Restrict access to admin routes

This commit is contained in:
Pierre HUBERT 2022-04-02 19:23:32 +02:00
parent 91fd763fe1
commit da74acaed8
2 changed files with 23 additions and 1 deletions


@ -7,6 +7,7 @@ use std::rc::Rc;
use actix_identity::RequestIdentity; use actix_identity::RequestIdentity;
use actix_web::{dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, HttpResponse}; use actix_web::{dev::{forward_ready, Service, ServiceRequest, ServiceResponse, Transform}, Error, HttpResponse};
use actix_web::body::EitherBody; use actix_web::body::EitherBody;
use askama::Template;
use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, LOGIN_ROUTE}; use crate::constants::{ADMIN_ROUTES, AUTHENTICATED_ROUTES, LOGIN_ROUTE};
use crate::controllers::base_controller::redirect_user; use crate::controllers::base_controller::redirect_user;
@ -55,6 +56,10 @@ impl SessionStatus {
} }
} }
#[derive(Template)]
#[template(path = "access_denied.html")]
struct AccessDeniedTemplate {}
pub struct AuthInnerMiddleware<S> { pub struct AuthInnerMiddleware<S> {
service: Rc<S>, service: Rc<S>,
} }
@ -99,7 +104,12 @@ impl<S, B> Service<ServiceRequest> for AuthInnerMiddleware<S>
.map_into_right_body()); .map_into_right_body());
} }
// TODO : restrict access to admin pages // Restrict access to admin pages
if !identity.is_admin() && req.path().starts_with(ADMIN_ROUTES) {
return Ok(req.into_response(HttpResponse::Unauthorized()
.body(AccessDeniedTemplate {}.render().unwrap()))
.map_into_right_body());
}
service service
.call(req) .call(req)
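Review bot: The non-admin branch at the `if !identity.is_admin()` line answers with `HttpResponse::Unauthorized()` (401), yet at that point the user is already authenticated and only lacks the admin role, which is what 403 Forbidden expresses; a 401 also formally requires a `WWW-Authenticate` header, and clients that retry login on 401 will loop. Change the response line to `return Ok(req.into_response(HttpResponse::Forbidden()`. The `.render().unwrap()` on the field-less `AccessDeniedTemplate` is effectively infallible, but a panic inside middleware aborts the request in the worker; `.expect("static access_denied template renders")` at least records that assumption. `req.path().starts_with(ADMIN_ROUTES)` is a raw string-prefix test, so it presumably relies on `ADMIN_ROUTES` being a complete path segment (e.g. ending in `/`) to avoid matching unrelated sibling routes; a one-line comment stating that invariant next to the check would help. The enclosing `call` body, where `identity` is obtained and the authenticated-routes redirect is issued, starts and ends outside this hunk.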


@ -0,0 +1,12 @@
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<title>Access denied</title>
<link href="/assets/css/bootstrap.css" rel="stylesheet" crossorigin="anonymous"/>
</head>
<body>
<p>You are not allowed to access this resource.</p>
</body>
</html>
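Review bot: The stylesheet `link` carries `crossorigin="anonymous"` although `/assets/css/bootstrap.css` is a same-origin path, where the attribute has no effect; either drop it, `<link href="/assets/css/bootstrap.css" rel="stylesheet"/>`, or, if the asset is meant to be served from a CDN later, pair it with an `integrity` hash so the browser verifies what it loads. The page also has no `<meta name="viewport" content="width=device-width, initial-scale=1">`, so despite loading bootstrap.css it will render zoomed-out on mobile.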