fix access checking for scenarios

routes/scenario/scenario_methods.go

@@ -152,20 +152,32 @@ func (s *Scenario) delete() error {
 	return nil
 }
 
-func (s *Scenario) checkAccess(userID uint, userRole string, operation database.CRUD) bool {
+func (s *Scenario) checkAccess(userID uint, operation database.CRUD) bool {
 
-	if userRole == "Admin" {
+	db := database.GetDB()
+	u := database.User{}
+
+	err := db.Find(&u, userID).Error
+	if err != nil {
+		return false
+	}
+
+	if u.Role == "Admin" {
 		return true
+	}
+
+	scenarioUser := database.User{}
+	err = db.Order("ID asc").Model(s).Where("ID = ?", userID).Related(&scenarioUser, "Users").Error
+	if err != nil {
+		return false
+	}
+
+	if !scenarioUser.Active {
+		return false
+	} else if s.IsLocked && operation != database.Read {
+		return false
 	} else {
-		db := database.GetDB()
+		return true
-		u := database.User{}
-		u.Username = ""
-		err := db.Order("ID asc").Model(s).Where("ID = ?", userID).Related(&u, "Users").Error
-		if err != nil || !u.Active || (s.IsLocked && operation != database.Read) {
-			return false
-		} else {
-			return true
-		}
 	}
 
 }

routes/scenario/scenario_middleware.go

@@ -49,14 +49,13 @@ func CheckPermissions(c *gin.Context, operation database.CRUD, scenarioIDsource
 	}
 
 	userID, _ := c.Get(database.UserIDCtx)
-	userRole, _ := c.Get(database.UserRoleCtx)
 
 	err = so.ByID(uint(scenarioID))
 	if helper.DBError(c, err) {
 		return false, so
 	}
 
-	if so.checkAccess(userID.(uint), userRole.(string), operation) == false {
+	if so.checkAccess(userID.(uint), operation) == false {
 		helper.UnprocessableEntityError(c, "Access denied (user has no access or scenario is locked).")
 		return false, so
 	}