From f3d6353f86e7d9bc2fa01b37529cccf32c929c5f Mon Sep 17 00:00:00 2001
From: Sonja Happ
Date: Wed, 14 Apr 2021 11:11:28 +0200
Subject: [PATCH] add user role Download; limit access check to scenario in file middleware #52

---
 database/roles.go | 13 +++++++++++++
 routes/file/file_middleware.go | 9 ++++++---
 2 files changed, 19 insertions(+), 3 deletions(-)

diff --git a/database/roles.go b/database/roles.go
index e303abc..7beeac1 100644
--- a/database/roles.go
+++ b/database/roles.go
@@ -112,6 +112,19 @@ var Roles = RoleActions{
 ModelFile: _r__,
 ModelResult: none,
 },
+ "Download": {
+ ModelScenario: none,
+ ModelComponentConfiguration: none,
+ ModelDashboard: none,
+ ModelWidget: none,
+ ModelInfrastructureComponent: none,
+ ModelInfrastructureComponentAction: none,
+ ModelUser: none,
+ ModelUsers: none,
+ ModelSignal: none,
+ ModelFile: _r__,
+ ModelResult: none,
+ },
 }
 
 func ValidateRole(c *gin.Context, model ModelName, action CRUD) error {
diff --git a/routes/file/file_middleware.go b/routes/file/file_middleware.go
index acdacb6..897fa52 100644
--- a/routes/file/file_middleware.go
+++ b/routes/file/file_middleware.go
@@ -49,9 +49,12 @@ func CheckPermissions(c *gin.Context, operation database.CRUD) (bool, File) {
 return false, f
 }
 
- ok, _ := scenario.CheckPermissions(c, operation, "body", int(f.ScenarioID))
- if !ok {
- return false, f
+ if operation != database.Read {
+ // check access to scenario only if operation is not Read (=download) of file
+ ok, _ := scenario.CheckPermissions(c, operation, "body", int(f.ScenarioID))
+ if !ok {
+ return false, f
+ }
 }
 
 return true, f
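Review bot: The new `"Download"` entry in `Roles` carries no comment explaining that it is deliberately not tied to any scenario, which matters because `ModelFile: _r__` is its only grant and the file middleware change in this commit is what makes that grant usable. I would add a comment above the entry such as `// Download: read-only access to files; the account is not a member of any scenario, so its file reads are not scenario-scoped.` Since such an account can read files across scenarios, it is worth confirming that the user create/update validation (not visible in this patch) lets only administrators assign this role.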
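Review bot: The guard `if operation != database.Read` in `CheckPermissions` skips the scenario membership check for every caller, not only for the new Download role. Any role whose `ModelFile` entry allows read can therefore fetch a file by ID from a scenario it does not belong to, which is a broken object-level authorization for ordinary users. The exemption should be keyed on the caller's role as well, for example `if operation != database.Read || role != "Download" {`, where `role` stands for however the surrounding code obtains the authenticated user's role (placeholder, not shown in this hunk). The inline comment should then say why Download is exempt rather than restate the condition. The function begins outside the hunk, so I am assuming the earlier lines only validate the role and load the file by ID.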