUsername,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteChangePassword, p.handleChangePassword,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteEditUser, p.handleEditUser,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserRegistrationPayment, p.handleUserRegistrationPayment,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserProposalPaywall, p.handleUserProposalPaywall,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserProposalPaywallTx, p.handleUserProposalPaywallTx,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserProposalCredits, p.handleUserProposalCredits,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteSetTOTP, p.handleSetTOTP,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyTOTP, p.handleVerifyTOTP,
		permissionLogin)

	// Routes that require being logged in as an admin user.
	p.addRoute(http.MethodPut, www.PoliteiaWWWAPIRoute,
		www.RouteUserPaymentsRescan, p.handleUserPaymentsRescan,
		permissionAdmin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteManageUser, p.handleManageUser,
		permissionAdmin)
}

// setCMSUserWWWRoutes sets up the user routes for cms mode. Unlike
// setUserWWWRoutes there is no public new-user route (registration goes
// through cms.RouteRegisterUser) and RouteUserDetails / RouteEditUser are
// served by the CMS specific handlers behind a login.
func (p *Politeiawww) setCMSUserWWWRoutes() {
	// Public routes
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteLogout, p.handleLogout,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteResetPassword, p.handleResetPassword,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyResetPassword, p.handleVerifyResetPassword,
		permissionPublic)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteRegisterUser, p.handleRegisterUser,
		permissionPublic)

	// Setup the login route.
	p.addLoginRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteLogin, p.handleLogin)

	// Routes that require being logged in.
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteSecret, p.handleSecret,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUserMe, p.handleMe,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteUpdateUserKey, p.handleUpdateUserKey,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyUpdateUserKey, p.handleVerifyUpdateUserKey,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteChangeUsername, p.handleChangeUsername,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteChangePassword, p.handleChangePassword,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		www.RouteUserDetails, p.handleCMSUserDetails,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		www.RouteEditUser, p.handleEditCMSUser,
		permissionLogin)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUsers, p.handleUsers,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteCMSUsers, p.handleCMSUsers,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteSetTOTP, p.handleSetTOTP,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyTOTP, p.handleVerifyTOTP,
		permissionLogin)

	// Routes that require being logged in as an admin user.
	//
	// NOTE(review): GET www.RouteUsers was already registered at
	// permissionLogin above, on the same auth router and method. If the
	// router matches in registration order, this admin registration is
	// never reached and the effective requirement is "logged in" - confirm
	// which permission is intended.
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteUsers, p.handleUsers,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteManageCMSUser, p.handleManageCMSUser,
		permissionAdmin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteManageUser, p.handleManageUser,
		permissionAdmin)
}

// setCMSWWWRoutes sets up the version, policy, invoice and DCC routes for
// cms mode. User routes for this mode are registered separately by
// setCMSUserWWWRoutes.
func (p *Politeiawww) setCMSWWWRoutes() {
	// The version routes set the CSRF token and thus need to be part
	// of the CSRF protected auth router.
	p.auth.HandleFunc("/", p.handleVersion).Methods(http.MethodGet)
	p.auth.StrictSlash(true).
		HandleFunc(www.PoliteiaWWWAPIRoute+www.RouteVersion, p.handleVersion).
		Methods(http.MethodGet)

	// Public routes.
	p.addRoute(http.MethodGet, cms.APIRoute,
		www.RoutePolicy, p.handleCMSPolicy,
		permissionPublic)

