From ba01c3c2f066ee4b1790139e6e1f53275cbd4394 Mon Sep 17 00:00:00 2001 From: Knut Ahlers Date: Thu, 13 Jun 2024 17:45:04 +0200 Subject: [PATCH] Fix: Check editor auth before creating the initial token Signed-off-by: Knut Ahlers --- configEditor_global.go | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/configEditor_global.go b/configEditor_global.go index 6f61b69..0433a17 100644 --- a/configEditor_global.go +++ b/configEditor_global.go @@ -9,6 +9,7 @@ import ( log "github.com/sirupsen/logrus" + "github.com/Luzifer/go_helpers/v2/str" "github.com/Luzifer/twitch-bot/v3/pkg/twitch" "github.com/Luzifer/twitch-bot/v3/plugins" ) @@ -200,6 +201,12 @@ func configEditorGlobalLogin(w http.ResponseWriter, r *http.Request) { return } + if !str.StringInSlice(user, config.BotEditors) && !str.StringInSlice(id, config.BotEditors) { + // That user is none of our editors: Deny access + http.Error(w, "access denied", http.StatusForbidden) + return + } + tok, expiresAt, err := editorTokenService.CreateLoginToken(id, user) if err != nil { http.Error(w, err.Error(), http.StatusInternalServerError)