Kyle Isom
d7d7ba21d9
- Add IsAdmin bool to PageData (embedded in all page view structs)
- Remove redundant IsAdmin from DashboardData
- Add isAdmin() helper to derive admin status from request claims
- Set IsAdmin in all page-level handlers that populate PageData
- Wrap admin-only nav links in base.html with {{if .IsAdmin}}
- Add tests: non-admin dashboard/profile hide admin links,
admin dashboard shows them
Security: navigation links to /accounts, /audit, /policies,
and /pgcreds are now only rendered for admin users. Server-side
authorization (requireAdminRole middleware) was already in place;
this change removes the information leak of showing links that
return 403 to non-admin users.
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
128 lines
3.2 KiB
Go
128 lines
3.2 KiB
Go
package ui
|
|
|
|
import (
|
|
"net/http"
|
|
"strconv"
|
|
|
|
"git.wntrmute.dev/kyle/mcias/internal/db"
|
|
"git.wntrmute.dev/kyle/mcias/internal/model"
|
|
)
|
|
|
|
const auditPageSize = 50
|
|
|
|
// auditEventTypes lists all known event types for the filter dropdown.
|
|
var auditEventTypes = []string{
|
|
model.EventLoginOK,
|
|
model.EventLoginFail,
|
|
model.EventLoginTOTPFail,
|
|
model.EventTokenIssued,
|
|
model.EventTokenRenewed,
|
|
model.EventTokenRevoked,
|
|
model.EventTokenExpired,
|
|
model.EventAccountCreated,
|
|
model.EventAccountUpdated,
|
|
model.EventAccountDeleted,
|
|
model.EventRoleGranted,
|
|
model.EventRoleRevoked,
|
|
model.EventTOTPEnrolled,
|
|
model.EventTOTPRemoved,
|
|
model.EventPGCredAccessed,
|
|
model.EventPGCredUpdated,
|
|
}
|
|
|
|
// handleAuditPage renders the full audit log page with the first page embedded.
|
|
func (u *UIServer) handleAuditPage(w http.ResponseWriter, r *http.Request) {
|
|
csrfToken, err := u.setCSRFCookies(w)
|
|
if err != nil {
|
|
http.Error(w, "internal error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
data, err := u.buildAuditData(r, 1, csrfToken)
|
|
if err != nil {
|
|
u.renderError(w, r, http.StatusInternalServerError, "failed to load audit log")
|
|
return
|
|
}
|
|
|
|
u.render(w, "audit", data)
|
|
}
|
|
|
|
// handleAuditRows returns only the <tbody> rows fragment for HTMX partial updates.
|
|
func (u *UIServer) handleAuditRows(w http.ResponseWriter, r *http.Request) {
|
|
pageStr := r.URL.Query().Get("page")
|
|
page, _ := strconv.Atoi(pageStr)
|
|
if page < 1 {
|
|
page = 1
|
|
}
|
|
|
|
data, err := u.buildAuditData(r, page, "")
|
|
if err != nil {
|
|
u.renderError(w, r, http.StatusInternalServerError, "failed to load audit log")
|
|
return
|
|
}
|
|
|
|
u.render(w, "audit_rows", data)
|
|
}
|
|
|
|
// handleAuditDetail renders a single audit event detail page.
|
|
func (u *UIServer) handleAuditDetail(w http.ResponseWriter, r *http.Request) {
|
|
csrfToken, err := u.setCSRFCookies(w)
|
|
if err != nil {
|
|
http.Error(w, "internal error", http.StatusInternalServerError)
|
|
return
|
|
}
|
|
|
|
idStr := r.PathValue("id")
|
|
id, err := strconv.ParseInt(idStr, 10, 64)
|
|
if err != nil {
|
|
u.renderError(w, r, http.StatusBadRequest, "invalid event ID")
|
|
return
|
|
}
|
|
|
|
event, err := u.db.GetAuditEventByID(id)
|
|
if err != nil {
|
|
u.renderError(w, r, http.StatusNotFound, "event not found")
|
|
return
|
|
}
|
|
|
|
u.render(w, "audit_detail", AuditDetailData{
|
|
PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r), IsAdmin: isAdmin(r)},
|
|
Event: event,
|
|
})
|
|
}
|
|
|
|
// buildAuditData fetches one page of audit events and builds AuditData.
|
|
func (u *UIServer) buildAuditData(r *http.Request, page int, csrfToken string) (AuditData, error) {
|
|
filterType := r.URL.Query().Get("event_type")
|
|
offset := (page - 1) * auditPageSize
|
|
|
|
params := db.AuditQueryParams{
|
|
Limit: auditPageSize,
|
|
Offset: offset,
|
|
EventType: filterType,
|
|
}
|
|
|
|
events, total, err := u.db.ListAuditEventsPaged(params)
|
|
if err != nil {
|
|
return AuditData{}, err
|
|
}
|
|
|
|
totalPages := int(total) / auditPageSize
|
|
if int(total)%auditPageSize != 0 {
|
|
totalPages++
|
|
}
|
|
if totalPages < 1 {
|
|
totalPages = 1
|
|
}
|
|
|
|
return AuditData{
|
|
PageData: PageData{CSRFToken: csrfToken, ActorName: u.actorName(r), IsAdmin: isAdmin(r)},
|
|
Events: events,
|
|
EventTypes: auditEventTypes,
|
|
FilterType: filterType,
|
|
Total: total,
|
|
Page: page,
|
|
TotalPages: totalPages,
|
|
}, nil
|
|
}
|