	// Routes that require being logged in.
	p.addRoute(http.MethodPost, cms.APIRoute,
		www.RouteNewComment, p.handleNewCommentInvoice,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteNewInvoice, p.handleNewInvoice,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteEditInvoice, p.handleEditInvoice,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteInvoiceDetails, p.handleInvoiceDetails,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteUserInvoices, p.handleUserInvoices,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteInvoices, p.handleInvoices,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteInvoiceComments, p.handleInvoiceComments,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteInvoiceExchangeRate, p.handleInvoiceExchangeRate,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteNewDCC, p.handleNewDCC,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteDCCDetails, p.handleDCCDetails,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteGetDCCs, p.handleGetDCCs,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteSupportOpposeDCC, p.handleSupportOpposeDCC,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteNewCommentDCC, p.handleNewCommentDCC,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteDCCComments, p.handleDCCComments,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteUserSubContractors, p.handleUserSubContractors,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteProposalOwner, p.handleProposalOwner,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteProposalBilling, p.handleProposalBilling,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteCastVoteDCC, p.handleCastVoteDCC,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteVoteDetailsDCC, p.handleVoteDetailsDCC,
		permissionLogin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteActiveVotesDCC, p.handleActiveVoteDCC,
		permissionLogin)
	// The two pass-through routes below proxy www routes that are public
	// in piwww mode; here they require a login.
	p.addRoute(http.MethodGet, cms.APIRoute,
		www.RouteTokenInventory, p.handlePassThroughTokenInventory,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteBatchProposals, p.handlePassThroughBatchProposals,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteSetTOTP, p.handleSetTOTP,
		permissionLogin)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteVerifyTOTP, p.handleVerifyTOTP,
		permissionLogin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteUserCodeStats, p.handleUserCodeStats,
		permissionLogin)

	// Routes that require being logged in as an admin user.
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteInviteNewUser, p.handleInviteNewUser,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteSetInvoiceStatus, p.handleSetInvoiceStatus,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteGeneratePayouts, p.handleGeneratePayouts,
		permissionAdmin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RoutePayInvoices, p.handlePayInvoices,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteInvoicePayouts, p.handleInvoicePayouts,
		permissionAdmin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteAdminUserInvoices, p.handleAdminUserInvoices,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteSetDCCStatus, p.handleSetDCCStatus,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteStartVoteDCC, p.handleStartVoteDCC,
		permissionAdmin)
	p.addRoute(http.MethodGet, cms.APIRoute,
		cms.RouteProposalBillingSummary, p.handleProposalBillingSummary,
		permissionAdmin)
	p.addRoute(http.MethodPost, cms.APIRoute,
		cms.RouteProposalBillingDetails, p.handleProposalBillingDetails,
		permissionAdmin)
}

// setPiRoutes sets up the API routes for piwww mode: the version routes,
// the deprecated www v1 proposal/vote routes served by p itself, and the
// records, comments, ticketvote and pi v1 APIs served by the r, c, t and
// pic plugin frontends respectively.
func (p *Politeiawww) setPiRoutes(r *records.Records, c *comments.Comments, t *ticketvote.TicketVote, pic *pi.Pi) {
	// The version routes set the CSRF token and thus need to be part
	// of the CSRF protected auth router.
	p.auth.HandleFunc("/", p.handleVersion).Methods(http.MethodGet)
	p.auth.StrictSlash(true).
		HandleFunc(www.PoliteiaWWWAPIRoute+www.RouteVersion, p.handleVersion).
		Methods(http.MethodGet)

	// Legacy www routes. These routes have been DEPRECATED. Support
	// will be removed in a future release. All of them are public.
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RoutePolicy, p.handlePolicy,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteTokenInventory, p.handleTokenInventory,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteAllVetted, p.handleAllVetted,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteProposalDetails, p.handleProposalDetails,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteBatchProposals, p.handleBatchProposals,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteVoteStatus, p.handleVoteStatus,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteAllVoteStatus, p.handleAllVoteStatus,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteActiveVote, p.handleActiveVote,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteCastVotes, p.handleCastVotes,
		permissionPublic)
	p.addRoute(http.MethodGet, www.PoliteiaWWWAPIRoute,
		www.RouteVoteResults, p.handleVoteResults,
		permissionPublic)
	p.addRoute(http.MethodPost, www.PoliteiaWWWAPIRoute,
		www.RouteBatchVoteSummary, p.handleBatchVoteSummary,
		permissionPublic)

