fix(auth): prevent and heal dirty admin permissions

Author: okatu-loli

internal/db/role.go

@@ -79,6 +79,9 @@ func UpdateRolePermissionsPathPrefix(oldPath, newPath string) ([]uint, error) {
 	}
 
 	for _, role := range roles {
+		if role.Name == "admin" || role.Name == "guest" {
+			continue
+		}
 		updated := false
 		for i, entry := range role.PermissionScopes {
 			entryPath := path.Clean(entry.Path)

internal/op/role.go

@@ -21,6 +21,24 @@ func init() {
 	model.FetchRole = GetRole
 }
 
+func enforceAdminRoleDefaults(r *model.Role) error {
+	if r == nil || r.Name != "admin" {
+		return nil
+	}
+	if len(r.PermissionScopes) == 1 {
+		scopePath := utils.FixAndCleanPath(r.PermissionScopes[0].Path)
+		if scopePath == "/" && r.PermissionScopes[0].Permission == 0xFFFF {
+			r.PermissionScopes[0].Path = "/"
+			return nil
+		}
+	}
+
+	r.PermissionScopes = []model.PermissionEntry{
+		{Path: "/", Permission: 0xFFFF},
+	}
+	return db.UpdateRole(r)
+}
+
 func GetRole(id uint) (*model.Role, error) {
 	key := fmt.Sprint(id)
 	if r, ok := roleCache.Get(key); ok {
@@ -31,7 +49,11 @@ func GetRole(id uint) (*model.Role, error) {
 		if err != nil {
 			return nil, err
 		}
+		if err := enforceAdminRoleDefaults(_r); err != nil {
+			return nil, err
+		}
 		roleCache.Set(key, _r, cache.WithEx[*model.Role](time.Hour))
+		roleCache.Set(_r.Name, _r, cache.WithEx[*model.Role](time.Hour))
 		return _r, nil
 	})
 	return r, err
@@ -46,7 +68,11 @@ func GetRoleByName(name string) (*model.Role, error) {
 		if err != nil {
 			return nil, err
 		}
+		if err := enforceAdminRoleDefaults(_r); err != nil {
+			return nil, err
+		}
 		roleCache.Set(name, _r, cache.WithEx[*model.Role](time.Hour))
+		roleCache.Set(fmt.Sprint(_r.ID), _r, cache.WithEx[*model.Role](time.Hour))
 		return _r, nil
 	})
 	return r, err
@@ -89,7 +115,11 @@ func GetRolesByUserID(userID uint) ([]model.Role, error) {
 			if err != nil {
 				return nil, err
 			}
+			if err := enforceAdminRoleDefaults(_r); err != nil {
+				return nil, err
+			}
 			roleCache.Set(key, _r, cache.WithEx[*model.Role](time.Hour))
+			roleCache.Set(_r.Name, _r, cache.WithEx[*model.Role](time.Hour))
 			return _r, nil
 		})
 		if err != nil {

internal/op/user.go

@@ -16,6 +16,25 @@ var userG singleflight.Group[*model.User]
 var guestUser *model.User
 var adminUser *model.User
 
+func enforceAdminUserDefaults(u *model.User) error {
+	if u == nil || !u.IsAdmin() {
+		return nil
+	}
+	changed := false
+	if utils.FixAndCleanPath(u.BasePath) != "/" {
+		u.BasePath = "/"
+		changed = true
+	}
+	if u.Permission != 0xFFFF {
+		u.Permission = 0xFFFF
+		changed = true
+	}
+	if !changed {
+		return nil
+	}
+	return db.UpdateUser(u)
+}
+
 func GetAdmin() (*model.User, error) {
 	if adminUser == nil {
 		role, err := GetRoleByName("admin")
@@ -26,7 +45,12 @@ func GetAdmin() (*model.User, error) {
 		if err != nil {
 			return nil, err
 		}
+		if err := enforceAdminUserDefaults(user); err != nil {
+			return nil, err
+		}
 		adminUser = user
+	} else if err := enforceAdminUserDefaults(adminUser); err != nil {
+		return nil, err
 	}
 	return adminUser, nil
 }
@@ -59,13 +83,19 @@ func GetUserByName(username string) (*model.User, error) {
 		return nil, errs.EmptyUsername
 	}
 	if user, ok := userCache.Get(username); ok {
+		if err := enforceAdminUserDefaults(user); err != nil {
+			return nil, err
+		}
 		return user, nil
 	}
 	user, err, _ := userG.Do(username, func() (*model.User, error) {
 		_user, err := db.GetUserByName(username)
 		if err != nil {
 			return nil, err
 		}
+		if err := enforceAdminUserDefaults(_user); err != nil {
+			return nil, err
+		}
 		userCache.Set(username, _user, cache.WithEx[*model.User](time.Hour))
 		return _user, nil
 	})