feat: add permission validation for RS

Author: bietkul

model/category/category.go

@@ -158,6 +158,11 @@ func (c Category) IsFromES() bool {
 		c == Misc
 }
 
+// IsFromRS checks whether the category is of the reactivesearch category.
+func (c Category) IsFromRS() bool {
+	return c == ReactiveSearch
+}
+
 // HasACL checks whether the given acl is a value in the category categories.
 func (c Category) HasACL(a acl.ACL) bool {
 	return acl.Contains(c.ACLs(), a)

plugins/auth/middleware.go

@@ -166,10 +166,14 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 					util.WriteBackError(w, "invalid password", http.StatusUnauthorized)
 					return
 				}
+
+				log.Println("THIS IS THE THING HERE", *reqCategory, *reqCategory == category.ReactiveSearch, reqUser.HasCategory(category.ReactiveSearch))
 				if reqCategory.IsFromES() {
-					authenticated = *reqUser.IsAdmin
-				} else {
 					authenticated = true
+				} else if *reqCategory == category.ReactiveSearch && reqUser.HasCategory(category.ReactiveSearch) {
+					authenticated = true
+				} else {
+					errorMsg = "credential is only allowed to access elasticsearch"
 				}
 
 				if !authenticated {
@@ -195,8 +199,11 @@ func (a *Auth) basicAuth(h http.HandlerFunc) http.HandlerFunc {
 					return
 				}
 
+				log.Println("THIS IS THE THING HERE", *reqCategory, *reqCategory == category.ReactiveSearch, reqPermission.HasCategory(category.ReactiveSearch))
 				if reqCategory.IsFromES() {
 					authenticated = true
+				} else if *reqCategory == category.ReactiveSearch && reqPermission.HasCategory(category.ReactiveSearch) {
+					authenticated = true
 				} else {
 					errorMsg = "credential is only allowed to access elasticsearch"
 				}