	// Record routes. Only new/edit need a login and only set-status
	// needs an admin; the read routes are public.
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RoutePolicy, r.HandlePolicy,
		permissionPublic)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteNew, r.HandleNew,
		permissionLogin)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteEdit, r.HandleEdit,
		permissionLogin)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteSetStatus, r.HandleSetStatus,
		permissionAdmin)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteDetails, r.HandleDetails,
		permissionPublic)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteTimestamps, r.HandleTimestamps,
		permissionPublic)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteRecords, r.HandleRecords,
		permissionPublic)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteInventory, r.HandleInventory,
		permissionPublic)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteInventoryOrdered, r.HandleInventoryOrdered,
		permissionPublic)
	p.addRoute(http.MethodPost, rcv1.APIRoute,
		rcv1.RouteUserRecords, r.HandleUserRecords,
		permissionPublic)

	// Comment routes. Deleting a comment is admin only.
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RoutePolicy, c.HandlePolicy,
		permissionPublic)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteNew, c.HandleNew,
		permissionLogin)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteEdit, c.HandleEdit,
		permissionLogin)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteVote, c.HandleVote,
		permissionLogin)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteDel, c.HandleDel,
		permissionAdmin)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteCount, c.HandleCount,
		permissionPublic)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteComments, c.HandleComments,
		permissionPublic)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteVotes, c.HandleVotes,
		permissionPublic)
	p.addRoute(http.MethodPost, cmv1.APIRoute,
		cmv1.RouteTimestamps, c.HandleTimestamps,
		permissionPublic)

	// Ticket vote routes. Casting a ballot is public (ticket signatures,
	// not a session, are what the handler is expected to check - see
	// t.HandleCastBallot); authorizing needs a login and starting a vote
	// needs an admin.
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RoutePolicy, t.HandlePolicy,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteAuthorize, t.HandleAuthorize,
		permissionLogin)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteStart, t.HandleStart,
		permissionAdmin)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteCastBallot, t.HandleCastBallot,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteDetails, t.HandleDetails,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteResults, t.HandleResults,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteSummaries, t.HandleSummaries,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteSubmissions, t.HandleSubmissions,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteInventory, t.HandleInventory,
		permissionPublic)
	p.addRoute(http.MethodPost, tkv1.APIRoute,
		tkv1.RouteTimestamps, t.HandleTimestamps,
		permissionPublic)

	// Pi routes. Setting the billing status is admin only.
	p.addRoute(http.MethodPost, piv1.APIRoute,
		piv1.RoutePolicy, pic.HandlePolicy,
		permissionPublic)
	p.addRoute(http.MethodPost, piv1.APIRoute,
		piv1.RouteSetBillingStatus, pic.HandleSetBillingStatus,
		permissionAdmin)
	p.addRoute(http.MethodPost, piv1.APIRoute,
		piv1.RouteBillingStatusChanges, pic.HandleBillingStatusChanges,
		permissionPublic)
	p.addRoute(http.MethodPost, piv1.APIRoute,
		piv1.RouteSummaries, pic.HandleSummaries,
		permissionPublic)
}

// addRoute sets up a handler for a specific method+route. If method is not
// specified it adds a websocket.
//
// perm is enforced by wrapping handler with the matching session check
// (isLoggedIn for permissionLogin, isLoggedInAsAdmin for permissionAdmin)
// before the route is registered, so the check applies whichever router
// the route ends up on. Non-websocket login and admin routes are
// registered on the auth router (the CSRF protected one, see the version
// route comments above); public routes go on the plain router. Websocket
// routes are always placed on the plain router regardless of perm.
//
// Panics if route contains "login"; the login route must be registered
// with addLoginRoute instead.
func (p *Politeiawww) addRoute(method string, routeVersion string, route string, handler http.HandlerFunc, perm permission) {
	// Sanity check. The login route is special. It must be registered
	// using the addLoginRoute() function. This is a substring match, so
	// any route whose path contains "login" trips it.
	if strings.Contains(route, "login") {
		panic("you cannot use this function to register the login route")
	}

