From 5e46619865639ae79fb427f928f3a7ed36631fc2 Mon Sep 17 00:00:00 2001
From: Knut Ahlers <knut@ahlers.me>
Date: Mon, 22 Apr 2019 19:54:27 +0200
Subject: [PATCH] Add special group for all authenticated users

Signed-off-by: Knut Ahlers <knut@ahlers.me>
---
 acl.go      |  4 ++++
 acl_test.go | 24 ++++++++++++++++++++++++
 2 files changed, 28 insertions(+)

diff --git a/acl.go b/acl.go
index 709dfcb..ba665f7 100644
--- a/acl.go
+++ b/acl.go
@@ -148,6 +148,10 @@ func (a aclRuleSet) HasAccess(user string, groups []string, r *http.Request) acl
 		}
 	}
 
+	if str.StringInSlice("@_authenticated", a.Allow) && user != "" {
+		return accessAllow
+	}
+
 	// Neither user nor group are handled
 	return accessDunno
 }
diff --git a/acl_test.go b/acl_test.go
index b379236..3aa9d40 100644
--- a/acl_test.go
+++ b/acl_test.go
@@ -59,6 +59,30 @@ func TestRuleSetMatcher(t *testing.T) {
 	}
 }
 
+func TestGroupAuthenticated(t *testing.T) {
+	r := aclRuleSet{
+		Rules: []aclRule{
+			{
+				Field:       "field_a",
+				MatchString: aclTestString("expected"),
+			},
+		},
+		Allow: []string{"@_authenticated"},
+	}
+	fields := map[string]string{
+		"field_a": "expected",
+	}
+
+	if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) != accessAllow {
+		t.Error("Access was denied")
+	}
+
+	r.Allow = []string{"testgroup"}
+	if r.HasAccess(aclTestUser, aclTestGroups, aclTestRequest(fields)) == accessAllow {
+		t.Error("Access was allowed")
+	}
+}
+
 func TestInvertedRegexMatcher(t *testing.T) {
 	fields := map[string]string{
 		"field_a": "expected",