From 2c79523a50ebdf64cff35027cbd61a3c8c077f52 Mon Sep 17 00:00:00 2001
From: Sonja Happ
Date: Tue, 20 Apr 2021 17:10:29 +0200
Subject: [PATCH] fix access checking for scenarios
---
 routes/scenario/scenario_methods.go | 34 +++++++++++++++++---------
 routes/scenario/scenario_middleware.go | 3 +--
 2 files changed, 24 insertions(+), 13 deletions(-)
diff --git a/routes/scenario/scenario_methods.go b/routes/scenario/scenario_methods.go
index dbd6cb6..49ea335 100644
--- a/routes/scenario/scenario_methods.go
+++ b/routes/scenario/scenario_methods.go
@@ -152,20 +152,32 @@ func (s *Scenario) delete() error {
 return nil
 }
-func (s *Scenario) checkAccess(userID uint, userRole string, operation database.CRUD) bool {
+func (s *Scenario) checkAccess(userID uint, operation database.CRUD) bool {
- if userRole == "Admin" {
+ db := database.GetDB()
+ u := database.User{}
+
+ err := db.Find(&u, userID).Error
+ if err != nil {
+ return false
+ }
+
+ if u.Role == "Admin" {
 return true
+ }
+
+ scenarioUser := database.User{}
+ err = db.Order("ID asc").Model(s).Where("ID = ?", userID).Related(&scenarioUser, "Users").Error
+ if err != nil {
+ return false
+ }
+
+ if !scenarioUser.Active {
+ return false
+ } else if s.IsLocked && operation != database.Read {
+ return false
 } else {
- db := database.GetDB()
- u := database.User{}
- u.Username = ""
- err := db.Order("ID asc").Model(s).Where("ID = ?", userID).Related(&u, "Users").Error
- if err != nil || !u.Active || (s.IsLocked && operation != database.Read) {
- return false
- } else {
- return true
- }
+ return true
 }
 }
diff --git a/routes/scenario/scenario_middleware.go b/routes/scenario/scenario_middleware.go
index c8f87e8..d908e03 100644
--- a/routes/scenario/scenario_middleware.go
+++ b/routes/scenario/scenario_middleware.go
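Review bot: Membership of the user in the scenario is never tested explicitly in the new code: the second `if err != nil` only denies when the `Related` lookup errors, and an unmatched `scenarioUser` is denied solely because a zero-valued struct has `Active == false`, so I would make the decision independent of the ORM's not-found behaviour by writing `if err != nil || scenarioUser.ID != userID {` in place of that second error check. The function also has no doc comment although it is now the single authorization point for scenarios; I'd add one along the lines of `// checkAccess reports whether userID may perform operation on s: the role is read from the DB (not the request), Admins always pass, other users must be an active member of s, and a locked scenario permits Read only; any DB error denies.` The closing `if !scenarioUser.Active { … } else if … { … } else { return true }` reads better as two guard clauses followed by a bare `return true`. Whether `db.Find(&u, userID)` adds a primary-key condition for a zero `userID` under this GORM version is worth confirming, since an unconditioned query would select an arbitrary user and could grant its role. The `return nil` / `}` at the top of the hunk close `delete()`, which starts before it; `checkAccess` itself is complete within the hunk.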
@@ -49,14 +49,13 @@ func CheckPermissions(c *gin.Context, operation database.CRUD, scenarioIDsource
 }
 userID, _ := c.Get(database.UserIDCtx)
- userRole, _ := c.Get(database.UserRoleCtx)
 err = so.ByID(uint(scenarioID))
 if helper.DBError(c, err) {
 return false, so
 }
- if so.checkAccess(userID.(uint), userRole.(string), operation) == false {
+ if so.checkAccess(userID.(uint), operation) == false {
 helper.UnprocessableEntityError(c, "Access denied (user has no access or scenario is locked).")
 return false, so
 }
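Review bot: `userID.(uint)` in the new condition is an unchecked type assertion on a value whose presence was discarded with `_` in `userID, _ := c.Get(database.UserIDCtx)`; if the key is absent (a route registered without the authentication middleware, for instance) the assertion on a nil interface panics rather than denying, which gin's Recovery middleware would turn into a 500 if it is installed — I cannot see that from here. I would check both the presence and the type explicitly and take the same denial path before `checkAccess` is called, as sketched below. The `== false` comparison should be `if !so.checkAccess(uid, operation) {`. Answering an authorization failure with an unprocessable-entity error is pre-existing, but a 401/403 response would be the expected status if a helper for it exists. `CheckPermissions` begins before this hunk and continues after it.
```go
	userID, present := c.Get(database.UserIDCtx)
	uid, isUint := userID.(uint)
	if !present || !isUint {
		helper.UnprocessableEntityError(c, "Access denied (no authenticated user in request context).")
		return false, so
	}

	// … unchanged: so.ByID lookup and helper.DBError check …

	if !so.checkAccess(uid, operation) {
		helper.UnprocessableEntityError(c, "Access denied (user has no access or scenario is locked).")
		return false, so
	}
```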