	fullRoute := routeVersion + route
	// Wrap first, then register: every branch below sees the wrapped
	// handler.
	switch perm {
	case permissionAdmin:
		handler = p.isLoggedInAsAdmin(handler)
	case permissionLogin:
		handler = p.isLoggedIn(handler)
	}

	if method == "" {
		// Websocket. Registered on the plain router whatever perm is;
		// the session check, if any, lives in the wrapped handler.
		log.Tracef("Adding websocket: %v", fullRoute)
		p.router.StrictSlash(true).HandleFunc(fullRoute, handler)
		return
	}

	switch perm {
	case permissionAdmin, permissionLogin:
		// Add route to auth router
		p.auth.StrictSlash(true).HandleFunc(fullRoute, handler).Methods(method)
	default:
		// Add route to public router
		p.router.StrictSlash(true).HandleFunc(fullRoute, handler).Methods(method)
	}
}

// addLoginRoute sets up a handler for the login route. The login route is
// special. It is the only public route that requires CSRF protection, so we
// use a separate function to register it. No session check is wrapped
// around handler here; the route goes straight onto the auth router.
//
// Panics if route does not contain "login".
func (p *Politeiawww) addLoginRoute(method string, routeVersion string, route string, handler http.HandlerFunc) {
	// Sanity check
	if !strings.Contains(route, "login") {
		panic("you cannot use this function to register non login routes")
	}

	// Add login route to the auth router
	fullRoute := routeVersion + route
	p.auth.StrictSlash(true).HandleFunc(fullRoute, handler).Methods(method)
}

// isLoggedIn ensures that a user is logged in before calling the next
// function. A request whose session cannot be read, or carries no user
// ID, is answered with 401 and ErrorStatusNotLoggedIn and never reaches f.
func (p *Politeiawww) isLoggedIn(f http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		log.Tracef("%v isLoggedIn: %v %v %v",
			util.RemoteAddr(r), r.Method, r.URL, r.Proto)

		// A session lookup failure and a session without a user ID are
		// reported to the client identically: not logged in.
		userID, err := p.sessions.GetSessionUserID(w, r)
		if err != nil || userID == "" {
			util.RespondWithJSON(w, http.StatusUnauthorized, www.UserError{
				ErrorCode: www.ErrorStatusNotLoggedIn,
			})
			return
		}

		f(w, r)
	}
}

// isAdmin reports whether the user attached to the current session has
// the admin flag set. The error from the session lookup is returned as is.
func (p *Politeiawww) isAdmin(w http.ResponseWriter, r *http.Request) (bool, error) {
	u, err := p.sessions.GetSessionUser(w, r)
	if err != nil {
		return false, err
	}
	return u.Admin, nil
}

// isLoggedInAsAdmin ensures that a user is logged in as an admin user
// before calling the next function. A failed session lookup yields 401
// with ErrorStatusNotLoggedIn; a valid session without admin privileges
// yields 403 with an empty UserError. f runs only when both checks pass.
func (p *Politeiawww) isLoggedInAsAdmin(f http.HandlerFunc) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		log.Tracef("%v isLoggedInAsAdmin: %v %v %v",
			util.RemoteAddr(r), r.Method, r.URL, r.Proto)

		admin, err := p.isAdmin(w, r)
		switch {
		case err != nil:
			// Could not resolve the session user: treat as not logged in.
			log.Errorf("isLoggedInAsAdmin: isAdmin %v", err)
			util.RespondWithJSON(w, http.StatusUnauthorized, www.UserError{
				ErrorCode: www.ErrorStatusNotLoggedIn,
			})
			return
		case !admin:
			// Logged in, but not an admin.
			log.Debugf("%v user is not an admin", http.StatusForbidden)
			util.RespondWithJSON(w, http.StatusForbidden, www.UserError{})
			return
		}

		f(w, r)
	}
}